
Conversation

Contributor

@nkhristinin nkhristinin commented May 25, 2023

It introduces the privileges for risk score data stream indices for the kibana-system user.
Related PR: elastic/kibana#158422

@elasticsearchmachine elasticsearchmachine added v8.9.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels May 25, 2023
@nkhristinin nkhristinin force-pushed the risk-ds-kibana-system branch from 8515d74 to a0a0c43 Compare June 6, 2023 09:05
Contributor Author

@elasticmachine merge upstream

@nkhristinin nkhristinin force-pushed the risk-ds-kibana-system branch from 38b1bbe to 386b2e6 Compare June 7, 2023 07:50
@nkhristinin nkhristinin marked this pull request as ready for review June 7, 2023 08:40
@elasticsearchmachine elasticsearchmachine added the needs:triage Requires assignment of a team area label label Jun 7, 2023
@jakelandis jakelandis added :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC >non-issue and removed needs:triage Requires assignment of a team area label external-contributor Pull request authored by a developer outside the Elasticsearch team labels Jun 7, 2023
Contributor

@jakelandis jakelandis left a comment


LGTM

@elasticsearchmachine elasticsearchmachine added the Team:Security Meta label for security team label Jun 7, 2023
Collaborator

Pinging @elastic/es-security (Team:Security)

@nkhristinin nkhristinin merged commit 4fa7a94 into elastic:main Jun 8, 2023
nkhristinin added a commit to elastic/kibana that referenced this pull request Jun 21, 2023
… scoring (#158422)

## Risk score resources bootstrap

![Screenshot 2023-06-12 at 14 46 56](https://github.com/elastic/kibana/assets/7609147/f04564a5-5708-4617-9d76-d9403041619e)

ES PR: elastic/elasticsearch#96348

This PR introduces RiskEngineDataClient, whose purpose is to install
resources per namespace, including the ILM policy, component template, index
template and data stream for risk score.

A short demo/overview of the steps we take to initialise
RiskEngineDataClient and its resources:


https://github.com/elastic/kibana/assets/7609147/bf72bbb4-56f6-46be-9b89-c96e9f33b354


For the default space, it installs the indexes when the security_solution
plugin is set up.
For other spaces, it initialises the resources when you call `getWriter`.


This data client is passed to `RequestContextFactory`, so in any request it can be used like this:

```
const riskEngineDataClient = (await context.securitySolution).getRiskEngineDataClient();
const spaceId = (await context.securitySolution).getSpaceId();
const riskEngineDataClientWriter = riskEngineDataClient.getWriter({ namespace: spaceId });
```



### What is generated

1. ILM policy

`GET _ilm/policy/.risk-score-ilm-policy`

```
{
  ".risk-score-ilm-policy": {
    "version": 1,
    "modified_date": "2023-05-25T10:52:36.592Z",
    "policy": {
      "phases": {
        "hot": {
          "min_age": "0ms",
          "actions": {
            "rollover": {
              "max_age": "30d",
              "max_primary_shard_size": "50gb"
            }
          }
        }
      },
      "_meta": {
        "managed": true
      }
    },
    "in_use_by": {
      "indices": [
        ".ds-risk-score.risk-score-default-2023.05.25-000001"
      ],
      "data_streams": [
        "risk-score.risk-score-default"
      ],
      "composable_templates": [
        ".risk-score.risk-score-default-index-template"
      ]
    }
  }
}
```

2. Component template for risk score mappings

`GET _component_template/risk-score-mappings`

```
{
  "component_templates": [
    {
      "name": "risk-score-mappings",
      "component_template": {
        "template": {
          "settings": {},
          "mappings": {
            "dynamic": "strict",
            "properties": {
              "identifierField": {
                "type": "keyword"
              },
              "otherScore": {
                "type": "float"
              },
              "alertsScore": {
                "type": "float"
              },
              "@timestamp": {
                "type": "date"
              },
              "level": {
                "type": "keyword"
              },
              "riskiestInputs": {
                "type": "nested",
                "properties": {
                  "index": {
                    "type": "keyword"
                  },
                  "id": {
                    "type": "keyword"
                  },
                  "riskScore": {
                    "type": "float"
                  }
                }
              },
              "identifierValue": {
                "type": "keyword"
              },
              "totalScore": {
                "type": "float"
              },
              "totalScoreNormalized": {
                "type": "float"
              }
            }
          }
        },
        "_meta": {
          "managed": true
        }
      }
    }
  ]
}
```

3. Index template

`GET _index_template/.risk-score.risk-score-default-index-template`

```
{
  "index_templates": [
    {
      "name": ".risk-score.risk-score-default-index-template",
      "index_template": {
        "index_patterns": [
          "risk-score.risk-score-default"
        ],
        "template": {
          "settings": {
            "index": {
              "lifecycle": {
                "name": ".risk-score-ilm-policy"
              },
              "mapping": {
                "total_fields": {
                  "limit": "1000"
                }
              },
              "hidden": "true",
              "auto_expand_replicas": "0-1"
            }
          },
          "mappings": {
            "_meta": {
              "managed": true,
              "namespace": "default",
              "kibana": {
                "version": "8.9.0"
              }
            },
            "dynamic": false
          }
        },
        "composed_of": [
          "risk-score-mappings"
        ],
        "_meta": {
          "managed": true,
          "namespace": "default",
          "kibana": {
            "version": "8.9.0"
          }
        },
        "data_stream": {
          "hidden": true,
          "allow_custom_routing": false
        }
      }
    }
  ]
}
```

4. Data stream


`GET risk-score.risk-score-default`, where `default` is the space name, returns:
```
{
  ".ds-risk-score.risk-score-default-2023.05.25-000001": {
    "aliases": {},
    "mappings": {
      "dynamic": "false",
      "_meta": {
        "namespace": "default",
        "kibana": {
          "version": "8.9.0"
        },
        "managed": true
      },
      "_data_stream_timestamp": {
        "enabled": true
      },
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "alertsScore": {
          "type": "float"
        },
        "identifierField": {
          "type": "keyword"
        },
        "identifierValue": {
          "type": "keyword"
        },
        "level": {
          "type": "keyword"
        },
        "otherScore": {
          "type": "float"
        },
        "riskiestInputs": {
          "type": "nested",
          "properties": {
            "id": {
              "type": "keyword"
            },
            "index": {
              "type": "keyword"
            },
            "riskScore": {
              "type": "float"
            }
          }
        },
        "totalScore": {
          "type": "float"
        },
        "totalScoreNormalized": {
          "type": "float"
        }
      }
    },
    "settings": {
      "index": {
        "lifecycle": {
          "name": ".risk-engine-ilm-policy"
        },
        "routing": {
          "allocation": {
            "include": {
              "_tier_preference": "data_hot"
            }
          }
        },
        "mapping": {
          "total_fields": {
            "limit": "1000"
          }
        },
        "hidden": "true",
        "number_of_shards": "1",
        "auto_expand_replicas": "0-1",
        "provided_name": ".ds-risk-score.risk-score-default-2023.05.25-000001",
        "creation_date": "1685009904171",
        "number_of_replicas": "0",
        "uuid": "_5yc7wG4Sxy88zIVqxC7yg",
        "version": {
          "created": "8090099"
        }
      }
    },
    "data_stream": "risk-score.risk-score-default"
  }
}
```

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
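The bootstrap described in the commit message above, as an added example that is not part of this PR and not Kibana's own RiskEngineDataClient code: it derives the per-space resource names, builds the four request bodies from the JSON shown above, and installs them in dependency order through an injected transport. The `transport` callable shape and the `FakeCluster` class are assumptions made so the script runs offline. Two points a reviewer would want explicit are made so: the ILM policy and component template are cluster-wide while the index template and data stream are created per space, so a second space adds only two resources; and because an index template's own mappings take precedence over the component templates it is composed of, the component's `dynamic: strict` ends up as `dynamic: false` on the backing index, which is exactly what the `GET risk-score.risk-score-default` output above reports.

```python
from __future__ import annotations

from typing import Any, Callable, Dict, List, Optional, Tuple

ILM_POLICY = ".risk-score-ilm-policy"        # shared across spaces
COMPONENT_TEMPLATE = "risk-score-mappings"   # shared across spaces


def data_stream_name(namespace: str) -> str:
    return f"risk-score.risk-score-{namespace}"


def index_template_name(namespace: str) -> str:
    return f".{data_stream_name(namespace)}-index-template"


def ilm_policy_body() -> Dict[str, Any]:
    rollover = {"max_age": "30d", "max_primary_shard_size": "50gb"}
    return {"policy": {"_meta": {"managed": True},
                       "phases": {"hot": {"min_age": "0ms", "actions": {"rollover": rollover}}}}}


def component_template_body() -> Dict[str, Any]:
    score, keyword = {"type": "float"}, {"type": "keyword"}
    inputs = {"type": "nested", "properties": {"index": keyword, "id": keyword, "riskScore": score}}
    properties = {"@timestamp": {"type": "date"}, "identifierField": keyword, "identifierValue": keyword,
                  "level": keyword, "alertsScore": score, "otherScore": score, "totalScore": score,
                  "totalScoreNormalized": score, "riskiestInputs": inputs}
    # "strict" on its own would reject any document carrying a field not listed in `properties`.
    return {"template": {"settings": {}, "mappings": {"dynamic": "strict", "properties": properties}},
            "_meta": {"managed": True}}


def index_template_body(namespace: str, kibana_version: str) -> Dict[str, Any]:
    meta = {"managed": True, "namespace": namespace, "kibana": {"version": kibana_version}}
    settings = {"index": {"lifecycle": {"name": ILM_POLICY}, "mapping": {"total_fields": {"limit": "1000"}},
                          "hidden": "true", "auto_expand_replicas": "0-1"}}
    return {"index_patterns": [data_stream_name(namespace)],
            "template": {"settings": settings, "mappings": {"_meta": meta, "dynamic": False}},
            "composed_of": [COMPONENT_TEMPLATE], "_meta": meta,
            "data_stream": {"hidden": True, "allow_custom_routing": False}}


def effective_mappings(component: Dict[str, Any], index_template: Dict[str, Any]) -> Dict[str, Any]:
    """Top-level mapping keys after composition. Elasticsearch applies component templates
    first and the index template's own `template.mappings` last, so the latter wins: the
    component's dynamic "strict" becomes dynamic False (unmapped fields ignored, not rejected)."""
    merged = dict(component["template"]["mappings"])
    merged.update(index_template["template"]["mappings"])
    return merged


# Assumed transport shape: (method, path, json_body) -> (http_status, decoded_response).
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Tuple[int, Any]]


def install(namespace: str, transport: Transport, kibana_version: str = "8.9.0") -> List[str]:
    """Create the four resources in dependency order, skipping those that already
    exist (GET answering 404 means missing). Returns the paths that were PUT."""
    steps = [
        (f"_ilm/policy/{ILM_POLICY}", ilm_policy_body()),
        (f"_component_template/{COMPONENT_TEMPLATE}", component_template_body()),
        (f"_index_template/{index_template_name(namespace)}", index_template_body(namespace, kibana_version)),
        (f"_data_stream/{data_stream_name(namespace)}", None),  # data streams are created with an empty PUT
    ]
    created: List[str] = []
    for path, body in steps:
        status, _ = transport("GET", path, None)
        if status == 404:
            status, _ = transport("PUT", path, body)
            if status >= 300:
                raise RuntimeError(f"PUT {path} failed with HTTP {status}")
            created.append(path)
        elif status >= 300:
            raise RuntimeError(f"GET {path} failed with HTTP {status}")
    return created


class FakeCluster:
    """Constructed stand-in for a node so the example runs offline: remembers PUTs, 404s otherwise."""

    def __init__(self) -> None:
        self.resources: Dict[str, Any] = {}

    def __call__(self, method: str, path: str, body: Optional[Dict[str, Any]]) -> Tuple[int, Any]:
        if method == "GET":
            return (200, self.resources[path]) if path in self.resources else (404, None)
        if method == "PUT":
            self.resources[path] = body
            return 200, {"acknowledged": True}
        return 405, None


if __name__ == "__main__":
    cluster = FakeCluster()
    print(install("default", cluster))    # creates all four resources
    print(install("marketing", cluster))  # only the per-space index template and data stream
```

To run this against a real cluster, replace `FakeCluster` with a callable that issues the HTTP request. Whatever identity it authenticates as needs the `manage_ilm` and `manage_index_templates` cluster privileges for the first three steps and `create_index` on the data stream name for the last one; the index-level part of that for the risk-score data streams is what the PR above grants to the kibana-system user, though the page does not list the exact privilege names.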