Entity Analytics 9.4 updates for UEBA integrations#17626
Vale Linting Results
Summary: 1 warning, 9 suggestions found
| File | Line | Rule | Message |
|---|---|---|---|
| packages/ded/docs/README.md | 83 | Elastic.Latinisms | Latin terms and abbreviations are a common source of confusion. Use 'using' instead of 'via'. |
💡 Suggestions (9)
| File | Line | Rule | Message |
|---|---|---|---|
| packages/ded/docs/README.md | 37 | Elastic.WordChoice | Consider using 'refer to if it's a document, view if it's a UI element' instead of 'See', unless the term is in the UI. |
| packages/ded/docs/README.md | 52 | Elastic.Wordiness | Consider using 'if' instead of 'In the event that'. |
| packages/dga/docs/README.md | 84 | Elastic.Repetition | "Detection" is repeated. |
| packages/lmd/docs/README.md | 46 | Elastic.WordChoice | Consider using 'refer to if it's a document, view if it's a UI element' instead of 'See', unless the term is in the UI. |
| packages/lmd/docs/README.md | 76 | Elastic.Clone | Use Clone only when referring to cloning a GitHub repository or creating a copy that is linked to the original. Often confused with 'copy' and 'duplicate'. |
| packages/pad/docs/README.md | 96 | Elastic.Wordiness | Consider using 'if' instead of 'In the event that'. |
| packages/problemchild/docs/README.md | 16 | Elastic.WordChoice | Consider using 'refer to if it's a document, view if it's a UI element' instead of 'see', unless the term is in the UI. |
| packages/problemchild/docs/README.md | 124 | Elastic.WordChoice | Consider using 'refer to if it's a document, view if it's a UI element' instead of 'See', unless the term is in the UI. |
| packages/problemchild/docs/README.md | 126 | Elastic.Repetition | "Detection" is repeated. |
The Vale linter checks documentation changes against the Elastic Docs style guide.
To use Vale locally or report issues, refer to Elastic style guide for Vale.
sodhikirti07 left a comment
@jmcarlock Thanks for making the changes. I've left a few comments around documentation and adding fields to the transforms. Others are some minor changes.
packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/transform.yml
packages/pad/elasticsearch/transform/pivot_transform_win_privilege_list_ea/fields/fields.yml
andrewkroh left a comment
I was giving this a quick look and noticed a pre-existing issue with ECS event.kind in the problemchild pipeline. It makes the event.kind into an array, but in ECS this is a scalar field. So instead of append processors those should be set. It's pre-existing, so feel free to ignore this if you don't want to address it now. I can open an issue for it if you'd like. See
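The scalar-versus-array point raised above, shown as an added ingest pipeline fragment. This is not the problemchild package's own pipeline; the field values (`alert`, `process`, `start`) are placeholders chosen for illustration.

```yaml
# Added example, not the problemchild package's own pipeline; "alert" is a placeholder value.
# Before: `append` always writes an array, so the document ends up with event.kind: ["alert"].
# ECS defines event.kind as a single keyword, not an array.
processors:
  - append:
      field: event.kind
      value: alert
      allow_duplicates: false   # still an array, just without duplicates
---
# After: `set` writes a scalar string, as ECS expects for event.kind.
# `append` remains correct for the ECS fields that are defined as arrays,
# such as event.category and event.type.
processors:
  - set:
      field: event.kind
      value: alert
      override: true            # replace anything an earlier processor wrote
  - append:
      field: event.category
      value: process
      allow_duplicates: false
  - append:
      field: event.type
      value: start
      allow_duplicates: false
```

A quick check after the change is to run a sample document through `POST _ingest/pipeline/_simulate` with the pipeline body and confirm that `event.kind` in the result is a plain string, while `event.category` and `event.type` are lists.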
@andrewkroh Thank you for the review! This was an easy fix so I added it here
@rylnd @abhishekbhatia1710 @dplumlee Along with the PR in Kibana, could you also review this PR for changes relevant to your team? 🙏
peteharverson left a comment
Changes to the ML jobs LGTM
Hi Gus, let's consider cherry-picking the relevant commits from #18038 so that users don't get too many version bumps at once (as opposed to if we merged that PR and this one too)
Convert bold list items to headings so #enable-detection-rules and #enabling-detection-rules anchors resolve in docs-builder.
Affects: ded, dga, lmd, problemchild
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@susan-shu-c Brought the docs changes in c196362
Resolve merge conflicts in changelog.yml, manifest.yml, and transform.yml files across ded, dga, hta, lmd, pad, and problemchild packages. Keeps branch version numbers and incorporates main's recent changelog entries.
kapral18 left a comment
DED and LMD changes look correct — job IDs, transforms, fields, dashboards, and docs are all internally consistent.
The PAD package has four issues:
- Functional bug: The Windows dashboard `searchSourceJSON` query lists 8 job IDs but omits `pad_windows_rare_region_name_by_user_ea`, so anomalies from that job are silently filtered from all Lens panels (only the swim lane shows them).
- Copy-paste error: The Windows dashboard swimlane `panelTitle` references Linux job names.
- Doc typo: The Anomaly Detection Jobs table lists `pad_okta_spike_in_group_application_assignment_change` but the actual job ID is `pad_okta_spike_in_group_application_assignment_changes_ea` (missing trailing `s` and `_ea` suffix).
- Doc error: `pad_linux_high_median_process_command_line_entropy_by_user_ea` is listed with "Okta Integration" as the supported platform — should be "Linux".
Everything else (transform field additions, ML module renames, changelog/manifest bumps) is clean across all three packages.
packages/pad/kibana/dashboard/pad-ea-4bc1d5ca-01b7-4adc-b7f8-53b0933eed09.json
This will be merged closer to the Kibana release, as integrations are independent of this schedule.
💚 Build Succeeded
Thank you Karen for the review!
Proposed commit message
Updates UEBA packages for Entity Analytics in the 9.4 release.
Checklist
- I have verified that all data streams collect metrics or logs.
- `changelog.yml` file.
How to test this PR locally
Test with ITP