Add criticality fields and risk score fields to alert schema #174626
Conversation
@nkhristinin Since asset criticality has not yet been released (as of 8.12), I recommend we remove the older Kibana fieldmapsets so it does not clutter the alert fields. With the above internal fields cleaned up, I approve merging this PR so we use the proposed ECS fields instead.
@elasticmachine merge upstream
As there is a chance that it was released in serverless, those fields can be in alert_mappings, but not in the alert document. I will not remove them from mappings for backwards compatibility.
@elasticmachine merge upstream
export const alertsFieldMap8130 = { | ||
...alertsFieldMap840, | ||
/** | ||
* @deprecated Use ALERT_HOST_CRITICALITY instead. |
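Review bot: the @deprecated tag on the legacy key in alertsFieldMap8130 says what to use instead but not why the entry survives; since the stated reason for keeping it is backward compatibility with serverless deployments that may already have written kibana.alert.host.criticality_level, saying so in the JSDoc (for example `* Kept for documents written before host.asset.criticality existed; do not remove from mappings.`) protects the entry from a later sweep of deprecated keys.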
I wasn't able to see these JSDoc being used anywhere, either on the broader alertsFieldMap8130
type, nor on pulling the value out. Since the key itself is deprecated, perhaps that's good enough?
export const ALERT_HOST_CRITICALITY = `${ALERT_NAMESPACE}.host.criticality_level` as const; | ||
export const ALERT_USER_CRITICALITY = `${ALERT_NAMESPACE}.user.criticality_level` as const; | ||
/** | ||
* @deprecated Use ALERT_HOST_CRITICALITY |
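Review bot: the deprecation text points at ALERT_HOST_CRITICALITY, but the two exports immediately above it in this snippet are themselves named ALERT_HOST_CRITICALITY and ALERT_USER_CRITICALITY and resolve to the legacy `${ALERT_NAMESPACE}.host.criticality_level` paths; if those are the constants being deprecated, "Use ALERT_HOST_CRITICALITY" is self-referential and should either name the module that defines the `host.asset.criticality` constant or the legacy constants should get a distinct name so the reference is unambiguous.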
This format will actually link to the other type:
* @deprecated Use ALERT_HOST_CRITICALITY | |
* @deprecated Use {@link ALERT_HOST_CRITICALITY} |
export const ALERT_HOST_CRITICALITY = `host.asset.criticality` as const; | ||
export const ALERT_USER_CRITICALITY = `user.asset.criticality` as const; | ||
export const ALERT_HOST_RISK_SCORE_CALCULATED_LEVEL = `host.risk.calculated_level` as const; |
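Review bot: ALERT_HOST_CRITICALITY and ALERT_USER_CRITICALITY now resolve to host.asset.criticality and user.asset.criticality, outside the kibana.alert namespace that the ALERT_ prefix has meant until now, while ALERT_HOST_RISK_SCORE_CALCULATED_LEVEL is an ECS field also used elsewhere in the app; a one-line comment on each constant stating that the asset criticality fields are populated only on alert documents (the reason given in this thread for keeping the prefix) would record that decision in the code rather than only in the review.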
Do these need these ALERT_ prefixes if the fields aren't specific to alerts?
Yes, for those fields I want to show that they are related to alerts. We do have host.risk.calculated_level in other places in our app, but host.asset.criticality is unique only to alerts, so I wanted to specify that.
...curity_solution/server/lib/detection_engine/rule_types/utils/enrichments/__mocks__/alerts.ts
lgtm, but traditionally it's been @elastic/response-ops that want to keep the alerts as data schemas as light as possible
@elasticmachine merge upstream
@@ -122,6 +122,9 @@ const SecurityAlertOptional = rt.partial({ | |||
'ecs.version': schemaString, | |||
'event.action': schemaString, | |||
'event.kind': schemaString, | |||
'host.asset.criticality': schemaString, | |||
'host.risk.calculated_level': schemaString, |
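Review bot: both new entries in this hunk are typed as schemaString, which fits host.asset.criticality and host.risk.calculated_level since both hold a level label; the companion host.risk.calculated_score_norm named in the PR description is a normalized numeric score, so if it is added to SecurityAlertOptional as well it needs a numeric schema rather than schemaString, otherwise documents carrying a number will fail the runtime type check.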
host.risk.calculated_level and host.risk.calculated_score_norm are already in the ECS component template, which is referenced by the security alerts index. Do we need to redefine them in the security alerts component template?
Good catch! I will check if I can keep them in alert types but remove them from field_maps, thanks!
Tested locally, you're right, the fields are already in the alert mappings, we probably don't need them here. Thanks!
@@ -204,6 +207,9 @@ const SecurityAlertOptional = rt.partial({ | |||
'kibana.alert.workflow_user': schemaString, | |||
'kibana.version': schemaString, | |||
tags: schemaStringArray, | |||
'user.asset.criticality': schemaString, | |||
'user.risk.calculated_level': schemaString, |
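Review bot: 'user.risk.calculated_level' here mirrors the host.* entry in the earlier hunk, so whatever is decided for host.risk.calculated_level (keep it in the runtime type but drop it from field_maps, per the host thread) should be applied to the user.* pair in the same commit so the two halves of SecurityAlertOptional do not diverge; a short comment on these lines noting that the mapping comes from the ECS component template would stop the next reader from re-adding them to field_maps.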
Same question about user.risk.calculated_score_norm and user.risk.calculated_level. If they are already in the ECS component template, do we need to redefine them in the security alerts component template?
@elasticmachine merge upstream
@elasticmachine merge upstream
@elasticmachine merge upstream
Response ops changes LGTM
💛 Build succeeded, but was flaky
I was briefly hung up on this exchange, but it sounds like you and Sourin have come to an agreement there 👍 .
@ymao1 thanks for catching those redundancies!
EA/SecSol changes LGTM.
…#174626) ## Update alerts fields names for asset criticality, and add risk score field We want to update `kibana.alert.user.criticality_level` to `host.asset.criticality` `kibana.alert.host.criticality_level` to `host.asset.criticality` `kibana.alert.user.criticality_level` and `kibana.alert.host.criticality_level` will be still present in the schema/mappings, for backward compatibility as it was released to serverless/ Also, we added `host.risk.calculated_score_norm`, `host.risk.calculated_level`, `user.risk.calculated_score_norm`, `user.risk.calculated_level`. Those fields enriched alerts from[8.5.0](elastic#139478), but weren't added to the alert schema @SourinPaul [approved](elastic#174626 (comment)) usage of new fields --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Update alerts fields names for asset criticality, and add risk score field

We want to update `kibana.alert.user.criticality_level` to `host.asset.criticality`, and `kibana.alert.host.criticality_level` to `host.asset.criticality`.

`kibana.alert.user.criticality_level` and `kibana.alert.host.criticality_level` will be still present in the schema/mappings, for backward compatibility as it was released to serverless.

Also, we added `host.risk.calculated_score_norm`, `host.risk.calculated_level`, `user.risk.calculated_score_norm`, `user.risk.calculated_level`. Those fields enriched alerts from 8.5.0, but weren't added to the alert schema.

@SourinPaul approved usage of new fields.
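The rename described above leaves two generations of alert documents in the same index: older ones carrying only the deprecated `kibana.alert.*.criticality_level` keys and newer ones carrying `host.asset.criticality` / `user.asset.criticality`. The following is an added example, not Kibana's own code, of how a consumer of alert hits can read criticality across both generations and count how many documents would be missed by a query on the new names alone; the field paths come from this PR, while the document shapes and the criticality values are constructed here.

```typescript
// Added example (not Kibana code): reading asset criticality from alert
// documents written before and after the field rename in PR #174626.

type AlertDoc = Record<string, unknown>;

// New ECS-style names introduced by the PR.
const ALERT_HOST_CRITICALITY = 'host.asset.criticality' as const;
const ALERT_USER_CRITICALITY = 'user.asset.criticality' as const;
// Deprecated kibana.alert.* names, still present in the mappings for
// backward compatibility with documents already written in serverless.
const LEGACY_HOST_CRITICALITY = 'kibana.alert.host.criticality_level' as const;
const LEGACY_USER_CRITICALITY = 'kibana.alert.user.criticality_level' as const;

// Return the field only when it is a string, matching the schemaString
// runtime type in the PR; anything else is treated as absent.
function readString(doc: AlertDoc, field: string): string | undefined {
  const value = doc[field];
  return typeof value === 'string' ? value : undefined;
}

// Prefer the new field and fall back to the deprecated one, so alerts from
// deployments that predate the rename remain readable without a reindex.
export function hostCriticality(doc: AlertDoc): string | undefined {
  return readString(doc, ALERT_HOST_CRITICALITY) ?? readString(doc, LEGACY_HOST_CRITICALITY);
}

export function userCriticality(doc: AlertDoc): string | undefined {
  return readString(doc, ALERT_USER_CRITICALITY) ?? readString(doc, LEGACY_USER_CRITICALITY);
}

// Count documents that carry a criticality only under a deprecated key.
// This is the number a filter on the new names would silently miss, and
// a quick way to check whether the deprecated mappings can still be dropped.
export function legacyOnlyCount(docs: AlertDoc[]): number {
  const pairs: Array<[string, string]> = [
    [ALERT_HOST_CRITICALITY, LEGACY_HOST_CRITICALITY],
    [ALERT_USER_CRITICALITY, LEGACY_USER_CRITICALITY],
  ];
  return docs.filter((doc) =>
    pairs.some(([next, legacy]) => readString(doc, legacy) !== undefined && readString(doc, next) === undefined)
  ).length;
}

// Constructed sample hits, flattened the way an alert's `fields` response is.
// The criticality values are sample labels chosen for this example.
export const SAMPLE_ALERTS: AlertDoc[] = [
  { 'kibana.alert.host.criticality_level': 'high_impact', 'host.risk.calculated_level': 'High' },
  { 'host.asset.criticality': 'low_impact', 'user.asset.criticality': 'extreme_impact' },
  { 'host.asset.criticality': 'medium_impact', 'kibana.alert.host.criticality_level': 'medium_impact' },
];
```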