[RAC] - Update field names #107857
Merged
[RAC] - Update field names #107857
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yctercero
added
Feature:RAC
3 tasks
yctercero
commented
Aug 9, 2021
x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
Outdated
Show resolved
Hide resolved
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/apm-ui (Team:apm) |
yctercero
added
the
release_note:skip
ecezalp
approved these changes
Aug 9, 2021
...lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
Outdated
Show resolved
Hide resolved
michaelolo24
approved these changes
Aug 9, 2021
There was a problem hiding this comment.
Thank you for doing this! Tested locally with @machadoum and looks great, just one minor comment 😄
gmmorris
approved these changes
Aug 10, 2021
|
Just a comment to uncomment these when it's all sorted: #108034 |
yctercero
commented
Aug 10, 2021
| @@ -17,25 +17,18 @@ const CONSUMERS = `${KIBANA_NAMESPACE}.consumers` as const; | |||
| const ECS_VERSION = 'ecs.version' as const; | |||
| const EVENT_ACTION = 'event.action' as const; | |||
| const EVENT_KIND = 'event.kind' as const; | |||
| const RULE_CATEGORY = 'rule.category' as const; | |||
There was a problem hiding this comment.
rule.* should only refer to source/event document fields, not our kibana rules.
yctercero
commented
Aug 10, 2021
| [Fields.ALERT_PRODUCER]: { type: 'keyword' }, | ||
| [Fields.ALERT_RULE_TYPE_ID]: { type: 'keyword', required: true }, | ||
| [Fields.ALERT_RULE_CONSUMER]: { type: 'keyword', required: true }, | ||
| [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword' }, |
There was a problem hiding this comment.
Producer can be derived from the rule type id (apm.error_count) --> apm , so while convenient, we don't need to require it as long as we have the consumer and rule type id, we have enough for rbac.
yctercero
added
the
auto-backport
|
@elasticmachine merge upstream |
yctercero
force-pushed
the
update_ss_field_names
branch
from
cb03411
to
759decb
Compare
@michaelolo24 Note that after most recent CI failure, took the opportunity to make these changes here so once this goes in, should be golden 👍🏽 |
💚 Build SucceededMetrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: cc @yctercero |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Aug 11, 2021
### Summary ### Fields used moving forward `kibana.alert.rule.consumer` will refer to the context in which a rule instance is created. Rules created in: - stack --> `alerts` - security solution --> `siem` - apm --> `apm` `kibana.alert.rule.producer` will refer to the plugin that registered a rule type. Rules registered in: - stack --> `alerts` - security solution --> `siem` - apm --> `apm` So an `apm.error_rate` rule created in stack will have: - consumer: `alerts` and producer: `apm` An `apm.error_rate` rule created in apm will have: - consumer: `apm` and producer: `apm` `kibana.alert.rule.rule_type_id` will refer to a rule's rule type id. Examples: - `apm.error_rate` - `siem.signals` - `siem.threshold` Also renamed the following because `rule.*` fields are meant to be ecs fields pulled from the source/event document, not refer to our rule fields. `rule.name` --> `kibana.alert.rule.name` will refer to the rule's name. `rule.category` --> `kibana.alert.rule.category` will refer to the rule's category. `rule.id` --> `kibana.alert.rule.uuid` will refer to the rule's uuid.
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
kibanamachine
added a commit
that referenced
this pull request
Aug 11, 2021
### Summary ### Fields used moving forward `kibana.alert.rule.consumer` will refer to the context in which a rule instance is created. Rules created in: - stack --> `alerts` - security solution --> `siem` - apm --> `apm` `kibana.alert.rule.producer` will refer to the plugin that registered a rule type. Rules registered in: - stack --> `alerts` - security solution --> `siem` - apm --> `apm` So an `apm.error_rate` rule created in stack will have: - consumer: `alerts` and producer: `apm` An `apm.error_rate` rule created in apm will have: - consumer: `apm` and producer: `apm` `kibana.alert.rule.rule_type_id` will refer to a rule's rule type id. Examples: - `apm.error_rate` - `siem.signals` - `siem.threshold` Also renamed the following because `rule.*` fields are meant to be ecs fields pulled from the source/event document, not refer to our rule fields. `rule.name` --> `kibana.alert.rule.name` will refer to the rule's name. `rule.category` --> `kibana.alert.rule.category` will refer to the rule's category. `rule.id` --> `kibana.alert.rule.uuid` will refer to the rule's uuid. Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
48 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Trying to align on field naming. In the code there seems to be the following that are all referencing the context in which a rule instance was created (rules created in stack have consumer of
alerts):rule.consumerskibana.alert.consumerkibana.alert.consumerskibana.alert.rule.consumerskibana.alert.ownerIn the code there are also the following all referencing a rule's alert type (ex:
apm.error_rate):rule.idkibana.alert.rule.rule_type_idIt's my understanding that these are all meant to refer to the same thing - the single feature which created the rule instance. So if a rule was created in security solution, the consumer is
siem, if created in apm it'sapm. Observability and the rule registry were usingkibana.alert.ownerthough it'd been on the list to update tokibana.alert.consumerand security solution was usingkibana.alert.owners. The other ones were there as fields but not being used.I think there is some confusion as to what
consumeris meant to denote. It should denote the same thing it does for rules rbac. If there's other context we want to save on an alert, that should be considered a different field, theconsumerfield was meant to be specific to role based access logic shared with alerting framework.Fields used moving forward
kibana.alert.rule.consumerwill refer to the context in which a rule instance is created. Rules created in:alertssiemapmkibana.alert.rule.producerwill refer to the plugin that registered a rule type. Rules registered in:alertssiemapmSo an
apm.error_raterule created in stack will have:alertsand producer:apmAn
apm.error_raterule created in apm will have:apmand producer:apmkibana.alert.rule.rule_type_idwill refer to a rule's rule type id. Examples:apm.error_ratesiem.signalssiem.thresholdAlso renamed the following because
rule.*fields are meant to be ecs fields pulled from the source/event document, not refer to our rule fields.rule.name-->kibana.alert.rule.namewill refer to the rule's name.rule.category-->kibana.alert.rule.categorywill refer to the rule's category.rule.id-->kibana.alert.rule.uuidwill refer to the rule's uuid.To test
Add the following to your
kibana.dev.yml:Create a custom rule with query
*:*.Run
yarn test:generatewithinx-pack/plugins/security_solutionObserve the magic (alerts should show up in table).