[Security Solution][Detection Engine] adds legacy siem signals telemetry #202671

Merged

Conversation

@vitaliidm (Contributor) commented Dec 3, 2024

Summary

  • partly addresses [Detection Engine][9.0] Deprecate legacy siem signals migration endpoints #195523
  • adds snapshot telemetry that shows number of legacy siem signals and number of spaces they are in
  • while working on the PR, discovered and fixed a few issues in APIs
    • get migration status API did not work correctly with new `.alerts-*` indices, listing them as outdated
    • finalize migration API did account for spaces, when adding the alias to the migrated index
    • remove migration API failed due to lack of permissions to remove the migration task from the `.tasks` index

How to test

How to create legacy siem index?

Run the script that is used for FTR tests:

```bash
node scripts/es_archiver --kibana-url=http://elastic:changeme@localhost:5601 --es-url=http://elastic:changeme@localhost:9200 load x-pack/test/functional/es_archives/signals/legacy_signals_index
```

This creates legacy siem indices. Be aware that it might break Kibana `.alerts` indices creation, but it is sufficient for testing.

How to test snapshot telemetry

For snapshot telemetry use an API call (https://docs.elastic.dev/telemetry/collection/snapshot-telemetry#telemetry-usage-payload-api)
OR
Check snapshots in Kibana adv settings -> Global Settings Tab -> Usage collection section -> Click on cluster data example link -> Check `legacy_siem_signals` fields in flyout

[Screenshot: snapshot telemetry, 2024-12-03 13:08 (https://github.com/user-attachments/assets/28ffe983-01c7-4435-a82a-9a968d32d5e0)]
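The telemetry described in the summary is a pair of counters derived from index names: how many non-migrated legacy signals indices exist and how many spaces they belong to, with the `.alerts-*` indices (which the old migration-status check wrongly listed as outdated) excluded. The TypeScript below is an added illustration of that computation written for this page; it is not the PR's code or Kibana's. It assumes the legacy indices are named `.siem-signals-<spaceId>-<NNNNNN>`, that the new alerts-as-data indices are `.internal.alerts-security.alerts-<spaceId>-<NNNNNN>` behind `.alerts-security.alerts-<spaceId>` aliases, that in 8.x the legacy `.siem-signals-<spaceId>` alias is also attached to the new indices (which is why resolving it can return both kinds), and that the `legacy_siem_signals` sub-field names are illustrative; the index list is constructed.

```typescript
// Added example for this page, not Kibana's or the PR's own code.
// Computes the `legacy_siem_signals` counters described in the PR summary
// (non-migrated legacy indices and the spaces they live in) while ignoring
// the new `.alerts-*` / `.internal.alerts-*` indices that the old
// migration-status check mistakenly reported as outdated.
//
// Assumed (not stated on the page): legacy indices are named
// `.siem-signals-<spaceId>-<NNNNNN>`; the legacy `.siem-signals-<spaceId>`
// alias may also resolve to new `.internal.alerts-security.alerts-*`
// backing indices; the sub-field names below are illustrative.

const LEGACY_PREFIX = '.siem-signals-';
const NEW_ALERTS_PREFIXES: string[] = ['.alerts-', '.internal.alerts-'];

interface LegacySiemSignalsUsage {
  legacy_siem_signals: {
    non_migrated_indices_total: number; // assumed field name
    spaces_total: number; // assumed field name
  };
}

/** True when `index` begins with `prefix` (ES5-safe, no String.startsWith). */
function hasPrefix(index: string, prefix: string): boolean {
  return index.slice(0, prefix.length) === prefix;
}

/** True for indices owned by the alerts-as-data framework. */
function isNewAlertsIndex(index: string): boolean {
  return NEW_ALERTS_PREFIXES.some((prefix) => hasPrefix(index, prefix));
}

/**
 * Space id of a legacy signals index, e.g.
 * `.siem-signals-my-space-000001` -> `my-space`; undefined for anything else.
 */
function legacySignalsSpace(index: string): string | undefined {
  if (isNewAlertsIndex(index) || !hasPrefix(index, LEGACY_PREFIX)) {
    return undefined;
  }
  const rest = index.slice(LEGACY_PREFIX.length);
  // Lazy group keeps hyphenated space ids whole; the optional suffix drops a
  // six-digit rollover generation such as `-000001` when present.
  const match = /^(.+?)(?:-\d{6})?$/.exec(rest);
  return match ? match[1] : undefined;
}

/**
 * The indices a migration-status check should treat as legacy: everything the
 * legacy alias resolves to, minus the new alerts indices. Without the
 * `isNewAlertsIndex` filter, `.internal.alerts-*` backing indices would be
 * reported as outdated legacy indices, which is the bug the PR summary names.
 */
function nonMigratedIndices(resolved: string[]): string[] {
  return resolved.filter((index) => legacySignalsSpace(index) !== undefined);
}

/** Builds the snapshot-telemetry payload from the indices the collector sees. */
function collectLegacySiemSignalsUsage(indices: string[]): LegacySiemSignalsUsage {
  const legacy = nonMigratedIndices(indices);
  const spaces = legacy
    .map((index) => legacySignalsSpace(index) as string)
    .filter((space, i, all) => all.indexOf(space) === i); // de-duplicate
  return {
    legacy_siem_signals: {
      non_migrated_indices_total: legacy.length,
      spaces_total: spaces.length,
    },
  };
}

// Constructed sample of what resolving `.siem-signals-*` could return on a
// partly migrated two-space cluster (not real cluster output).
const SAMPLE_INDICES: string[] = [
  '.siem-signals-default-000001',
  '.siem-signals-default-000002',
  '.siem-signals-my-space-000001',
  '.internal.alerts-security.alerts-default-000001',
  '.internal.alerts-security.alerts-my-space-000001',
  '.alerts-security.alerts-default',
];

console.log(JSON.stringify(collectLegacySiemSignalsUsage(SAMPLE_INDICES)));
```

The filter in `nonMigratedIndices` is the part that matters for the status-API bug: an alias lookup that returns both kinds of backing index must drop the alerts-as-data ones before anything is declared outdated, otherwise a fully migrated space still shows up as needing migration.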

@vitaliidm vitaliidm self-assigned this Dec 3, 2024
@vitaliidm added labels Dec 3, 2024: release_note:skip (Skip the PR/issue when compiling release notes), Team:Detections and Resp (Security Detection Response Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), backport:prev-minor (Backport to (8.x) the previous minor version, i.e. one version back from main), Team:Detection Engine (Security Solution Detection Engine Area)
@vitaliidm vitaliidm marked this pull request as ready for review December 3, 2024 17:51
@vitaliidm vitaliidm requested review from a team as code owners December 3, 2024 17:51
@vitaliidm vitaliidm requested a review from rylnd December 3, 2024 17:51
@elasticmachine: Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine: Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine: Pinging @elastic/security-detection-engine (Team:Detection Engine)

@TinaHeiligers (Contributor) left a comment

Usage collection for snapshot telemetry LGTM. Tested locally too.

@rylnd (Contributor) left a comment

Tested locally, thanks for the instructions on booting up a legacy index!

Thanks also for documenting/fixing/improving this code while adding the telemetry!

@@ -57,7 +56,6 @@ export const deleteMigration = async ({
});
}

await esClient.delete({ index: '.tasks', id: taskId });
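Review bot: the `await esClient.delete({ index: '.tasks', id: taskId });` line that closes this hunk is the call the PR summary says failed for lack of permissions on the `.tasks` index, and the header (`-57,7 +56,6`) shows a net removal of one line, but the excerpt does not show which client now issues the delete; confirm it runs with a client that is allowed to delete documents from the `.tasks` system index (an internal client rather than the request user's), and that a 403 or 404 from this call is handled explicitly instead of surfacing as a generic 500 from the delete-migration endpoint.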
Thanks again for tracking this one down 👍

@@ -40,12 +42,11 @@ export const replaceSignalsIndexAlias = async ({
],
},
});
// TODO: space-aware?
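Review bot: the `// TODO: space-aware?` comment that closes this hunk in `replaceSignalsIndexAlias` should not survive the change: the PR summary lists a fix to the finalize-migration API for how spaces are handled when the alias is added to the migrated index, so either this TODO is the stale line being removed (the header `-40,12 +42,11` is consistent with a net one-line removal) or it should be replaced with a comment stating which space-scoped alias the function now writes; the excerpt does not let a reviewer tell which, and an open question about space-awareness next to code that was just changed for spaces will mislead the next reader.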
@szaffarano (Contributor) left a comment

LGTM

@elasticmachine: 💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
| --- | --- | --- | --- |
| @kbn/securitysolution-es-utils | 76 | 77 | +1 |

Unknown metric groups

API count

| id | before | after | diff |
| --- | --- | --- | --- |
| @kbn/securitysolution-es-utils | 87 | 88 | +1 |

ESLint disabled line counts

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 560 | 564 | +4 |

Total ESLint disabled count

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 644 | 648 | +4 |

History

cc @vitaliidm

@vitaliidm vitaliidm merged commit 8821e03 into elastic:main Dec 11, 2024
8 checks passed
@kibanamachine: Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12274008928

kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Dec 11, 2024
…try (elastic#202671)

Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
(cherry picked from commit 8821e03)
@kibanamachine: 💚 All backports created successfully (branch: 8.x)

Note: Successful backport PRs will be merged automatically after passing CI.

Questions? Please refer to the Backport tool documentation (https://github.com/sqren/backport).

kibanamachine added a commit that referenced this pull request Dec 11, 2024
…telemetry (#202671) (#203744)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution][Detection Engine] adds legacy siem signals
telemetry (#202671)](#202671)

Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
…try (elastic#202671)

Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
Labels: backport:prev-minor, release_note:skip, Team:Detection Engine, Team:Detections and Resp, Team: SecuritySolution, v8.18.0, v9.0.0
6 participants