
[SECURITY SOLUTION] exclude cloud alias index from our query #81551

Merged
merged 3 commits into from
Oct 26, 2020

Conversation

XavierM

@XavierM XavierM commented Oct 23, 2020

Summary

If a user enabled the new cloud logging functionality, they will end up with a plethora of “hosts” from the logs event even if the user only has 1 endpoint enrolled.

[image]

To remediate this problem, we exclude all the Elastic Cloud logs from all our queries inside the security solution by using this index alias: -*elastic-cloud-logs-*

@MikePaquette if we want we can be a little bit fancier and just exclude -*elastic-cloud-logs-* when the alias logs-* has been selected.

Checklist

@XavierM XavierM added bug Fixes for quality problems that affect the customer experience release_note:enhancement v8.0.0 impact:critical This issue should be addressed immediately due to a critical level of impact on the product. v7.10.0 Team:Threat Hunting Security Solution Threat Hunting Team labels Oct 23, 2020
@XavierM XavierM requested review from a team as code owners October 23, 2020 01:31
@XavierM XavierM self-assigned this Oct 23, 2020
@MikePaquette

Thanks @XavierM

@MikePaquette if we want we can be a little bit fancier and just exclude -*elastic-cloud-logs-* when the alias logs-* has been selected.

Yes, I like that option. This way, if a user wants to collect their cloud logs, they can replace the logs-* with a more specific set of index patterns/aliases.


@MikePaquette MikePaquette left a comment


I like your suggestion of only adding this exclusion when logs-* is present. We should document this behavior.
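The rule agreed on in this thread (append the cloud-logs exclusion only when the broad `logs-*` alias is among the selected patterns) and its effect on the inflated host list from the PR description, as an added example. This is not Kibana's own code: `buildIndexPatterns`, `resolveIndices` and `distinctHosts` are names chosen here, the resolution logic is a simplified model of how Elasticsearch expands index patterns and exclusions, and the index, alias and host names in `SAMPLE_INDICES` and `SAMPLE_DOCS` are constructed (the real Elastic Cloud index layout is not described on the page).

```typescript
// Added example, not Kibana's code. Applies the PR's rule: add the
// `-*elastic-cloud-logs-*` exclusion only when the broad `logs-*` alias is
// selected, and shows how that changes the set of hosts a query reports.
// SAMPLE_INDICES / SAMPLE_DOCS are constructed for this example.

const BROAD_LOGS_PATTERN = 'logs-*';
const CLOUD_LOGS_EXCLUSION = '-*elastic-cloud-logs-*';

interface IndexInfo {
  name: string;      // concrete index name
  aliases: string[]; // alias names that resolve to this index
}

interface Doc {
  index: string; // concrete index the event lives in
  host: string;  // host.name of the event
}

// Constructed layout: one enrolled endpoint plus cloud logging indices that the
// broad `logs-*` alias also reaches (alias names are assumptions).
const SAMPLE_INDICES: IndexInfo[] = [
  { name: '.ds-logs-endpoint.events.process-default-000001', aliases: ['logs-endpoint.events.process-default'] },
  { name: '.ds-logs-endpoint.alerts-default-000001', aliases: ['logs-endpoint.alerts-default'] },
  { name: 'elastic-cloud-logs-7-2020.10.23-000001', aliases: ['logs-elastic-cloud'] },
];

const SAMPLE_DOCS: Doc[] = [
  { index: '.ds-logs-endpoint.events.process-default-000001', host: 'laptop-01' },
  { index: '.ds-logs-endpoint.alerts-default-000001', host: 'laptop-01' },
  { index: 'elastic-cloud-logs-7-2020.10.23-000001', host: 'instance-0000000001' },
  { index: 'elastic-cloud-logs-7-2020.10.23-000001', host: 'instance-0000000002' },
  { index: 'elastic-cloud-logs-7-2020.10.23-000001', host: 'instance-0000000003' },
];

// Keep the user's patterns as given (trimmed, de-duplicated) and append the
// cloud exclusion only when `logs-*` is present; a narrower selection such as
// `logs-endpoint.*` is left exactly as the user chose it.
function buildIndexPatterns(selected: string[]): string[] {
  const patterns = Array.from(new Set(selected.map((p) => p.trim()).filter((p) => p.length > 0)));
  if (patterns.includes(BROAD_LOGS_PATTERN) && !patterns.includes(CLOUD_LOGS_EXCLUSION)) {
    patterns.push(CLOUD_LOGS_EXCLUSION);
  }
  return patterns;
}

// Turn an index-pattern glob (only `*` is a wildcard) into an anchored RegExp.
function globToRegExp(glob: string): RegExp {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${escaped}$`);
}

// Simplified model of index-name resolution: a pattern matches an index by its
// own name or by any of its aliases; a pattern starting with `-` removes
// indices matched so far. Returns concrete index names.
function resolveIndices(patterns: string[], indices: IndexInfo[]): string[] {
  const matches = (glob: string, idx: IndexInfo): boolean => {
    const re = globToRegExp(glob);
    return re.test(idx.name) || idx.aliases.some((a) => re.test(a));
  };
  const selected = new Set<string>();
  for (const p of patterns) {
    if (p.startsWith('-')) {
      indices.filter((idx) => matches(p.slice(1), idx)).forEach((idx) => selected.delete(idx.name));
    } else {
      indices.filter((idx) => matches(p, idx)).forEach((idx) => selected.add(idx.name));
    }
  }
  return Array.from(selected);
}

// Distinct host.name values a query over `patterns` would report, sorted.
function distinctHosts(patterns: string[], indices: IndexInfo[], docs: Doc[]): string[] {
  const visible = new Set(resolveIndices(patterns, indices));
  return Array.from(new Set(docs.filter((d) => visible.has(d.index)).map((d) => d.host))).sort();
}

// Before the fix the broad alias pulls in the cloud logging hosts; after it,
// only the enrolled endpoint is left.
const hostsBefore = distinctHosts(['logs-*'], SAMPLE_INDICES, SAMPLE_DOCS);
const hostsAfter = distinctHosts(buildIndexPatterns(['logs-*']), SAMPLE_INDICES, SAMPLE_DOCS);
console.log(hostsBefore.length, hostsAfter.length); // 4 1
```

The exclusion is appended rather than baked into a default pattern so that a user who deliberately narrows or replaces `logs-*` (the option MikePaquette describes above) gets exactly the indices they asked for, cloud logs included if they want them.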


@patrykkopycinski patrykkopycinski left a comment


💪

@kibanamachine

💚 Build Succeeded

Metrics [docs]

async chunks size

id before after diff
securitySolution 8.1MB 8.1MB +1.5KB


@XavierM XavierM merged commit 96fd83b into elastic:master Oct 26, 2020
XavierM added a commit to XavierM/kibana that referenced this pull request Oct 26, 2020
…#81551)

* exclude cloud alias index

* only exclude cloud alias when logs-* is there
XavierM added a commit to XavierM/kibana that referenced this pull request Oct 26, 2020
…#81551)

* exclude cloud alias index

* only exclude cloud alias when logs-* is there
XavierM added a commit that referenced this pull request Oct 26, 2020
…#81634)

* exclude cloud alias index

* only exclude cloud alias when logs-* is there
XavierM added a commit that referenced this pull request Oct 26, 2020
…#81635)

* exclude cloud alias index

* only exclude cloud alias when logs-* is there
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020