[Request] [Detection Engine] add EQL alert suppression docs for non-sequence queries #4977
Comments
@rylnd if you still need it, here are some options for the scenarios listed above.
Scenario 1: Tooltip that lets users know that alert suppression isn't supported for sequence queries:
Scenario 2: Validation message that displays when users change a non-sequence query to a sequence query:
Let me know if you have questions, concerns, or suggestions for any of these.
Action items from meeting with @rylnd today:
These were discussed in elastic/security-docs#4977
Recording here for posterity: @banderror made the point that we may want to reference the current "execute but with a warning, and ignoring suppression" behavior for EQL sequence rules. We do refer to "non-sequence EQL rules" throughout this PR, but perhaps we want to reference this behavior for explicitness' sake.
…nce based queries (#176422)

# Summary
- Address adding suppression to EQL rules https://github.com/elastic/security-team/issues/7773
- Milestone details https://github.com/elastic/security-team/issues/8432

## Checklist
- [x] Functional changes are hidden behind a feature flag. If not hidden, the PR explains why these changes are being implemented in a long-living feature branch.
- [x] Functional changes are covered with a test plan and automated tests. [Test plan](https://github.com/elastic/security-team/pull/9155)
- [ ] Stability of new and changed tests is verified using the [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner) in both ESS and Serverless. By default, use 200 runs for ESS and 200 runs for Serverless.
  * Cypress ESS: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5686
  * Cypress Serverless: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5687
  * FTR ESS: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5688
  * FTR Serverless: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5689
- [x] Comprehensive manual testing is done by two engineers: the PR author and one of the PR reviewers. Changes are tested in both ESS and Serverless.
- [x] Mapping changes are accompanied by a technical design document. It can be a GitHub issue or an RFC explaining the changes. The design document is shared with and approved by the appropriate teams and individual stakeholders.
- [ ] (OPTIONAL) OpenAPI specs changes include detailed descriptions and examples of usage and are ready to be released on https://docs.elastic.co/api-reference. NOTE: This is optional because at the moment we don't have yet any OpenAPI specs that would be fully "documented" and "GA-ready" for publishing on https://docs.elastic.co/api-reference.
- [x] Functional changes are communicated to the Docs team. A ticket is opened in https://github.com/elastic/security-docs using the [`Internal documentation request (Elastic employees)`](https://github.com/elastic/security-docs/issues/new?assignees=&labels=&projects=&template=docs-request-internal.yaml&title=%5BRequest%5D+) template. The following information is included: feature flags used, target ESS version, planned timing for ESS and Serverless releases.
- [x] Check if in timeline we can show the suppression count column when the user clicks on investigate on timeline for Eql suppressed Alerts (#180976)

## Related Issues
* Sub-PRs
  - Address EQL schema changes PR #176391
  - Adding Feature flag PR and updating the Frontend Part in Rule Create/Edit #176398
  - Adding Backend changes and FTR tests #176597
  - Fix Investigate in Timeline for the Suppressed Alerts #177839
  - Add Cypress e2e tests #177870
  - Disable EQL sequence suppression in the UI and fix Cypress `after` esArchive path #178531
  - Docs Issue elastic/security-docs#4977
  - Test plan https://github.com/elastic/security-team/pull/9155

## Screenshots/recordings
### Non-Sequence Suppression
1. Rule creation, Suppression based on a single value https://github.com/elastic/kibana/assets/12671903/8d168bce-15d3-45c2-a5dc-238b3ac01626
2. Rule creation, Suppression based on an array of values https://github.com/elastic/kibana/assets/12671903/0e3312a9-4eae-476b-9c1e-c68189bbaf95
3. Investigate In Timeline https://github.com/elastic/kibana/assets/12671903/e10c8668-4d5b-4748-b8a1-678603b4a8a5
### Disabled Sequence Suppression
1. UI https://github.com/elastic/kibana/assets/12671903/01faa649-ca8b-43e4-a398-42ab242e7a72

---------
Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
Co-authored-by: Georgii Gorbachev <georgii.gorbachev@elastic.co>
Thanks @banderror and @rylnd for the feedback. I think the warnings that display on the Rules page, the rule details page, and the rule execution log do a great job of communicating this temporary limitation. Also AFAIK, the UI doesn't offer a way to configure suppression on an EQL rule that's using a sequence query. Users would have to use the create/update rule APIs if they wanted to do this, and suppression still wouldn't work after they enabled the rule. At that point, the warnings that @rylnd added to the UI would pop up and inform users that their suppression configuration isn't supported.
ESS and Serverless docs merged!
Description
Implementing alert suppression for EQL non-sequence-based alerts while disabling it for sequence alerts involves two main scenarios:
Scenario 1:
When a user inputs a sequence query, suppression fields are automatically disabled. A tooltip appears when hovering over any suppression field, indicating "Suppression is not enabled for EQL sequence queries."
Scenario 2:
If suppression fields are configured prior, and the user edits an EQL rule that wasn't originally a sequence query but is changed to one, a validation error occurs below the suppression group by fields. The error message states: "Suppression is not enabled for EQL sequence queries. Please reset the suppression fields." Once the user removes the suppression fields, they are disabled, following the behavior outlined in Scenario 1.
Explaining the second Scenario:
https://github.com/elastic/security-docs/assets/12671903/9eafe84e-c8dd-4c39-9c90-5c76ea2b8e9a
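The two scenarios above, together with the group-by limits and array-value handling described under Details, reduce to a small set of checks. The following is an added example written for this page, not Kibana's own code: it validates the `alert_suppression` block of an EQL rule the way the UI does (reject sequence queries, require 1 to 3 `group_by` fields) and models how `kibana.alert.suppression.terms` is built, keeping an array-valued field as one term so its values are suppressed together. Assumptions: the rule body follows the public detection-rules API shape (`alert_suppression.group_by`, `.duration`, `.missing_fields_strategy`, with the strategy names `suppress` / `doNotSuppress` taken from the query-rule case); the sequence check is a keyword heuristic rather than Kibana's EQL parser; `suppress_events` is a hypothetical in-memory model with no time window; the events and rule are constructed sample data.

```python
# Added example, not Kibana code. Assumptions: API body shape for alert_suppression,
# missing_fields_strategy names from the query-rule API, keyword-based sequence check,
# and suppress_events() as a hypothetical in-memory model (no suppression window).
import re
from typing import Any, Optional

MIN_GROUP_BY, MAX_GROUP_BY = 1, 3
SEQUENCE_ERROR = ("Suppression is not enabled for EQL sequence queries. "
                  "Please reset the suppression fields.")
# EQL sequence queries open with the `sequence` keyword; matched case-insensitively to be conservative.
_SEQUENCE_RE = re.compile(r"^\s*sequence\b", re.IGNORECASE)


def is_sequence_query(query: str) -> bool:
    """True for `sequence ...` queries; // and /* */ comments are stripped first so they cannot hide the keyword."""
    query = re.sub(r"/\*.*?\*/", " ", query, flags=re.DOTALL)
    query = re.sub(r"//[^\n]*", " ", query)
    return _SEQUENCE_RE.match(query) is not None


def validate_eql_suppression(rule: dict) -> list[str]:
    """Validation errors for an EQL rule's alert_suppression block; an empty list means the rule is accepted."""
    suppression = rule.get("alert_suppression")
    if suppression is None or rule.get("type") != "eql":
        return []
    errors = []
    if is_sequence_query(rule.get("query", "")):
        errors.append(SEQUENCE_ERROR)          # Scenario 2 message; Scenario 1 disables the fields up front
    n = len(suppression.get("group_by", []))
    if not MIN_GROUP_BY <= n <= MAX_GROUP_BY:
        errors.append(f"group_by must name {MIN_GROUP_BY} to {MAX_GROUP_BY} fields, got {n}")
    return errors


def _lookup(event: dict, path: str) -> Any:
    """Resolve a dotted field against flat ("host.name") or nested ({"host": {"name": ...}}) events."""
    if path in event:
        return event[path]
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def suppression_terms(event: dict, group_by: list[str]) -> Optional[list[dict]]:
    """kibana.alert.suppression.terms for one event, or None when a group_by field is missing.

    An array-valued field stays a single term whose value is the whole array, so the event
    groups with others carrying the same array instead of fanning out one group per element.
    """
    terms = []
    for field in group_by:
        value = _lookup(event, field)
        if value is None:
            return None
        terms.append({"field": field, "value": value})
    return terms


def _group_key(terms: list[dict]) -> tuple:
    # Lists are unhashable, so an array value becomes a tuple; element order is kept as found.
    return tuple((t["field"], tuple(t["value"]) if isinstance(t["value"], list) else t["value"])
                 for t in terms)


def suppress_events(events: list[dict], suppression: dict, max_signals: int = 100) -> list[dict]:
    """Collapse events into alerts, one per distinct group key, capped at max_signals.

    docs_count is the number of further events folded into an alert after its first one.
    Events missing a group_by field share a null-valued term under "suppress" and are
    emitted one-to-one, without suppression fields, under "doNotSuppress".
    """
    group_by = suppression["group_by"]
    strategy = suppression.get("missing_fields_strategy", "suppress")
    grouped: dict[tuple, dict] = {}
    singles: list[dict] = []
    for event in events:
        terms = suppression_terms(event, group_by)
        if terms is None:
            if strategy == "doNotSuppress":
                singles.append({"event": event})
                continue
            terms = [{"field": f, "value": _lookup(event, f)} for f in group_by]
        key = _group_key(terms)
        if key in grouped:
            grouped[key]["kibana.alert.suppression.docs_count"] += 1
        else:
            grouped[key] = {"event": event, "kibana.alert.suppression.terms": terms,
                            "kibana.alert.suppression.docs_count": 0}
    return (list(grouped.values()) + singles)[:max_signals]


# Constructed sample rule and events (not real ECS data); the rule body mirrors the create/patch API shape.
EXAMPLE_RULE = {
    "type": "eql", "language": "eql", "query": 'process where process.name == "curl"',
    "alert_suppression": {"group_by": ["host.name", "user.name"],
                          "duration": {"value": 5, "unit": "m"},
                          "missing_fields_strategy": "suppress"},
}
SAMPLE_EVENTS = [
    {"host.name": "web-1", "process.name": "curl", "user.name": ["svc", "root"]},
    {"host.name": "web-1", "process.name": "curl", "user.name": ["svc", "root"]},
    {"host.name": "web-1", "process.name": "curl", "user.name": "svc"},
    {"host.name": "web-2", "process.name": "curl"},   # no user.name
    {"host.name": "web-2", "process.name": "curl"},
]

if __name__ == "__main__":
    print(validate_eql_suppression(EXAMPLE_RULE))
    for alert in suppress_events(SAMPLE_EVENTS, EXAMPLE_RULE["alert_suppression"]):
        print(alert["kibana.alert.suppression.terms"], alert["kibana.alert.suppression.docs_count"])
```

Run as a script, the sample collapses five events into three alerts: the two `["svc", "root"]` events fold into one alert with a single array-valued term, the `"svc"` event stands alone, and the two `web-2` events without `user.name` share one alert with a null `user.name` term. Switching the rule to a `sequence` query makes `validate_eql_suppression` return the Scenario 2 message, which is the point at which the UI asks the user to reset the suppression fields.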
Details
When users create an EQL rule, they can specify the fields they want to be grouped for suppression. For EQL rules, the minimum number of field names that can be specified is 1. The max is 3.
The maximum number of alerts that can be suppressed is tied to the `max_signals` setting. If enabling suppression causes the EQL rule to time out during the rule preview or when the rule is enabled and running, there are two possible ways to resolve this:
Fields with an array of values are treated as a single group and suppressed together (i.e., they're treated as a single suppression value). When you check the `kibana.alert.suppression.terms` field, you'll see an array of values for suppressed fields. `suppression.terms` will be an array, not a single value as in the query rule case.
The new `alert_suppression` param for EQL rules has the same functionality as the query rule.
The default maximum number of alerts that can be suppressed for each rule type:
- `max_signals` value (100 by default)
- `max_signals` value (500 by default)
- `max_signals` value (100 by default)
Background & resources
Which documentation set does this change impact?
ESS and serverless
ESS release
8.14
Serverless release
Around 8.14 release
Feature differences
ESS: Alert suppression is available for Platinum license
Serverless: available for Essentials and Complete tiers
API docs impact
Adds `alert_suppression` field to EQL rule create/update/patch rule APIs
Prerequisites, privileges, feature flags
ESS: requires Platinum license
Feature Flag: `alertSuppressionForNonSequenceEqlRuleEnabled`