Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] Alert Telemetry for the Security app #77200

Merged
merged 27 commits into from
Sep 30, 2020
Merged

Conversation

tsg
Copy link
Contributor

@tsg tsg commented Sep 10, 2020

Summary

This adds a TelemetryEventsSender component that can be used to publish Endpoint alerts to our Telemetry service. The alerts are filtered by a set of allowed fields (for PII) and batched in a queue to be sent once per minute. There is a cap of 100 alerts per minute to be sent. The component respects the telemetry opt-in status and enriches the alerts with the cluster ID and name.

The Detection Engine is slightly modified to send endpoint telemetry events via the TelemetryEventsSender. Only the the "custom query" rule type is modified because that's the only one that can create Endpoint Alerts.

Remaining TODOs:

  • actually send the alerts once the URL is finalized
  • filter-out non-endpoint alerts (currently sends them all for testing)
  • retrieve the cluster-ID and license info and include it in the telemetry
  • set sending time to 1m

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@tsg
Copy link
Contributor Author

tsg commented Sep 18, 2020

@elasticmachine merge upstream

tsg added 5 commits September 23, 2020 12:44
This is using recursion now.

Also, based on Xavier's review,  moved up the try and the isSending check to avoid building up
queries.
// Allow list for the data we include in the events. True means that it is deep-cloned
// blindly. Object contents means that we only copy the fields that appear explicitly in
// the sub-object.
const allowlistEventFields: AllowlistFields = {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me. FYI @bfilar @pjhampton @jeska

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Member

@spong spong left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Detections changes LGTM! 👍

@tsg tsg marked this pull request as ready for review September 30, 2020 11:56
@tsg tsg requested review from a team as code owners September 30, 2020 11:56
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@tsg tsg requested a review from XavierM September 30, 2020 11:56
@tsg
Copy link
Contributor Author

tsg commented Sep 30, 2020

@elasticmachine merge upstream

Copy link
Contributor

@XavierM XavierM left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well done!

Tudor 1 - Typescript 0

image

@XavierM
Copy link
Contributor

XavierM commented Sep 30, 2020

@elasticmachine merge upstream

@tsg
Copy link
Contributor Author

tsg commented Sep 30, 2020

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

distributable file count

id value diff baseline
default 45828 +2 45826

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@tsg tsg merged commit 49c8ff3 into elastic:master Sep 30, 2020
phillipb added a commit to phillipb/kibana that referenced this pull request Sep 30, 2020
…aly-detection-partition-field

* 'master' of github.com:elastic/kibana: (37 commits)
  Fixes for the Ticket 78375 (elastic#79004)
  [Security] Alert Telemetry for the Security app (elastic#77200)
  [Search bar] Remove duplicate `popoverProps` (elastic#79025)
  [Security Solution][Detections] Add rule overrides for single event EQL rules (elastic#78876)
  [SECURITY_SOLUTION][ENDPOINT] Improve Endpoint Host data generator to also integrate with Ingest (elastic#74305)
  remove file accidentally checked in (elastic#79005)
  [ML] DF Analytics creation wizard: replace select input with job type cards with icons (elastic#78872)
  [Design] A couple fixes for 7.10 (elastic#78801)
  Fix KQL autocomplete value suggestions (elastic#78676)
  [Security Solution][Resolver] New mock with cursor (elastic#78863)
  Embeddables: basic documentation (elastic#78900)
  [security solution] only import beat_schema when needed (elastic#78708)
  [Reporting] API Integration tests: fix flaky tests for Spaces CSV formatting (elastic#78849)
  [Actions] Adds a "Test Connector" button on the Connectors List to make discovery of the Test tab easier (elastic#78746)
  [Discover] Fix functional time picker test permissions (elastic#78564)
  [ML] Fixing module datafeed overrides (elastic#78925)
  Adds some missing licenses to the CSV export (elastic#78719)
  [dev/cli] ensure plugins/ and all watch source dirs exist (elastic#78973)
  [Lens] Stop using scripted metric to collect telemetry (elastic#78687)
  [Lens] fix wrong message in fields accordion (elastic#78924)
  ...
tsg added a commit that referenced this pull request Oct 1, 2020
This adds a `TelemetryEventsSender` component that can be used to publish Endpoint alerts to our Telemetry service. The alerts are filtered by a set of allowed fields (for PII) and batched in a queue to be sent once per minute. There is a cap of 100 alerts per minute to be sent. The component respects the telemetry opt-in status and enriches the alerts with the cluster ID and name.

The Detection Engine is slightly modified to send endpoint telemetry events via the `TelemetryEventsSender`. Only the "custom query" rule type is modified because that's the only one that can create Endpoint Alerts.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
@tsg tsg mentioned this pull request Nov 24, 2020
14 tasks
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:Telemetry release_note:enhancement Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.10.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants