Siem query rule - reduce field_caps usage #184890
Conversation
mattkime
added
Team:DataDiscovery
mattkime
changed the title
| if (filters) { | ||
| const filtersArr = Array.isArray(filters) ? filters : [filters]; | ||
| for (const f of filtersArr) { | ||
| fields = fields.concat(f?.meta?.key); |
There was a problem hiding this comment.
fields = fields.concat(f?.meta?.key);
The optional chaining worries me. It was needed to pass the functional test. I'd rather figure out where the filter is being composed and determine whether this is being handled correctly.
x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/create_query_alert_type.test.ts produces [ 'user.name', 'user.name' ] at this line of code
There was a problem hiding this comment.
There are a couple of use cases here to be aware of:
- Filters coming from the unified search bar
a. "Regular" filters where a field is specified (wheremeta.keyis present)
b. "Custom" filters ("Edit as query DSL", wheremeta.keyis not present butmetais) - Any other Elasticsearch query DSL filter that gets passed in by consumers (not coming from unified search, and these probably won't have a
metakey at all)
We should probably also update this logic to filter out filters from unified search bar that are disabled (meta.disabled === true) since those aren't needed in the call to field_caps.
There was a problem hiding this comment.
Any other Elasticsearch query DSL filter that gets passed in by consumers (not coming from unified search, and these probably won't have a meta key at all)
Based on this it sounds like the change is necessary.
Additionally, we should only be appending if meta.key exists. And, for completeness, if meta.disabled !== true
|
/ci |
|
Pinging @elastic/kibana-data-discovery (Team:DataDiscovery) |
src/plugins/data/common/search/search_source/query_to_fields.ts
Outdated
Show resolved
Hide resolved
src/plugins/data/common/search/search_source/query_to_fields.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Thanks for this improvement Matt! Looks fine overall. I tested a custom query rule manually to verify that wildcards in field names are still processed. I also verified that we have integration tests for wildcards in field names for custom query rules that still pass.
...ecurity_solution/server/lib/detection_engine/rule_types/create_security_rule_type_wrapper.ts
Outdated
Show resolved
Hide resolved
| @@ -59,7 +61,11 @@ export const getFilter = async ({ | |||
| query, | |||
| exceptionFilter, | |||
| fields = [], | |||
There was a problem hiding this comment.
A note for follow up from security: we should split this function into 3 functions, one that loads fields automatically, one that requires fields to be passed in, and one that does not handle fields at all. Then we should explicitly call the version we want for each use case instead of trying to ensure that the parameters are passed in as expected.
There was a problem hiding this comment.
Hey @marshallmain - can you open a ticket to track this a tech debt?
|
/ci |
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Page load bundle
History
To update your PR or re-run it, just comment with: cc @mattkime |
kibanamachine
added
v8.15.0
backport:skip
## Summary Previously, the siem query rule loaded the full set of fields for an index pattern when running a query. This could load 5k fields or more. Now it only loads the fields necessary for the query. Changes as part of this PR - The data plugin exports `queryToFields` which takes a query and returns a list of the fields required to translate the query to ES DSL. - `queryToFields` properly handles all filter types, previously expected unified search bar provided filters. - `createSecurityRuleTypeWrapper` has been modified to skip field loading for the siem query rule - `getFilter` takes an optional `loadFields` arguments which loads only necessary fields - `getQueryFilterLoadFields` was created - based on `getQueryFilter` but also loads necessary fields
This reverts commit 257ef7f.
This reverts commit 257ef7f. ## Summary Summarize your PR. If it involves visual changes include a screenshot or gif. ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) ### Risk Matrix Delete this section if it is not applicable to this PR. Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release. When forming the risk matrix, consider some of the following examples and how they may potentially impact the change: | Risk | Probability | Severity | Mitigation/Notes | |---------------------------|-------------|----------|-------------------------| | Multiple Spaces—unexpected behavior in non-default Kibana Space. | Low | High | Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces. | | Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks. | High | Low | Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure. | | Code should gracefully handle cases when feature X or plugin Y are disabled. | Medium | High | Unit tests will verify that any feature flag or plugin combination still results in our service operational. | | [See more potential risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) | ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
## Summary #184890 was reverted in #186196 because it contained a bug with alerts created using Lucene queries. The bug was fixed in #186217. This PR un-reverts the original changes and preserves the fix. It also adds unit tests to cover the failed cases. ### Checklist - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
Summary
Previously, the siem query rule loaded the full set of fields for an index pattern when running a query. This could load 5k fields or more. Now it only loads the fields necessary for the query.
Changes as part of this PR
queryToFieldswhich takes a query and returns a list of the fields required to translate the query to ES DSL.queryToFieldsproperly handles all filter types, previously expected unified search bar provided filters.createSecurityRuleTypeWrapperhas been modified to skip field loading for the siem query rulegetFiltertakes an optionalloadFieldsarguments which loads only necessary fieldsgetQueryFilterLoadFieldswas created - based ongetQueryFilterbut also loads necessary fields