[Security Solution] Data Quality dashboard #150063
Files owned by explore look good, thanks Andrew!
Files by Code Owner:
- elastic/kibana-operations
- elastic/security-solution
- elastic/security-threat-hunting-explore
…ty-team#4559)

![dashboards_page](https://user-images.githubusercontent.com/4459398/204692572-e6b664a4-157a-4ecf-8c09-ebdb077c92f0.png)
_Above: The Dashboards page has a new entry for the `Data Quality` dashboard_

![data_quality_dashboard](https://user-images.githubusercontent.com/4459398/204692377-8fc2dced-876e-4596-a7e9-efef97ee5e3c.png)
_Above: The data quality dashboard_

![all_mappings_compliant](https://user-images.githubusercontent.com/4459398/204692782-1449b0bf-971c-434f-a582-b35d306e1fbd.png)
_Above: Compliant mappings_

![summary_with_non_compliant_mappings](https://user-images.githubusercontent.com/4459398/204692874-57da78d8-e631-476a-bf48-bb27e2889bbe.png)
_Above: A summary with non-compliant mappings_

![case_created_from_a_summary](https://user-images.githubusercontent.com/4459398/204693034-bbf090c3-9914-40df-996c-c4896358956a.png)
_Above: A case created from a summary_

![ecs_meter](https://user-images.githubusercontent.com/4459398/204693225-e80b5bcd-b125-49d3-a184-84830674b3e9.gif)
_Above: ECS goal chart_

![allowed_values](https://user-images.githubusercontent.com/4459398/204693583-5ad5f1ac-7369-4a01-b683-ecab6463de09.png)
_Above: Allowed values from ECS metadata_

This commit introduces a new (prototype) plugin named `dataQuality` in `x-pack/plugins/data_quality`. This plugin hosts an API that currently (only) returns mappings from Elasticsearch.

## Check ECS compatibility with just one click

With just one click, the _Data Quality dashboard_ checks all the indices used by the Security Solution (or anything else) for compatibility with the [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html)

![checking_data_quality](https://user-images.githubusercontent.com/4459398/215989195-2f5e2126-9ece-4df6-9742-284c73442962.gif)

## Create cases from results

Create a single case containing all the results, or create cases for specific indices

![create_case_from_take_action](https://user-images.githubusercontent.com/4459398/215989342-4489cf68-69d1-4ac4-859c-d849c4778d68.gif)

## Interactive tabs put results in context

Expand any index to reveal interactive tabs

- Summary
- Incompatible fields
- Custom fields
- ECS compliant fields
- All fields

![tabs](https://user-images.githubusercontent.com/4459398/215989435-a363a9e5-8635-42d1-a0f7-5e0ddc6f9515.gif)

## Share comprehensive markdown reports

Share markdown reports containing the same content as the dashboard

![markdown_report](https://user-images.githubusercontent.com/4459398/215989555-72c53ed8-99f9-4be7-9181-6b9f365a8f6e.gif)

### On page load

When the Data Quality dashboard page loads, the alerts index, and any indices matching the selected `Data view`, are displayed

![page_load](https://user-images.githubusercontent.com/4459398/215989957-3b4d52f1-eaa4-4d42-9e40-d556602b006b.png)

Only `hot`, `warm`, or `unmanaged` indices are displayed by default

Indices are not checked automatically when the dashboard loads. Click either:

- `Check all` to check all the indices on the page
- The expand button to automatically check (just) one index, and instantly view results

### Check all

When the `Check all` button is clicked

- The `Check all` button changes to a `Cancel` button
- The `Last checked: n <time unit> ago` text is replaced with a progress bar indicating how many indices are left to check
- The `Checking <index name>` text will update as each index is checked. Text will wrap if necessary
- The results tables begin updating with results
- Pattern stats update to summarize each table
- Rolled up results for the entire page update after every index is checked

![running_before_errors](https://user-images.githubusercontent.com/4459398/215990059-43efd573-217f-47e8-8ed2-1b1de4766834.png)

<https://user-images.githubusercontent.com/4459398/216007795-2ebbc0c6-8c7a-49c7-a22c-b97d2a58dddd.mov>

When Check all is running, the Data Quality dashboard adds a three second delay after every check completes, before beginning the next check.

Check all will keep checking indexes until the user cancels, or all indexes have (attempted to be) checked.

While Check all is running, users may simultaneously click on any index to check it on demand. The results are instantly rolled up when this happens.

When all checks complete, the page looks like this:

![all_results_no_errors](https://user-images.githubusercontent.com/4459398/215990208-b28e1ad4-d8fd-453b-a037-1123c4352469.png)

### Take action

Click the `Take action` popover to share the entire page of results via one of the following actions:

- Add to new case
- Copy to clipboard

![take_action_popover](https://user-images.githubusercontent.com/4459398/215990971-fff06bf3-cac5-418f-83fc-556caa4b9413.png)

![create_case_from_take_action](https://user-images.githubusercontent.com/4459398/216012412-812f7b84-94a7-462a-8574-2e05afa35efd.gif)

![copy_toast](https://user-images.githubusercontent.com/4459398/215992498-c83b9191-8226-4ab1-8170-1bc953083f5c.png)

### Expanding results

The `Incompatible fields` tab is always displayed by default when a result is expanded

The `Incompatible fields` tab shows a success message when a successful result is expanded

![incompatible_fields_zero](https://user-images.githubusercontent.com/4459398/215991201-2ff7158e-1787-4221-b2de-d7e5ee49c412.png)

The `Incompatible fields` tab shows, side by side, expected ECS mapping types vs the actual mapping types when they are different

![mapping_differences](https://user-images.githubusercontent.com/4459398/215990436-82bb969e-fab7-4f2b-97f1-f21fd5bc3641.png)

The `Incompatible fields` tab also compares field values expected by ECS vs the actual values in an index, when they are different

![expect_vs_actual_value](https://user-images.githubusercontent.com/4459398/215990341-2c5ce75b-03cc-4b72-9431-282dfd032844.png)

The `Incompatible fields` tab displays a callout that explains the consequences of having incompatible fields. The content is based on the following illustration, created by @MikePaquette

<img width="1264" alt="ecs_meter" src="https://user-images.githubusercontent.com/4459398/216016124-6fe89ab4-c364-40ec-8a6f-99349e6d583c.png">

The callout has a call to action to create a case or copy a markdown report for just the expanded result

- Add to new case
- Copy to clipboard

![create_case_from_incompatable_fields_tab](https://user-images.githubusercontent.com/4459398/215990827-57506e26-06e3-4704-afb4-4bd8308b217a.png)

### Tabs

The Summary tab displays a call to action when incompatible fields are found

Click on any part of the Summary tab chart or legend to navigate to the corresponding tab

![summary_tab](https://user-images.githubusercontent.com/4459398/215990517-41e96cab-558a-4461-a34a-e149873841a4.png)

Clicking on the `Copy to clipboard` call to action in the Custom fields tab copies a markdown version of the table to the clipboard

![custom_fields_tab](https://user-images.githubusercontent.com/4459398/215990623-8c787d11-cf93-4321-a803-2133c81fcd1b.png)

The search feature of the ECS compliant fields tab may, for example, be used to verify a specific ECS compliant mapping exists

![ecs_complaint_fields_tab](https://user-images.githubusercontent.com/4459398/215990703-dc0b93b3-a3ed-447b-96c5-714d71f4177d.png)

The All fields tab displays the union of all other tabs

![all_fields_tab](https://user-images.githubusercontent.com/4459398/215990746-88eb8812-7a00-47f4-94fc-5105aad024c1.png)

### Data view selection

The `Data view` dropdown defaults to the `Security Default Data View`

![data_view_selection](https://user-images.githubusercontent.com/4459398/216020987-d710aa85-5ddc-4fa1-9a3f-c131e656da56.png)

The alerts index is always checked and included in the results, even when another Data View is selected

![alerts_index_always_included](https://user-images.githubusercontent.com/4459398/216022004-4a6adb46-5bc1-4619-ad46-7364d7565e3a.png)

### ILM phase options

![ilm_selection](https://user-images.githubusercontent.com/4459398/216023010-c3bb9e3e-9aec-487b-8757-e4736c06de7e.png)

Only `hot`, `warm`, or `unmanaged` indices may be selected for checking. The `cold` and `frozen` options are disabled.

When all options in the `ILM phase` box are cleared, an informative empty prompt is displayed

![ilm_empty_prompt](https://user-images.githubusercontent.com/4459398/216029584-659fafda-92fb-4607-b61e-87aa3f0b45e8.png)

### Errors

Errors may occur for some (or all) indices.

The `View errors` button appears when the first error occurs

![running_with_errors](https://user-images.githubusercontent.com/4459398/216024230-609ec815-e2e4-408f-b9a5-d12aad9f83c5.png)

Users may click the `View errors` button to view them, even while a check is in progress

![errors_popover](https://user-images.githubusercontent.com/4459398/216025346-d470b9cf-b4ec-491a-af14-52dea26ff8bb.png)

The Copy to clipboard button in the errors popover copies a markdown version of the errors table to the clipboard

When errors occur, the same content shown in the Errors popover is automatically included in the markdown report created by the `Take action` menu

### Markdown reports

The content of markdown reports (created by the Take action menu) includes most of the content from the Data Quality dashboard that created it

In the screenshot below, the Data Quality dashboard is on the left, and a markdown report (pasted into Github) is on the right

![side_by_side_compare_1](https://user-images.githubusercontent.com/4459398/216026602-7cf7aaaa-b461-44e0-a03e-6690e3d87d3c.png)

Stats rollups and tables are included in markdown reports

![side_by_side_2](https://user-images.githubusercontent.com/4459398/216026872-d5319279-e4b2-4ac0-b291-06dc61ba108c.png)

Markdown reports use the same "expected vs actual" format to display the details of incompatible field mappings

### Navigation

The Data Quality dashboard is grouped with the existing Security Solution dashboards

![dashboards_page](https://user-images.githubusercontent.com/4459398/216057432-0ae99d57-4857-4270-bd7d-07bc96e27cb0.png)

It may also be launched via the side navigation

![side_nav](https://user-images.githubusercontent.com/4459398/216057528-2370b82a-dc92-4ea6-8519-7e8abc61acd0.png)

# An actual markdown report (all content below)

The rest of the content below is pasted from an actual report, created via the `Take action` menu:

# Data quality

| Incompatible fields | Indices checked | Indices | Docs |
|---------------------|-----------------|---------|------|
| 17 | 15 | 17 | 1,404,514 |

## .alerts-security.alerts-default `hot(1)`

| Incompatible fields | Indices checked | Indices | Docs |
|---------------------|-----------------|---------|------|
| 1 | 1 | 1 | 1,837 |

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | .internal.alerts-security.alerts-default-000001 | 1,837 (100.0%) | 1 | `hot` |

### .internal.alerts-security.alerts-default-000001

The `.internal.alerts-security.alerts-default-000001` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | .internal.alerts-security.alerts-default-000001 | 1,837 (100.0%) | 1 | `hot` |

### **Incompatible fields** `1` **Custom fields** `188` **ECS compliant fields** `1219` **All fields** `1408`

#### 1 incompatible field

Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0.

❌ Detection engine rules referencing these fields may not match them correctly
❌ Pages may not display some events or fields due to unexpected field mappings or values
❌ Mappings or field values that don't comply with ECS are not supported

#### Incompatible field values - .internal.alerts-security.alerts-default-000001

| Field | ECS values (expected) | Document values (actual) |
|-------|-----------------------|--------------------------|
| event.category | `authentication`, `configuration`, `database`, `driver`, `email`, `file`, `host`, `iam`, `intrusion_detection`, `malware`, `network`, `package`, `process`, `registry`, `session`, `threat`, `vulnerability`, `web` | `behavior` (62) |

## auditbeat-* `hot(11)` `unmanaged(1)`

| Incompatible fields | Indices checked | Indices | Docs |
|---------------------|-----------------|---------|------|
| 13 | 10 | 12 | 29,182 |

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.6.0-2023.01.17-000001 | 14,409 (49.4%) | 0 | `hot` |
| -- | .ds-auditbeat-8.5.3-2023.01.24-000001 | 2,857 (9.8%) | -- | `hot` |
| ✅ | .ds-auditbeat-8.2.3-2023.01.24-000001 | 2,246 (7.7%) | 0 | `hot` |
| ✅ | .ds-auditbeat-8.4.1-2023.01.24-000001 | 2,179 (7.5%) | 0 | `hot` |
| -- | .ds-auditbeat-8.3.3-2023.01.24-000001 | 1,921 (6.6%) | -- | `hot` |
| ✅ | auditbeat-7.16.0-2023.01.17-000001 | 1,880 (6.4%) | 0 | `hot` |
| ✅ | .ds-auditbeat-8.1.1-2023.01.24-000001 | 1,676 (5.7%) | 0 | `hot` |
| ✅ | .ds-auditbeat-8.2.2-2023.01.24-000001 | 1,578 (5.4%) | 0 | `hot` |
| ✅ | .ds-auditbeat-8.0.0-2023.01.24-000001 | 251 (0.9%) | 0 | `hot` |
| ❌ | auditbeat-7.10.2-2023.01.24-000001 | 111 (0.4%) | 12 | `hot` |
| ✅ | .ds-auditbeat-8.5.0-2023.01.24-000001 | 74 (0.3%) | 0 | `hot` |
| ❌ | auditbeat-custom-empty-index-1 | 0 (0.0%) | 1 | `unmanaged` |

### .ds-auditbeat-8.6.0-2023.01.17-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.6.0-2023.01.17-000001 | 14,409 (49.4%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `549` **ECS compliant fields** `1210` **All fields** `1759`

### .ds-auditbeat-8.2.3-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.2.3-2023.01.24-000001 | 2,246 (7.7%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `510` **ECS compliant fields** `1210` **All fields** `1720`

### .ds-auditbeat-8.4.1-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.4.1-2023.01.24-000001 | 2,179 (7.5%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `509` **ECS compliant fields** `1210` **All fields** `1719`

### auditbeat-7.16.0-2023.01.17-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | auditbeat-7.16.0-2023.01.17-000001 | 1,880 (6.4%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `523` **ECS compliant fields** `1111` **All fields** `1634`

### .ds-auditbeat-8.1.1-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.1.1-2023.01.24-000001 | 1,676 (5.7%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `510` **ECS compliant fields** `1204` **All fields** `1714`

### .ds-auditbeat-8.2.2-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.2.2-2023.01.24-000001 | 1,578 (5.4%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `510` **ECS compliant fields** `1210` **All fields** `1720`

### .ds-auditbeat-8.0.0-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.0.0-2023.01.24-000001 | 251 (0.9%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `510` **ECS compliant fields** `1204` **All fields** `1714`

### auditbeat-7.10.2-2023.01.24-000001

The `auditbeat-7.10.2-2023.01.24-000001` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | auditbeat-7.10.2-2023.01.24-000001 | 111 (0.4%) | 12 | `hot` |

### **Incompatible fields** `12` **Custom fields** `467` **ECS compliant fields** `602` **All fields** `1081`

#### 12 incompatible fields

Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0.

❌ Detection engine rules referencing these fields may not match them correctly
❌ Pages may not display some events or fields due to unexpected field mappings or values
❌ Mappings or field values that don't comply with ECS are not supported

#### Incompatible field mappings - auditbeat-7.10.2-2023.01.24-000001

| Field | ECS mapping type (expected) | Index mapping type (actual) |
|-------|-----------------------------|-----------------------------|
| error.message | `match_only_text` | `text` |
| error.stack_trace | `wildcard` | `keyword` |
| http.request.body.content | `wildcard` | `keyword` |
| http.response.body.content | `wildcard` | `keyword` |
| message | `match_only_text` | `text` |
| process.command_line | `wildcard` | `keyword` |
| process.parent.command_line | `wildcard` | `keyword` |
| registry.data.strings | `wildcard` | `keyword` |
| url.full | `wildcard` | `keyword` |
| url.original | `wildcard` | `keyword` |
| url.path | `wildcard` | `keyword` |

#### Incompatible field values - auditbeat-7.10.2-2023.01.24-000001

| Field | ECS values (expected) | Document values (actual) |
|-------|-----------------------|--------------------------|
| event.kind | `alert`, `enrichment`, `event`, `metric`, `state`, `pipeline_error`, `signal` | `error` (1) |

### .ds-auditbeat-8.5.0-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.5.0-2023.01.24-000001 | 74 (0.3%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `509` **ECS compliant fields** `1210` **All fields** `1719`

### auditbeat-custom-empty-index-1

The `auditbeat-custom-empty-index-1` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | auditbeat-custom-empty-index-1 | 0 (0.0%) | 1 | `unmanaged` |

### **Incompatible fields** `1` **Custom fields** `0` **ECS compliant fields** `0` **All fields** `0`

#### 1 incompatible field

Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0.

❌ Detection engine rules referencing these fields may not match them correctly
❌ Pages may not display some events or fields due to unexpected field mappings or values
❌ Mappings or field values that don't comply with ECS are not supported

#### Incompatible field mappings - auditbeat-custom-empty-index-1

| Field | ECS mapping type (expected) | Index mapping type (actual) |
|-------|-----------------------------|-----------------------------|
| @timestamp | `date` | `-` |

## logs-* `hot(2)`

| Incompatible fields | Indices checked | Indices | Docs |
|---------------------|-----------------|---------|------|
| 3 | 2 | 2 | 602 |

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | .ds-logs-endpoint.alerts-default-2023.01.17-000001 | 342 (56.8%) | 2 | `hot` |
| ❌ | .ds-logs-endpoint.events.process-default-2023.01.17-000001 | 260 (43.2%) | 1 | `hot` |

### .ds-logs-endpoint.alerts-default-2023.01.17-000001

The `.ds-logs-endpoint.alerts-default-2023.01.17-000001` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | .ds-logs-endpoint.alerts-default-2023.01.17-000001 | 342 (56.8%) | 2 | `hot` |

### **Incompatible fields** `2` **Custom fields** `857` **ECS compliant fields** `675` **All fields** `1534`

#### 2 incompatible fields

Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0.

❌ Detection engine rules referencing these fields may not match them correctly
❌ Pages may not display some events or fields due to unexpected field mappings or values
❌ Mappings or field values that don't comply with ECS are not supported

#### Incompatible field mappings - .ds-logs-endpoint.alerts-default-2023.01.17-000001

| Field | ECS mapping type (expected) | Index mapping type (actual) |
|-------|-----------------------------|-----------------------------|
| process.env_vars | `keyword` | `object` |

#### Incompatible field values - .ds-logs-endpoint.alerts-default-2023.01.17-000001

| Field | ECS values (expected) | Document values (actual) |
|-------|-----------------------|--------------------------|
| event.category | `authentication`, `configuration`, `database`, `driver`, `email`, `file`, `host`, `iam`, `intrusion_detection`, `malware`, `network`, `package`, `process`, `registry`, `session`, `threat`, `vulnerability`, `web` | `behavior` (45) |

### .ds-logs-endpoint.events.process-default-2023.01.17-000001

The `.ds-logs-endpoint.events.process-default-2023.01.17-000001` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | .ds-logs-endpoint.events.process-default-2023.01.17-000001 | 260 (43.2%) | 1 | `hot` |

### **Incompatible fields** `1` **Custom fields** `130` **ECS compliant fields** `304` **All fields** `435`

#### 1 incompatible field

Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0.

❌ Detection engine rules referencing these fields may not match them correctly
❌ Pages may not display some events or fields due to unexpected field mappings or values
❌ Mappings or field values that don't comply with ECS are not supported

#### Incompatible field mappings - .ds-logs-endpoint.events.process-default-2023.01.17-000001

| Field | ECS mapping type (expected) | Index mapping type (actual) |
|-------|-----------------------------|-----------------------------|
| process.env_vars | `keyword` | `object` |

## packetbeat-* `hot(2)`

| Incompatible fields | Indices checked | Indices | Docs |
|---------------------|-----------------|---------|------|
| 0 | 2 | 2 | 1,372,893 |

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-packetbeat-8.6.0-2023.01.17-000001 | 704,062 (51.3%) | 0 | `hot` |
| ✅ | .ds-packetbeat-8.4.1-2023.01.24-000001 | 668,831 (48.7%) | 0 | `hot` |

### .ds-packetbeat-8.6.0-2023.01.17-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-packetbeat-8.6.0-2023.01.17-000001 | 704,062 (51.3%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `604` **ECS compliant fields** `1209` **All fields** `1813`

### .ds-packetbeat-8.4.1-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-packetbeat-8.4.1-2023.01.24-000001 | 668,831 (48.7%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `604` **ECS compliant fields** `1209` **All fields** `1813`

## Errors

Some indices were not checked for Data Quality

Errors may occur when pattern or index metadata is temporarily unavailable, or because you don't have permission to access them.

| Pattern | Index | Error |
|---------|-------|-------|
| auditbeat-* | .ds-auditbeat-8.3.3-2023.01.24-000001 | `Error: simulated fetchUnallowedValues failure` |
| auditbeat-* | .ds-auditbeat-8.5.3-2023.01.24-000001 | `Error: simulated mappings fetch failure` |

See also: elastic/security-team#4559
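The check described above (expected ECS mapping type vs actual index mapping type, expected ECS values vs actual document values, with the per-index "Incompatible / Custom / ECS compliant / All fields" counts and the "expected vs actual" markdown tables) can be reduced to a small function. The following is an added example, not code from this PR or from Kibana: `ECS_SUBSET` is a constructed subset of ECS 8.6.0, the `MappingNode` shape follows the `properties` tree returned by the Elasticsearch get-mapping API, `checkIndex`, `summarize`, `toMarkdown`, `SAMPLE_MAPPING` and `SAMPLE_VALUES` are all assumed names, and the sample index, its mapping and its value counts are constructed. It generalizes the empty-index case in the report (`@timestamp` expected `date`, actual `-`) to any index whose mapping lacks `@timestamp`, which is why an index with no mappings at all still reports one incompatible field and zero fields overall, as in the report.

```typescript
// Added example (not the PR's code): a minimal ECS compatibility check for one index
// plus the "expected vs actual" markdown the dashboard reports. All names are assumed.

interface EcsFieldMeta {
  type: string;              // mapping type ECS expects for this field
  allowed_values?: string[]; // values ECS constrains the field to, if any
}

// Constructed subset of ECS 8.6.0 (expected types and allowed values).
const ECS_SUBSET: Record<string, EcsFieldMeta> = {
  '@timestamp': { type: 'date' },
  'event.category': { type: 'keyword', allowed_values: ['authentication', 'configuration', 'database',
    'driver', 'email', 'file', 'host', 'iam', 'intrusion_detection', 'malware', 'network', 'package',
    'process', 'registry', 'session', 'threat', 'vulnerability', 'web'] },
  'event.kind': { type: 'keyword', allowed_values: ['alert', 'enrichment', 'event', 'metric', 'state',
    'pipeline_error', 'signal'] },
  message: { type: 'match_only_text' },
  'process.command_line': { type: 'wildcard' },
  'process.env_vars': { type: 'keyword' },
  'url.full': { type: 'wildcard' },
};

// Shape of the `properties` tree returned by the Elasticsearch get-mapping API.
interface MappingNode { type?: string; properties?: Record<string, MappingNode> }
type ValueCounts = Record<string, Record<string, number>>; // field -> value -> doc count

interface IndexResult {
  index: string;
  incompatibleMappings: { field: string; expected: string; actual: string }[];
  incompatibleValues: { field: string; expected: string[]; actual: Record<string, number> }[];
  custom: string[];       // mapped in the index but unknown to ECS
  ecsCompliant: string[]; // mapped with the ECS type and carrying only allowed values
  all: string[];          // every field counted above (object containers excluded)
}

// Flatten the nested mapping tree into "dotted.path" -> mapping type. Object nodes are
// recorded as `object`, so an ECS leaf mapped as an object (process.env_vars) shows a mismatch.
export function flattenMapping(props: Record<string, MappingNode> | undefined, prefix = ''): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [name, node] of Object.entries(props ?? {})) {
    const path = prefix ? `${prefix}.${name}` : name;
    out[path] = node.type ?? 'object';
    if (node.properties) Object.assign(out, flattenMapping(node.properties, path));
  }
  return out;
}

export function checkIndex(index: string, props: Record<string, MappingNode> | undefined,
                           values: ValueCounts, ecs: Record<string, EcsFieldMeta> = ECS_SUBSET): IndexResult {
  const flat = flattenMapping(props);
  const r: IndexResult = { index, incompatibleMappings: [], incompatibleValues: [], custom: [], ecsCompliant: [], all: [] };
  // @timestamp is mandatory: an index without it (including one with no mappings at all)
  // is reported as one incompatible field rather than as "nothing to show".
  if (!('@timestamp' in flat)) r.incompatibleMappings.push({ field: '@timestamp', expected: 'date', actual: '-' });
  for (const [field, actual] of Object.entries(flat)) {
    const expected = ecs[field];
    if (expected === undefined) {
      if (actual !== 'object') { r.custom.push(field); r.all.push(field); } // containers are not fields
      continue;
    }
    r.all.push(field);
    if (expected.type !== actual) { r.incompatibleMappings.push({ field, expected: expected.type, actual }); continue; }
    const disallowed: Record<string, number> = {};
    for (const [v, n] of Object.entries(values[field] ?? {})) {
      if (expected.allowed_values && !expected.allowed_values.includes(v)) disallowed[v] = n;
    }
    if (Object.keys(disallowed).length > 0) {
      r.incompatibleValues.push({ field, expected: expected.allowed_values ?? [], actual: disallowed });
    } else {
      r.ecsCompliant.push(field);
    }
  }
  return r;
}

// The counts shown on the report's "Incompatible fields / Custom fields / ECS compliant fields / All fields" line.
export function summarize(r: IndexResult) {
  return { incompatible: r.incompatibleMappings.length + r.incompatibleValues.length,
           custom: r.custom.length, ecsCompliant: r.ecsCompliant.length, all: r.all.length };
}

// Render the same "expected vs actual" tables the dashboard puts in its markdown report.
export function toMarkdown(r: IndexResult): string {
  const s = summarize(r);
  const lines = [`### ${r.index}`,
    `### **Incompatible fields** \`${s.incompatible}\` **Custom fields** \`${s.custom}\` **ECS compliant fields** \`${s.ecsCompliant}\` **All fields** \`${s.all}\``];
  if (r.incompatibleMappings.length > 0) {
    lines.push(`#### Incompatible field mappings - ${r.index}`,
      '| Field | ECS mapping type (expected) | Index mapping type (actual) |',
      '|-------|-----------------------------|-----------------------------|',
      ...r.incompatibleMappings.map((m) => `| ${m.field} | \`${m.expected}\` | \`${m.actual}\` |`));
  }
  if (r.incompatibleValues.length > 0) {
    lines.push(`#### Incompatible field values - ${r.index}`,
      '| Field | ECS values (expected) | Document values (actual) |',
      '|-------|-----------------------|--------------------------|',
      ...r.incompatibleValues.map((v) => `| ${v.field} | ${v.expected.map((x) => `\`${x}\``).join(', ')} | ${
        Object.entries(v.actual).map(([x, n]) => `\`${x}\` (${n})`).join(', ')} |`));
  }
  return lines.join('\n');
}

// Constructed sample index: compliant, mistyped, custom and disallowed-value fields side by side.
export const SAMPLE_MAPPING: Record<string, MappingNode> = {
  '@timestamp': { type: 'date' },
  event: { properties: { category: { type: 'keyword' }, kind: { type: 'keyword' } } },
  message: { type: 'text' },                                                   // ECS expects match_only_text
  process: { properties: { command_line: { type: 'keyword' },                  // ECS expects wildcard
                           env_vars: { properties: { PATH: { type: 'keyword' } } } } }, // ECS expects keyword
  url: { properties: { full: { type: 'wildcard' } } },
  host: { properties: { custom_tag: { type: 'keyword' } } },                   // not an ECS field
};
export const SAMPLE_VALUES: ValueCounts = {
  'event.category': { process: 41 },
  'event.kind': { event: 40, error: 1 }, // `error` is not an allowed event.kind value
};

console.log(toMarkdown(checkIndex('sample-index-000001', SAMPLE_MAPPING, SAMPLE_VALUES)));
```

For the constructed sample this yields 4 incompatible fields (three mapping mismatches plus one disallowed `event.kind` value), 2 custom fields, 3 ECS compliant fields and 9 fields in all; `checkIndex('empty-index', undefined, {})` yields the report's empty-index shape: 1 incompatible (`@timestamp`, `date` vs `-`) and 0 fields overall.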
…es stat count is undefined
- moves the buildResponse export out of packages/kbn-securitysolution-es-utils back into ecs_data_quality_dashboard
```tsx
columns={columns}
items={enrichedFieldMetadata}
search={search}
sorting={true}
```
feel free to ignore, just don't need the ={true}
```tsx
<CodeDanger>{fieldName}</CodeDanger>{' '}
<span>
  {'('}
  {count}
```
nit: `(${count})`
```ts
export const ERROR_LOADING_METADATA_TITLE = (pattern: string) =>
  i18n.translate('ecsDataQualityDashboard.emptyErrorPrompt.errorLoadingMetadataTitle', {
    values: { pattern },
    defaultMessage: "Indices matching the {pattern} pattern won't checked",
```
won't be checked
```ts
if (mappingsProperties == null) {
  return {
    ...EMPTY_METADATA,
    incompatible: [getMissingTimestampFieldMetadata()],
```
maybe a silly question, but why do we default to showing timestamp as incompatible rather than not showing anything at all?
```ts
const requestItems = useMemo(
  () =>
    getUnallowedValueRequestItems({
      ecsMetadata: EcsFlat as unknown as Record<string, EcsMetadata>,
```
Would it be worth it adding `typeof EcsFlat` to the union type for the ecsMetadata field to all of these functions to avoid this casting?
💚 Build Succeeded
Metrics [docs]Module Count
Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
ESLint disabled line counts
miscellaneous assets size
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: |
# [Security Solution] Data Quality dashboard

## Check ECS compatibility with just one click

With just one click, the _Data Quality dashboard_ checks all the indices used by the Security Solution (or anything else) for compatibility with the [Elastic Common Schema (ECS)](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html)

![checking_data_quality](https://user-images.githubusercontent.com/4459398/215989195-2f5e2126-9ece-4df6-9742-284c73442962.gif)

## Create cases from results

Create a single case containing all the results, or create cases for specific indices

![create_case_from_take_action](https://user-images.githubusercontent.com/4459398/215989342-4489cf68-69d1-4ac4-859c-d849c4778d68.gif)

## Interactive tabs put results in context

Expand any index to reveal interactive tabs

- Summary
- Incompatible fields
- Custom fields
- ECS compliant fields
- All fields

![tabs](https://user-images.githubusercontent.com/4459398/215989435-a363a9e5-8635-42d1-a0f7-5e0ddc6f9515.gif)

## Share comprehensive markdown reports

Share markdown reports containing the same content as the dashboard

![markdown_report](https://user-images.githubusercontent.com/4459398/215989555-72c53ed8-99f9-4be7-9181-6b9f365a8f6e.gif)

### On page load

When the Data Quality dashboard page loads, the alerts index, and any indices matching the selected `Data view`, are displayed

![page_load](https://user-images.githubusercontent.com/4459398/215989957-3b4d52f1-eaa4-4d42-9e40-d556602b006b.png)

Only `hot`, `warm`, or `unmanaged` indices are displayed by default

Indices are not checked automatically when the dashboard loads

Click either:

- `Check all` to check all the indices on the page
- The expand button to automatically check (just) one index, and instantly view results

### Check all

When the `Check all` button is clicked

- The `Check all` button changes to a `Cancel` button
- The `Last checked: n <time unit> ago` text is replaced with a progress bar indicating how many indices are left to check
- The `Checking <index name>` text will update as each index is checked. Text will wrap if necessary
- The results tables begin updating with results
- Pattern stats update to summarize each table
- Rolled up results for the entire page update after every index is checked

![running_before_errors](https://user-images.githubusercontent.com/4459398/215990059-43efd573-217f-47e8-8ed2-1b1de4766834.png)

<https://user-images.githubusercontent.com/4459398/216007795-2ebbc0c6-8c7a-49c7-a22c-b97d2a58dddd.mov>

When Check all is running, the Data Quality dashboard adds a three second delay after every check completes, before beginning the next check. Check all will keep checking indexes until the user cancels, or all indexes have (attempted to be) checked.

While Check all is running, users may simultaneously click on any index to check it on demand. The results are instantly rolled up when this happens.

When all checks complete, the page looks like this:

![all_results_no_errors](https://user-images.githubusercontent.com/4459398/215990208-b28e1ad4-d8fd-453b-a037-1123c4352469.png)

### Take action

Click the `Take action` popover to share the entire page of results via one of the following actions:

- Add to new case
- Copy to clipboard

![take_action_popover](https://user-images.githubusercontent.com/4459398/215990971-fff06bf3-cac5-418f-83fc-556caa4b9413.png)

![create_case_from_take_action](https://user-images.githubusercontent.com/4459398/216012412-812f7b84-94a7-462a-8574-2e05afa35efd.gif)

![copy_toast](https://user-images.githubusercontent.com/4459398/215992498-c83b9191-8226-4ab1-8170-1bc953083f5c.png)

### Expanding results

The `Incompatible fields` tab is always displayed by default when a result is expanded

The `Incompatible fields` tab shows a success message when a successful result is expanded

![incompatible_fields_zero](https://user-images.githubusercontent.com/4459398/215991201-2ff7158e-1787-4221-b2de-d7e5ee49c412.png)

The `Incompatible fields` tab shows, side by side, expected ECS mapping types vs the actual mapping types when they are different

![mapping_differences](https://user-images.githubusercontent.com/4459398/215990436-82bb969e-fab7-4f2b-97f1-f21fd5bc3641.png)

The `Incompatible fields` tab also compares field values expected by ECS vs the actual values in an index, when they are different

![expect_vs_actual_value](https://user-images.githubusercontent.com/4459398/215990341-2c5ce75b-03cc-4b72-9431-282dfd032844.png)

The `Incompatible fields` tab displays a callout that explains the consequences of having incompatible fields. The content is based on the following illustration, created by @MikePaquette

<img width="1264" alt="ecs_meter" src="https://user-images.githubusercontent.com/4459398/216016124-6fe89ab4-c364-40ec-8a6f-99349e6d583c.png">

The callout has a call to action to create a case or copy a markdown report for just the expanded result

- Add to new case
- Copy to clipboard

![create_case_from_incompatable_fields_tab](https://user-images.githubusercontent.com/4459398/215990827-57506e26-06e3-4704-afb4-4bd8308b217a.png)

### Tabs

The Summary tab displays a call to action when incompatible fields are found

Click on any part of the Summary tab chart or legend to navigate to the corresponding tab

![summary_tab](https://user-images.githubusercontent.com/4459398/215990517-41e96cab-558a-4461-a34a-e149873841a4.png)

Clicking on the `Copy to clipboard` call to action in the Custom fields tab copies a markdown version of the table to the clipboard

![custom_fields_tab](https://user-images.githubusercontent.com/4459398/215990623-8c787d11-cf93-4321-a803-2133c81fcd1b.png)

The search feature of the ECS compliant fields tab may, for example, be used to verify a specific ECS compliant mapping exists

![ecs_complaint_fields_tab](https://user-images.githubusercontent.com/4459398/215990703-dc0b93b3-a3ed-447b-96c5-714d71f4177d.png)

The All fields tab displays the union of all other tabs
![all_fields_tab](https://user-images.githubusercontent.com/4459398/215990746-88eb8812-7a00-47f4-94fc-5105aad024c1.png)

### Data view selection

The `Data view` dropdown defaults to the `Security Default Data View`

![data_view_selection](https://user-images.githubusercontent.com/4459398/216020987-d710aa85-5ddc-4fa1-9a3f-c131e656da56.png)

The alerts index is always checked and included in the results, even when another Data View is selected

![alerts_index_always_included](https://user-images.githubusercontent.com/4459398/216022004-4a6adb46-5bc1-4619-ad46-7364d7565e3a.png)

### ILM phase options

![ilm_selection](https://user-images.githubusercontent.com/4459398/216023010-c3bb9e3e-9aec-487b-8757-e4736c06de7e.png)

Only `hot`, `warm`, or `unmanaged` indices may be selected for checking. The `cold` and `frozen` options are disabled.

When all options in the `ILM phase` box are cleared, an informative empty prompt is displayed

![ilm_empty_prompt](https://user-images.githubusercontent.com/4459398/216029584-659fafda-92fb-4607-b61e-87aa3f0b45e8.png)

### Errors

Errors may occur for some (or all) indices.

The `View errors` button appears when the first error occurs

![running_with_errors](https://user-images.githubusercontent.com/4459398/216024230-609ec815-e2e4-408f-b9a5-d12aad9f83c5.png)

Users may click the `View errors` button to view them, even while a check is in progress

![error_popover](https://user-images.githubusercontent.com/4459398/216755446-210996d8-605b-4d6b-8c90-cf94dc83a76b.png)

The Copy to clipboard button in the errors popover copies a markdown version of the errors table to the clipboard

When errors occur, the same content shown in the Errors popover is automatically included in the markdown report created by the `Take action` menu

### Markdown reports

The content of markdown reports (created by the Take action menu) includes most of the content from the Data Quality dashboard that created it

In the screenshot below, the Data Quality dashboard is on the left, and a markdown report (pasted into GitHub) is on the right

![side_by_side_compare_1](https://user-images.githubusercontent.com/4459398/216026602-7cf7aaaa-b461-44e0-a03e-6690e3d87d3c.png)

Stats rollups and tables are included in markdown reports

![side_by_side_2](https://user-images.githubusercontent.com/4459398/216026872-d5319279-e4b2-4ac0-b291-06dc61ba108c.png)

Markdown reports use the same "expected vs actual" format to display the details of incompatible field mappings

### Navigation

The Data Quality dashboard is grouped with the existing Security Solution dashboards

![dashboards_page](https://user-images.githubusercontent.com/4459398/216057432-0ae99d57-4857-4270-bd7d-07bc96e27cb0.png)

It may also be launched via the side navigation

![side_nav](https://user-images.githubusercontent.com/4459398/216057528-2370b82a-dc92-4ea6-8519-7e8abc61acd0.png)

## Privileges

The privileges in the table below are required to check any pattern of indices, or any specific index:

| Privilege | Required to | Required for API |
|-----------|-------------|------------------|
| `monitor` or `manage` (`manage` builds on `monitor`) | List indices that match a pattern, and get document counts for an index (example: `GET logs-*/_stats`) | `_stats` |
| `view_index_metadata` or `manage_ilm` | List index ILM configs (e.g. hot) that match a pattern (example: `GET logs-*/_ilm/explain`) | `_ilm/explain` |
| `view_index_metadata` or `manage` | Get index mappings for a specific index (example: `GET .ds-logs-endpoint.events.process-default-2023.01.17-000001/_mapping`) | `_mapping` |
| `read` or `read_cross_cluster` | Run aggregations to test for unallowed values (example: `GET .ds-logs-endpoint.events.process-default-2023.01.17-000001/_search`) | `_search` |

Users may have some of the privileges required to check an index, but not all of them. The built-in `viewer` role does not have the `monitor` (or `manage`) privilege.
The following screenshot illustrates what a user will see if they log in as a user with the `viewer` role:

![login_with_viewer_role](https://user-images.githubusercontent.com/4459398/216755590-b6c01a7b-73b1-4680-8db1-b9d1c0035f06.png)

# An actual markdown report (all content below)

The rest of the content below is pasted from an actual report, created via the `Take action` menu:

# Data quality

| Incompatible fields | Indices checked | Indices | Docs |
|---------------------|-----------------|---------|------|
| 17 | 15 | 17 | 1,404,514 |

## .alerts-security.alerts-default `hot(1)`

| Incompatible fields | Indices checked | Indices | Docs |
|---------------------|-----------------|---------|------|
| 1 | 1 | 1 | 1,837 |

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | .internal.alerts-security.alerts-default-000001 | 1,837 (100.0%) | 1 | `hot` |

### .internal.alerts-security.alerts-default-000001

The `.internal.alerts-security.alerts-default-000001` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | .internal.alerts-security.alerts-default-000001 | 1,837 (100.0%) | 1 | `hot` |

### **Incompatible fields** `1` **Custom fields** `188` **ECS compliant fields** `1219` **All fields** `1408`

#### 1 incompatible field

Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0.

❌ Detection engine rules referencing these fields may not match them correctly
❌ Pages may not display some events or fields due to unexpected field mappings or values
❌ Mappings or field values that don't comply with ECS are not supported

#### Incompatible field values - .internal.alerts-security.alerts-default-000001

| Field | ECS values (expected) | Document values (actual) |
|-------|-----------------------|--------------------------|
| event.category | `authentication`, `configuration`, `database`, `driver`, `email`, `file`, `host`, `iam`, `intrusion_detection`, `malware`, `network`, `package`, `process`, `registry`, `session`, `threat`, `vulnerability`, `web` | `behavior` (62) |

## auditbeat-* `hot(11)` `unmanaged(1)`

| Incompatible fields | Indices checked | Indices | Docs |
|---------------------|-----------------|---------|------|
| 13 | 10 | 12 | 29,182 |

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.6.0-2023.01.17-000001 | 14,409 (49.4%) | 0 | `hot` |
| -- | .ds-auditbeat-8.5.3-2023.01.24-000001 | 2,857 (9.8%) | -- | `hot` |
| ✅ | .ds-auditbeat-8.2.3-2023.01.24-000001 | 2,246 (7.7%) | 0 | `hot` |
| ✅ | .ds-auditbeat-8.4.1-2023.01.24-000001 | 2,179 (7.5%) | 0 | `hot` |
| -- | .ds-auditbeat-8.3.3-2023.01.24-000001 | 1,921 (6.6%) | -- | `hot` |
| ✅ | auditbeat-7.16.0-2023.01.17-000001 | 1,880 (6.4%) | 0 | `hot` |
| ✅ | .ds-auditbeat-8.1.1-2023.01.24-000001 | 1,676 (5.7%) | 0 | `hot` |
| ✅ | .ds-auditbeat-8.2.2-2023.01.24-000001 | 1,578 (5.4%) | 0 | `hot` |
| ✅ | .ds-auditbeat-8.0.0-2023.01.24-000001 | 251 (0.9%) | 0 | `hot` |
| ❌ | auditbeat-7.10.2-2023.01.24-000001 | 111 (0.4%) | 12 | `hot` |
| ✅ | .ds-auditbeat-8.5.0-2023.01.24-000001 | 74 (0.3%) | 0 | `hot` |
| ❌ | auditbeat-custom-empty-index-1 | 0 (0.0%) | 1 | `unmanaged` |

### .ds-auditbeat-8.6.0-2023.01.17-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.6.0-2023.01.17-000001 | 14,409 (49.4%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `549` **ECS compliant fields** `1210` **All fields** `1759`

### .ds-auditbeat-8.2.3-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.2.3-2023.01.24-000001 | 2,246 (7.7%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `510` **ECS compliant fields** `1210` **All fields** `1720`

### .ds-auditbeat-8.4.1-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.4.1-2023.01.24-000001 | 2,179 (7.5%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `509` **ECS compliant fields** `1210` **All fields** `1719`

### auditbeat-7.16.0-2023.01.17-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | auditbeat-7.16.0-2023.01.17-000001 | 1,880 (6.4%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `523` **ECS compliant fields** `1111` **All fields** `1634`

### .ds-auditbeat-8.1.1-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.1.1-2023.01.24-000001 | 1,676 (5.7%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `510` **ECS compliant fields** `1204` **All fields** `1714`

### .ds-auditbeat-8.2.2-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.2.2-2023.01.24-000001 | 1,578 (5.4%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `510` **ECS compliant fields** `1210` **All fields** `1720`

### .ds-auditbeat-8.0.0-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.0.0-2023.01.24-000001 | 251 (0.9%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `510` **ECS compliant fields** `1204` **All fields** `1714`

### auditbeat-7.10.2-2023.01.24-000001

The `auditbeat-7.10.2-2023.01.24-000001` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | auditbeat-7.10.2-2023.01.24-000001 | 111 (0.4%) | 12 | `hot` |

### **Incompatible fields** `12` **Custom fields** `467` **ECS compliant fields** `602` **All fields** `1081`

#### 12 incompatible fields

Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0.
❌ Detection engine rules referencing these fields may not match them correctly
❌ Pages may not display some events or fields due to unexpected field mappings or values
❌ Mappings or field values that don't comply with ECS are not supported

#### Incompatible field mappings - auditbeat-7.10.2-2023.01.24-000001

| Field | ECS mapping type (expected) | Index mapping type (actual) |
|-------|-----------------------------|-----------------------------|
| error.message | `match_only_text` | `text` |
| error.stack_trace | `wildcard` | `keyword` |
| http.request.body.content | `wildcard` | `keyword` |
| http.response.body.content | `wildcard` | `keyword` |
| message | `match_only_text` | `text` |
| process.command_line | `wildcard` | `keyword` |
| process.parent.command_line | `wildcard` | `keyword` |
| registry.data.strings | `wildcard` | `keyword` |
| url.full | `wildcard` | `keyword` |
| url.original | `wildcard` | `keyword` |
| url.path | `wildcard` | `keyword` |

#### Incompatible field values - auditbeat-7.10.2-2023.01.24-000001

| Field | ECS values (expected) | Document values (actual) |
|-------|-----------------------|--------------------------|
| event.kind | `alert`, `enrichment`, `event`, `metric`, `state`, `pipeline_error`, `signal` | `error` (1) |

### .ds-auditbeat-8.5.0-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-auditbeat-8.5.0-2023.01.24-000001 | 74 (0.3%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `509` **ECS compliant fields** `1210` **All fields** `1719`

### auditbeat-custom-empty-index-1

The `auditbeat-custom-empty-index-1` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | auditbeat-custom-empty-index-1 | 0 (0.0%) | 1 | `unmanaged` |

### **Incompatible fields** `1` **Custom fields** `0` **ECS compliant fields** `0` **All fields** `0`

#### 1 incompatible field

Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0.

❌ Detection engine rules referencing these fields may not match them correctly
❌ Pages may not display some events or fields due to unexpected field mappings or values
❌ Mappings or field values that don't comply with ECS are not supported

#### Incompatible field mappings - auditbeat-custom-empty-index-1

| Field | ECS mapping type (expected) | Index mapping type (actual) |
|-------|-----------------------------|-----------------------------|
| @timestamp | `date` | `-` |

## logs-* `hot(2)`

| Incompatible fields | Indices checked | Indices | Docs |
|---------------------|-----------------|---------|------|
| 3 | 2 | 2 | 602 |

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | .ds-logs-endpoint.alerts-default-2023.01.17-000001 | 342 (56.8%) | 2 | `hot` |
| ❌ | .ds-logs-endpoint.events.process-default-2023.01.17-000001 | 260 (43.2%) | 1 | `hot` |

### .ds-logs-endpoint.alerts-default-2023.01.17-000001

The `.ds-logs-endpoint.alerts-default-2023.01.17-000001` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).
| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | .ds-logs-endpoint.alerts-default-2023.01.17-000001 | 342 (56.8%) | 2 | `hot` |

### **Incompatible fields** `2` **Custom fields** `857` **ECS compliant fields** `675` **All fields** `1534`

#### 2 incompatible fields

Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0.

❌ Detection engine rules referencing these fields may not match them correctly
❌ Pages may not display some events or fields due to unexpected field mappings or values
❌ Mappings or field values that don't comply with ECS are not supported

#### Incompatible field mappings - .ds-logs-endpoint.alerts-default-2023.01.17-000001

| Field | ECS mapping type (expected) | Index mapping type (actual) |
|-------|-----------------------------|-----------------------------|
| process.env_vars | `keyword` | `object` |

#### Incompatible field values - .ds-logs-endpoint.alerts-default-2023.01.17-000001

| Field | ECS values (expected) | Document values (actual) |
|-------|-----------------------|--------------------------|
| event.category | `authentication`, `configuration`, `database`, `driver`, `email`, `file`, `host`, `iam`, `intrusion_detection`, `malware`, `network`, `package`, `process`, `registry`, `session`, `threat`, `vulnerability`, `web` | `behavior` (45) |

### .ds-logs-endpoint.events.process-default-2023.01.17-000001

The `.ds-logs-endpoint.events.process-default-2023.01.17-000001` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html).

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ❌ | .ds-logs-endpoint.events.process-default-2023.01.17-000001 | 260 (43.2%) | 1 | `hot` |

### **Incompatible fields** `1` **Custom fields** `130` **ECS compliant fields** `304` **All fields** `435`

#### 1 incompatible field

Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0.

❌ Detection engine rules referencing these fields may not match them correctly
❌ Pages may not display some events or fields due to unexpected field mappings or values
❌ Mappings or field values that don't comply with ECS are not supported

#### Incompatible field mappings - .ds-logs-endpoint.events.process-default-2023.01.17-000001

| Field | ECS mapping type (expected) | Index mapping type (actual) |
|-------|-----------------------------|-----------------------------|
| process.env_vars | `keyword` | `object` |

## packetbeat-* `hot(2)`

| Incompatible fields | Indices checked | Indices | Docs |
|---------------------|-----------------|---------|------|
| 0 | 2 | 2 | 1,372,893 |

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-packetbeat-8.6.0-2023.01.17-000001 | 704,062 (51.3%) | 0 | `hot` |
| ✅ | .ds-packetbeat-8.4.1-2023.01.24-000001 | 668,831 (48.7%) | 0 | `hot` |

### .ds-packetbeat-8.6.0-2023.01.17-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-packetbeat-8.6.0-2023.01.17-000001 | 704,062 (51.3%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `604` **ECS compliant fields** `1209` **All fields** `1813`

### .ds-packetbeat-8.4.1-2023.01.24-000001

| Result | Index | Docs | Incompatible fields | ILM Phase |
|--------|-------|------|---------------------|-----------|
| ✅ | .ds-packetbeat-8.4.1-2023.01.24-000001 | 668,831 (48.7%) | 0 | `hot` |

### **Incompatible fields** `0` **Custom fields** `604` **ECS compliant fields** `1209` **All fields** `1813`

## Errors

Some indices were not checked for Data Quality

Errors may occur when pattern or index metadata is temporarily unavailable, or because you don't have the privileges required for access

The following privileges are required to check an index:

- `monitor` or `manage`
- `view_index_metadata`
- `read` or `read_cross_cluster`

| Pattern | Index | Error |
|---------|-------|-------|
| .alerts-security.alerts-default | -- | `Error loading stats: Error: Forbidden` |
| auditbeat-* | -- | `Error loading stats: Error: Forbidden` |
| logs-* | -- | `Error loading stats: Error: Forbidden` |
| packetbeat-* | -- | `Error loading stats: Error: Forbidden` |

See also: elastic/security-team#4559
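The per-index checks the description walks through (expected vs actual mapping types, expected vs actual field values from a terms aggregation, and the incompatible / custom / ECS compliant / all fields rollup), together with the privilege preflight from the Privileges table, as an added offline Python example. This is not code from the PR or from Kibana. It assumes a hand-picked subset of ECS 8.6 (`ECS_TYPES`, `ECS_ALLOWED`), a constructed `_mapping` body and terms-aggregation result (`SAMPLE_MAPPING`, `SAMPLE_AGGS`), and one rule inferred from the pasted report's `auditbeat-custom-empty-index-1` entry: a field missing from the mapping is flagged only when it is `@timestamp`.

```python
"""Offline model of the per-index checks the Data Quality dashboard performs.

Added example for this PR page, not code from Kibana. It reproduces, against
constructed inputs, expected vs actual mapping types, expected vs actual field
values, the four-number rollup, and the privilege preflight from the PR's table.
"""
from typing import Dict, Set, Tuple

# Constructed subset of ECS 8.6: expected mapping type per field.
ECS_TYPES = {
    "@timestamp": "date",
    "message": "match_only_text",
    "event.category": "keyword",
    "event.kind": "keyword",
    "host.name": "keyword",
    "process.command_line": "wildcard",
    "process.env_vars": "keyword",
}
# Constructed subset of the ECS allowed values.
ECS_ALLOWED = {
    "event.kind": {"alert", "enrichment", "event", "metric", "state", "pipeline_error", "signal"},
}
# Inferred from the report: a missing field is flagged only for @timestamp
# (expected `date`, actual `-`); other ECS fields absent from an index are not counted.
REQUIRED = {"@timestamp"}
MISSING = "-"

def flatten_mapping(properties: dict, prefix: str = "") -> Dict[str, str]:
    """Flatten a `_mapping` properties tree into {dotted.field: type}; only leaves
    are reported, an object leaf without `properties` (the shape behind the
    `process.env_vars` finding) gets type 'object', multi-fields are ignored."""
    flat: Dict[str, str] = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:
            flat.update(flatten_mapping(spec["properties"], path + "."))
        else:
            flat[path] = spec.get("type", "object")
    return flat

def check_index(mapping_response: dict, terms_aggs: dict) -> dict:
    """mapping_response: body of `GET <index>/_mapping`. terms_aggs: the `aggregations`
    object of a `GET <index>/_search` with one terms aggregation per ECS_ALLOWED field."""
    actual = flatten_mapping(mapping_response["mappings"]["properties"])
    bad_types: Dict[str, Tuple[str, str]] = {}
    for field, expected in ECS_TYPES.items():
        got = actual.get(field, MISSING)
        if got == MISSING and field not in REQUIRED:
            continue
        if got != expected:
            bad_types[field] = (expected, got)
    bad_values: Dict[str, Dict[str, int]] = {}
    for field, allowed in ECS_ALLOWED.items():
        buckets = terms_aggs.get(field, {}).get("buckets", [])
        unallowed = {b["key"]: b["doc_count"] for b in buckets if b["key"] not in allowed}
        if unallowed:
            bad_values[field] = unallowed
    incompatible = set(bad_types) | set(bad_values)
    custom = {f for f in actual if f not in ECS_TYPES}
    compliant = {f for f in actual if f in ECS_TYPES and f not in incompatible}
    return {
        "incompatible_mappings": bad_types,
        "incompatible_values": bad_values,
        # The four numbers on each per-index heading of the report.
        "counts": {"incompatible": len(incompatible), "custom": len(custom),
                   "ecs_compliant": len(compliant), "all": len(actual)},
    }

# Privileges table from the PR, in the order the dashboard calls the APIs;
# a step succeeds if the user holds any one of its listed index privileges.
STEPS = [
    ("_stats", {"monitor", "manage"}),
    ("_ilm/explain", {"view_index_metadata", "manage_ilm"}),
    ("_mapping", {"view_index_metadata", "manage"}),
    ("_search", {"read", "read_cross_cluster"}),
]

def first_forbidden_step(granted: Set[str]):
    """Return the first API the check would fail on with Forbidden, or None."""
    for api, any_of in STEPS:
        if not granted & any_of:
            return api
    return None

# Constructed `_mapping` body shaped like a pre-8.x auditbeat index (one custom field).
SAMPLE_MAPPING = {"mappings": {"properties": {
    "@timestamp": {"type": "date"},
    "message": {"type": "text"},
    "event": {"properties": {"category": {"type": "keyword"}, "kind": {"type": "keyword"}}},
    "host": {"properties": {"name": {"type": "keyword"}}},
    "process": {"properties": {"command_line": {"type": "keyword"}}},
    "auditd": {"properties": {"summary": {"properties": {"actor": {"properties": {"primary": {"type": "keyword"}}}}}}},
}}}
# Constructed terms-aggregation result: one document carries an unallowed value.
SAMPLE_AGGS = {"event.kind": {"buckets": [{"key": "event", "doc_count": 110}, {"key": "error", "doc_count": 1}]}}
```

Calling `check_index(SAMPLE_MAPPING, SAMPLE_AGGS)` reports `message` (`match_only_text` vs `text`) and `process.command_line` (`wildcard` vs `keyword`) as incompatible mappings and `event.kind` = `error` (1) as an unallowed value, the same shapes as the `auditbeat-7.10.2` rows in the report, with counts incompatible 3 / custom 1 / ECS compliant 3 / all 7 (the three categories always sum to the mapped-field total, as they do in the pasted report). An empty mapping yields the report's `@timestamp` expected `date`, actual `-` finding with all other counts at zero. `first_forbidden_step({"read", "view_index_metadata"})`, a `viewer`-like grant with no `monitor`, returns `_stats`, which is the `Error loading stats: Error: Forbidden` row in the Errors table.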
.ds-auditbeat-8.0.0-2023.01.24-000001 | Result | Index | Docs | Incompatible fields | ILM Phase | |--------|-------|------|---------------------|-----------| | ✅ | .ds-auditbeat-8.0.0-2023.01.24-000001 | 251 (0.9%) | 0 | `hot` | ### **Incompatible fields** `0` **Custom fields** `510` **ECS compliant fields** `1204` **All fields** `1714` ### auditbeat-7.10.2-2023.01.24-000001 The `auditbeat-7.10.2-2023.01.24-000001` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html). | Result | Index | Docs | Incompatible fields | ILM Phase | |--------|-------|------|---------------------|-----------| | ❌ | auditbeat-7.10.2-2023.01.24-000001 | 111 (0.4%) | 12 | `hot` | ### **Incompatible fields** `12` **Custom fields** `467` **ECS compliant fields** `602` **All fields** `1081` #### 12 incompatible fields Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0. 
❌ Detection engine rules referencing these fields may not match them correctly ❌ Pages may not display some events or fields due to unexpected field mappings or values ❌ Mappings or field values that don't comply with ECS are not supported #### Incompatible field mappings - auditbeat-7.10.2-2023.01.24-000001 | Field | ECS mapping type (expected) | Index mapping type (actual) | |-------|-----------------------------|-----------------------------| | error.message | `match_only_text` | `text` | | error.stack_trace | `wildcard` | `keyword` | | http.request.body.content | `wildcard` | `keyword` | | http.response.body.content | `wildcard` | `keyword` | | message | `match_only_text` | `text` | | process.command_line | `wildcard` | `keyword` | | process.parent.command_line | `wildcard` | `keyword` | | registry.data.strings | `wildcard` | `keyword` | | url.full | `wildcard` | `keyword` | | url.original | `wildcard` | `keyword` | | url.path | `wildcard` | `keyword` | #### Incompatible field values - auditbeat-7.10.2-2023.01.24-000001 | Field | ECS values (expected) | Document values (actual) | |-------|-----------------------|--------------------------| | event.kind | `alert`, `enrichment`, `event`, `metric`, `state`, `pipeline_error`, `signal` | `error` (1) | ### .ds-auditbeat-8.5.0-2023.01.24-000001 | Result | Index | Docs | Incompatible fields | ILM Phase | |--------|-------|------|---------------------|-----------| | ✅ | .ds-auditbeat-8.5.0-2023.01.24-000001 | 74 (0.3%) | 0 | `hot` | ### **Incompatible fields** `0` **Custom fields** `509` **ECS compliant fields** `1210` **All fields** `1719` ### auditbeat-custom-empty-index-1 The `auditbeat-custom-empty-index-1` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` 
[definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html). | Result | Index | Docs | Incompatible fields | ILM Phase | |--------|-------|------|---------------------|-----------| | ❌ | auditbeat-custom-empty-index-1 | 0 (0.0%) | 1 | `unmanaged` | ### **Incompatible fields** `1` **Custom fields** `0` **ECS compliant fields** `0` **All fields** `0` #### 1 incompatible field Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0. ❌ Detection engine rules referencing these fields may not match them correctly ❌ Pages may not display some events or fields due to unexpected field mappings or values ❌ Mappings or field values that don't comply with ECS are not supported #### Incompatible field mappings - auditbeat-custom-empty-index-1 | Field | ECS mapping type (expected) | Index mapping type (actual) | |-------|-----------------------------|-----------------------------| | @timestamp | `date` | `-` | ## logs-* `hot(2)` | Incompatible fields | Indices checked | Indices | Docs | |---------------------|-----------------|---------|------| | 3 | 2 | 2 | 602 | | Result | Index | Docs | Incompatible fields | ILM Phase | |--------|-------|------|---------------------|-----------| | ❌ | .ds-logs-endpoint.alerts-default-2023.01.17-000001 | 342 (56.8%) | 2 | `hot` | | ❌ | .ds-logs-endpoint.events.process-default-2023.01.17-000001 | 260 (43.2%) | 1 | `hot` | ### .ds-logs-endpoint.alerts-default-2023.01.17-000001 The `.ds-logs-endpoint.alerts-default-2023.01.17-000001` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html). 
| Result | Index | Docs | Incompatible fields | ILM Phase | |--------|-------|------|---------------------|-----------| | ❌ | .ds-logs-endpoint.alerts-default-2023.01.17-000001 | 342 (56.8%) | 2 | `hot` | ### **Incompatible fields** `2` **Custom fields** `857` **ECS compliant fields** `675` **All fields** `1534` #### 2 incompatible fields Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0. ❌ Detection engine rules referencing these fields may not match them correctly ❌ Pages may not display some events or fields due to unexpected field mappings or values ❌ Mappings or field values that don't comply with ECS are not supported #### Incompatible field mappings - .ds-logs-endpoint.alerts-default-2023.01.17-000001 | Field | ECS mapping type (expected) | Index mapping type (actual) | |-------|-----------------------------|-----------------------------| | process.env_vars | `keyword` | `object` | #### Incompatible field values - .ds-logs-endpoint.alerts-default-2023.01.17-000001 | Field | ECS values (expected) | Document values (actual) | |-------|-----------------------|--------------------------| | event.category | `authentication`, `configuration`, `database`, `driver`, `email`, `file`, `host`, `iam`, `intrusion_detection`, `malware`, `network`, `package`, `process`, `registry`, `session`, `threat`, `vulnerability`, `web` | `behavior` (45) | ### .ds-logs-endpoint.events.process-default-2023.01.17-000001 The `.ds-logs-endpoint.events.process-default-2023.01.17-000001` index has [mappings](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html) or field values that are different than the [Elastic Common Schema](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html) (ECS), version `8.6.0` [definitions](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html). 
| Result | Index | Docs | Incompatible fields | ILM Phase | |--------|-------|------|---------------------|-----------| | ❌ | .ds-logs-endpoint.events.process-default-2023.01.17-000001 | 260 (43.2%) | 1 | `hot` | ### **Incompatible fields** `1` **Custom fields** `130` **ECS compliant fields** `304` **All fields** `435` #### 1 incompatible field Fields are incompatible with ECS when index mappings, or the values of the fields in the index, don't conform to the Elastic Common Schema (ECS), version 8.6.0. ❌ Detection engine rules referencing these fields may not match them correctly ❌ Pages may not display some events or fields due to unexpected field mappings or values ❌ Mappings or field values that don't comply with ECS are not supported #### Incompatible field mappings - .ds-logs-endpoint.events.process-default-2023.01.17-000001 | Field | ECS mapping type (expected) | Index mapping type (actual) | |-------|-----------------------------|-----------------------------| | process.env_vars | `keyword` | `object` | ## packetbeat-* `hot(2)` | Incompatible fields | Indices checked | Indices | Docs | |---------------------|-----------------|---------|------| | 0 | 2 | 2 | 1,372,893 | | Result | Index | Docs | Incompatible fields | ILM Phase | |--------|-------|------|---------------------|-----------| | ✅ | .ds-packetbeat-8.6.0-2023.01.17-000001 | 704,062 (51.3%) | 0 | `hot` | | ✅ | .ds-packetbeat-8.4.1-2023.01.24-000001 | 668,831 (48.7%) | 0 | `hot` | ### .ds-packetbeat-8.6.0-2023.01.17-000001 | Result | Index | Docs | Incompatible fields | ILM Phase | |--------|-------|------|---------------------|-----------| | ✅ | .ds-packetbeat-8.6.0-2023.01.17-000001 | 704,062 (51.3%) | 0 | `hot` | ### **Incompatible fields** `0` **Custom fields** `604` **ECS compliant fields** `1209` **All fields** `1813` ### .ds-packetbeat-8.4.1-2023.01.24-000001 | Result | Index | Docs | Incompatible fields | ILM Phase | |--------|-------|------|---------------------|-----------| | ✅ | 
.ds-packetbeat-8.4.1-2023.01.24-000001 | 668,831 (48.7%) | 0 | `hot` | ### **Incompatible fields** `0` **Custom fields** `604` **ECS compliant fields** `1209` **All fields** `1813` ## Errors Some indices were not checked for Data Quality Errors may occur when pattern or index metadata is temporarily unavailable, or because you don't have the privileges required for access The following privileges are required to check an index: - `monitor` or `manage` - `view_index_metadata` - `read` or `read_cross_cluster` | Pattern | Index | Error | |---------|-------|-------| | .alerts-security.alerts-default | -- | `Error loading stats: Error: Forbidden` | | auditbeat-* | -- | `Error loading stats: Error: Forbidden` | | logs-* | -- | `Error loading stats: Error: Forbidden` | | packetbeat-* | -- | `Error loading stats: Error: Forbidden` | See also: elastic/security-team#4559
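The privileges table above and the `Error loading stats: Error: Forbidden` rows at the end of the report describe the same four Elasticsearch calls. The following Python is an added example, not code from this PR or from Kibana: it turns that table into a least-privilege role body for `PUT /_security/role/<name>` and evaluates a `_has_privileges` response group by group, so the failing call can be named before the dashboard is opened. The role and user names, the index patterns and both responses are constructed for illustration; the response shape is the one the Elasticsearch `_has_privileges` API returns.

```python
"""Added example (not part of the Kibana PR): least-privilege role for the Data
Quality dashboard checks, and a group-by-group reading of `_has_privileges`."""
from typing import Dict, List

# One entry per Elasticsearch call the dashboard makes, with the alternative
# index privileges that satisfy it (from the privileges table on the page).
REQUIRED_GROUPS: Dict[str, List[str]] = {
    "_stats": ["monitor", "manage"],
    "_ilm/explain": ["view_index_metadata", "manage_ilm"],
    "_mapping": ["view_index_metadata", "manage"],
    "_search": ["read", "read_cross_cluster"],
}

# Smallest set that satisfies every group; `manage` would also do but grants
# write-side index administration the dashboard never needs.
LEAST_PRIVILEGE: List[str] = ["monitor", "view_index_metadata", "read"]


def role_body(index_patterns: List[str]) -> dict:
    """Body for `PUT /_security/role/<role name>`: index privileges only."""
    return {
        "cluster": [],
        "indices": [{"names": index_patterns, "privileges": LEAST_PRIVILEGE}],
    }


def has_privileges_body(index_patterns: List[str]) -> dict:
    """Body for `GET /_security/user/_has_privileges`, asking about every
    alternative so the answer can be evaluated one group at a time."""
    wanted = sorted({p for options in REQUIRED_GROUPS.values() for p in options})
    return {"index": [{"names": index_patterns, "privileges": wanted}]}


def missing_checks(response: dict, index_pattern: str) -> Dict[str, List[str]]:
    """Map each call the user cannot make against `index_pattern` to the
    privileges that would allow it; an empty dict means the index is checkable."""
    granted = response.get("index", {}).get(index_pattern, {})
    return {
        api: options
        for api, options in REQUIRED_GROUPS.items()
        if not any(granted.get(p, False) for p in options)
    }


def can_check(response: dict, index_pattern: str) -> bool:
    return not missing_checks(response, index_pattern)


# Constructed `_has_privileges` response for a user holding only the built-in
# `viewer` role, which (per the page) lacks `monitor` and `manage`.
VIEWER_RESPONSE = {
    "username": "dq_viewer",  # illustrative user name
    "has_all_requested": False,
    "cluster": {},
    "index": {"logs-*": {
        "manage": False, "manage_ilm": False, "monitor": False,
        "read": True, "read_cross_cluster": False, "view_index_metadata": True}},
    "application": {},
}

# Constructed response for a user holding the role produced by `role_body`.
CHECKER_RESPONSE = {
    "username": "dq_checker",  # illustrative user name
    "has_all_requested": False,
    "cluster": {},
    "index": {"logs-*": {
        "manage": False, "manage_ilm": False, "monitor": True,
        "read": True, "read_cross_cluster": False, "view_index_metadata": True}},
    "application": {},
}


if __name__ == "__main__":
    import json
    print(json.dumps(role_body(["logs-*", "auditbeat-*", "packetbeat-*"]), indent=2))
    print(missing_checks(VIEWER_RESPONSE, "logs-*"))  # {'_stats': ['monitor', 'manage']}
    print(can_check(CHECKER_RESPONSE, "logs-*"))      # True
```

Against a live cluster, send `role_body(...)` to `PUT /_security/role/<name>` as an administrator, then send `has_privileges_body(...)` to `GET /_security/user/_has_privileges` authenticated as the user under test; for a `viewer`-only user `missing_checks` names `_stats`, which is exactly the call that produced the `Forbidden` rows above.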
Wow this is amazing 👏 can't wait!!
# [Security Solution] Data Quality dashboard

## Check ECS compatibility with just one click

With just one click, the Data Quality dashboard checks all the indices used by the Security Solution (or anything else) for compatibility with the Elastic Common Schema (ECS)

## Create cases from results

Create a single case containing all the results, or create cases for specific indices

## Interactive tabs put results in context

Expand any index to reveal interactive tabs

## Share comprehensive markdown reports

Share markdown reports containing the same content as the dashboard

## On page load

- When the Data Quality dashboard page loads, the alerts index, and any indices matching the selected `Data view`, are displayed
- Only `hot`, `warm`, or `unmanaged` indices are displayed by default
- Indices are not checked automatically when the dashboard loads
- Click either:
  - `Check all` to check all the indices on the page

## Check all

When the `Check all` button is clicked:

- The `Check all` button changes to a `Cancel` button
- The `Last checked: n <time unit> ago` text is replaced with a progress bar indicating how many indices are left to check
- The `Checking <index name>` text will update as each index is checked. Text will wrap if necessary

(video: check_all_trimmed.mov)

When `Check all` is running, the Data Quality dashboard adds a three second delay after every check completes, before beginning the next check.

`Check all` will keep checking indices until the user cancels, or every index has been checked (or a check has been attempted).

While `Check all` is running, users may simultaneously click on any index to check it on demand. The results are instantly rolled up when this happens.

When all checks complete, the page looks like this:

## Take action

Click the `Take action` popover to share the entire page of results via one of the following actions:

## Expanding results

- The `Incompatible fields` tab is always displayed by default when a result is expanded
- The `Incompatible fields` tab shows a success message when a successful result is expanded
- The `Incompatible fields` tab shows, side by side, expected ECS mapping types vs the actual mapping types when they are different
- The `Incompatible fields` tab also compares field values expected by ECS vs the actual values in an index, when they are different
- The `Incompatible fields` tab displays a callout that explains the consequences of having incompatible fields. The content is based on the following illustration, created by @MikePaquette
- The callout has a call to action to create a case or copy a markdown report for just the expanded result
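The expected-vs-actual comparison the `Incompatible fields` tab performs, as an added Python example that is not the dashboard's own code: it flattens a `_mapping` response, compares each field's type with a hand-picked slice of the ECS 8.6.0 definitions that appear in the report above, and checks a terms aggregation for values outside the ECS allowed list. The ECS slice, the index names and both Elasticsearch responses are constructed; the rule that an absent field is flagged only when ECS requires it (`@timestamp`) is inferred from the empty-index result in the report, not taken from the dashboard's source.

```python
"""Added example (not part of the Kibana PR): the two checks behind the
`Incompatible fields` tab, run offline over constructed Elasticsearch responses."""
from typing import Dict, List, Optional, Tuple

# Hand-picked slice of ECS 8.6.0: field -> (expected mapping type, allowed values
# or None when ECS does not constrain the value).
ECS_SUBSET: Dict[str, Tuple[str, Optional[List[str]]]] = {
    "@timestamp": ("date", None),
    "event.category": ("keyword", [
        "authentication", "configuration", "database", "driver", "email", "file",
        "host", "iam", "intrusion_detection", "malware", "network", "package",
        "process", "registry", "session", "threat", "vulnerability", "web"]),
    "event.kind": ("keyword", [
        "alert", "enrichment", "event", "metric", "state", "pipeline_error", "signal"]),
    "message": ("match_only_text", None),
    "process.command_line": ("wildcard", None),
    "process.env_vars": ("keyword", None),
    "url.full": ("wildcard", None),
}

# Inferred from the report: an empty index is flagged only for `@timestamp`,
# so absence counts as an error just for fields ECS requires.
REQUIRED_FIELDS = {"@timestamp"}


def flatten_mapping(properties: dict, prefix: str = "") -> Dict[str, str]:
    """Flatten the `properties` tree of a `_mapping` response into
    {dotted.field: type}. A node with sub-properties and no explicit `type`
    is an `object`, which is how `process.env_vars` shows up as `object`."""
    flat: Dict[str, str] = {}
    for name, spec in properties.items():
        path = prefix + name
        flat[path] = spec.get("type", "object")
        if "properties" in spec:
            flat.update(flatten_mapping(spec["properties"], path + "."))
    return flat


def incompatible_mappings(mapping_response: dict, index: str) -> List[Tuple[str, str, str]]:
    """(field, expected, actual) rows; `-` stands for a missing required field."""
    actual = flatten_mapping(mapping_response[index]["mappings"].get("properties", {}))
    rows: List[Tuple[str, str, str]] = []
    for field, (expected, _allowed) in ECS_SUBSET.items():
        if field in actual:
            if actual[field] != expected:
                rows.append((field, expected, actual[field]))
        elif field in REQUIRED_FIELDS:
            rows.append((field, expected, "-"))
    return rows


def unallowed_values_query(field: str, size: int = 10) -> dict:
    """`_search` body: drop the allowed values server-side, bucket what is left."""
    allowed = ECS_SUBSET[field][1] or []
    return {
        "size": 0,
        "query": {"bool": {"must_not": [{"terms": {field: allowed}}]}},
        "aggs": {"unallowed": {"terms": {"field": field, "size": size}}},
    }


def incompatible_values(search_response: dict, field: str) -> List[Tuple[str, int]]:
    """(value, doc_count) rows for values outside the ECS allowed list; the
    client-side filter guards against a response to a query without must_not."""
    allowed = set(ECS_SUBSET[field][1] or [])
    buckets = search_response["aggregations"]["unallowed"]["buckets"]
    return [(b["key"], b["doc_count"]) for b in buckets if b["key"] not in allowed]


# Constructed `_mapping` response for two hypothetical indices.
MAPPING_RESPONSE = {
    "logs-example-000001": {"mappings": {"properties": {
        "@timestamp": {"type": "date"},
        "event": {"properties": {"category": {"type": "keyword"},
                                 "kind": {"type": "keyword"}}},
        "message": {"type": "text"},
        "process": {"properties": {
            "command_line": {"type": "keyword"},
            "env_vars": {"properties": {"PATH": {"type": "keyword"}}}}},
        "url": {"properties": {"full": {"type": "keyword"}}},
    }}},
    "empty-example-1": {"mappings": {}},
}

# Constructed `_search` response to `unallowed_values_query("event.category")`.
SEARCH_RESPONSE = {
    "hits": {"total": {"value": 45, "relation": "eq"}},
    "aggregations": {"unallowed": {"buckets": [{"key": "behavior", "doc_count": 45}]}},
}


if __name__ == "__main__":
    for row in incompatible_mappings(MAPPING_RESPONSE, "logs-example-000001"):
        print("| %s | `%s` | `%s` |" % row)
    for value, count in incompatible_values(SEARCH_RESPONSE, "event.category"):
        print("| event.category | ... | `%s` (%d) |" % (value, count))
```

The mapping rows this produces (`message`, `process.command_line`, `process.env_vars`, `url.full`) are the same kinds of mismatches the report lists: `text` where ECS expects `match_only_text`, `keyword` where it expects `wildcard`, and an `object` where it expects `keyword`.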
## Tabs

- The Summary tab displays a call to action when incompatible fields are found
- Click on any part of the Summary tab chart or legend to navigate to the corresponding tab
- Clicking on the `Copy to clipboard` call to action in the Custom fields tab copies a markdown version of the table to the clipboard
- The search feature of the ECS compliant fields tab may, for example, be used to verify a specific ECS compliant mapping exists
- The All fields tab displays the union of all other tabs

## Data view selection

- The `Data view` dropdown defaults to the `Security Default Data View`
- The alerts index is always checked and included in the results, even when another Data View is selected

## ILM phase options

- Only `hot`, `warm`, or `unmanaged` indices may be selected for checking. The `cold` and `frozen` options are disabled.
- When all options in the `ILM phase` box are cleared, an informative empty prompt is displayed

## Errors

- Errors may occur for some (or all) indices. The `View errors` button appears when the first error occurs
- Users may click the `View errors` button to view them, even while a check is in progress
- The Copy to clipboard button in the errors popover copies a markdown version of the errors table to the clipboard
- When errors occur, the same content shown in the Errors popover is automatically included in the markdown report created by the `Take action` menu

## Markdown reports

- The content of markdown reports (created by the Take action menu) includes most of the content from the Data Quality dashboard that created it
- In the screenshot below, the Data Quality dashboard is on the left, and a markdown report (pasted into Github) is on the right
- Stats rollups and tables are included in markdown reports
- Markdown reports use the same "expected vs actual" format to display the details of incompatible field mappings

## Navigation

- The Data Quality dashboard is grouped with the existing Security Solution dashboards
- It may also be launched via the side navigation