Add criticality fields and risk score fields to alert schema #174626
Conversation
|
/ci |
|
/ci |
|
@nkhristinin Since asset criticality has not yet been released (as of 8.12), I recommend we remove the older Kibana fieldmapsets so it does not clutter the alert fields. With the above internal fields cleaned up, I approve merging this PR so we use the proposed ECS fields instead. |
|
@elasticmachine merge upstream |
As there change that it was released in serverless, those fields can be in alert_mappings, but not in the alert document. I will not remove them from mappings for backwards compatibility |
nkhristinin
added
the
release_note:feature
|
@elasticmachine merge upstream |
|
|
||
| export const alertsFieldMap8130 = { | ||
| ...alertsFieldMap840, | ||
| /** | ||
| * @deprecated Use ALERT_HOST_CRITICALITY instead. |
There was a problem hiding this comment.
I wasn't able to see these JSDoc being used anywhere, either on the broader alertsFieldMap8130 type, nor on pulling the value out. Since the key itself is deprecated, perhaps that's good enough?
| export const ALERT_HOST_CRITICALITY = `${ALERT_NAMESPACE}.host.criticality_level` as const; | ||
| export const ALERT_USER_CRITICALITY = `${ALERT_NAMESPACE}.user.criticality_level` as const; | ||
| /** | ||
| * @deprecated Use ALERT_HOST_CRITICALITY |
There was a problem hiding this comment.
This format will actually link to the other type:
| * @deprecated Use ALERT_HOST_CRITICALITY | |
| * @deprecated Use {@link ALERT_HOST_CRITICALITY} |
|
|
||
| export const ALERT_HOST_CRITICALITY = `host.asset.criticality` as const; | ||
| export const ALERT_USER_CRITICALITY = `user.asset.criticality` as const; | ||
| export const ALERT_HOST_RISK_SCORE_CALCULATED_LEVEL = `host.risk.calculated_level` as const; |
There was a problem hiding this comment.
Do these need these ALERT_ prefixes if the fields aren't specific to alerts?
There was a problem hiding this comment.
Yes, for those fields I want to show that they are related to alerts.
We do have host.risk.calculated_level in other places in our app, but host.asset.criticality unique only for alerts, so I wanted to specify that
...curity_solution/server/lib/detection_engine/rule_types/utils/enrichments/__mocks__/alerts.ts
Show resolved
Hide resolved
|
@elasticmachine merge upstream |
| @@ -122,6 +122,9 @@ const SecurityAlertOptional = rt.partial({ | |||
| 'ecs.version': schemaString, | |||
| 'event.action': schemaString, | |||
| 'event.kind': schemaString, | |||
| 'host.asset.criticality': schemaString, | |||
| 'host.risk.calculated_level': schemaString, | |||
There was a problem hiding this comment.
host.risk.calculated_level and host.risk.calculated_score_norm are already in the ECS component template, which is referenced by by the security alerts index. Do we need to redefine them in the security alerts component template?
There was a problem hiding this comment.
Good catch!
I will check if I can have in alert types, but remove from field_maps, thanks!
There was a problem hiding this comment.
Tested locally, you rights, the field already in alert mappings, we probably don't need them here. Thanks!
| @@ -204,6 +207,9 @@ const SecurityAlertOptional = rt.partial({ | |||
| 'kibana.alert.workflow_user': schemaString, | |||
| 'kibana.version': schemaString, | |||
| tags: schemaStringArray, | |||
| 'user.asset.criticality': schemaString, | |||
| 'user.risk.calculated_level': schemaString, | |||
There was a problem hiding this comment.
same question about user.risk.calculated_score_norm and user.risk.calculated_level. If they are already in the ECS component template, do we need to redefine them in the security alerts component template?
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
There was a problem hiding this comment.
I was briefly hung up on this exchange, but it sounds like you and Sourin have come to an agreement there 👍 .
@ymao1 thanks for catching those redundancies!
EA/SecSol changes LGTM.
kibanamachine
added
v8.13.0
backport:skip
…#174626) ## Update alerts fields names for asset criticality, and add risk score field We want to update `kibana.alert.user.criticality_level` to `host.asset.criticality` `kibana.alert.host.criticality_level` to `host.asset.criticality` `kibana.alert.user.criticality_level` and `kibana.alert.host.criticality_level` will be still present in the schema/mappings, for backward compatibility as it was released to serverless/ Also, we added `host.risk.calculated_score_norm`, `host.risk.calculated_level`, `user.risk.calculated_score_norm`, `user.risk.calculated_level`. Those fields enriched alerts from[8.5.0](elastic#139478), but weren't added to the alert schema @SourinPaul [approved](elastic#174626 (comment)) usage of new fields --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
…#174626) ## Update alerts fields names for asset criticality, and add risk score field We want to update `kibana.alert.user.criticality_level` to `host.asset.criticality` `kibana.alert.host.criticality_level` to `host.asset.criticality` `kibana.alert.user.criticality_level` and `kibana.alert.host.criticality_level` will be still present in the schema/mappings, for backward compatibility as it was released to serverless/ Also, we added `host.risk.calculated_score_norm`, `host.risk.calculated_level`, `user.risk.calculated_score_norm`, `user.risk.calculated_level`. Those fields enriched alerts from[8.5.0](elastic#139478), but weren't added to the alert schema @SourinPaul [approved](elastic#174626 (comment)) usage of new fields --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
…#174626) ## Update alerts fields names for asset criticality, and add risk score field We want to update `kibana.alert.user.criticality_level` to `host.asset.criticality` `kibana.alert.host.criticality_level` to `host.asset.criticality` `kibana.alert.user.criticality_level` and `kibana.alert.host.criticality_level` will be still present in the schema/mappings, for backward compatibility as it was released to serverless/ Also, we added `host.risk.calculated_score_norm`, `host.risk.calculated_level`, `user.risk.calculated_score_norm`, `user.risk.calculated_level`. Those fields enriched alerts from[8.5.0](elastic#139478), but weren't added to the alert schema @SourinPaul [approved](elastic#174626 (comment)) usage of new fields --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
…#174626) ## Update alerts fields names for asset criticality, and add risk score field We want to update `kibana.alert.user.criticality_level` to `host.asset.criticality` `kibana.alert.host.criticality_level` to `host.asset.criticality` `kibana.alert.user.criticality_level` and `kibana.alert.host.criticality_level` will be still present in the schema/mappings, for backward compatibility as it was released to serverless/ Also, we added `host.risk.calculated_score_norm`, `host.risk.calculated_level`, `user.risk.calculated_score_norm`, `user.risk.calculated_level`. Those fields enriched alerts from[8.5.0](elastic#139478), but weren't added to the alert schema @SourinPaul [approved](elastic#174626 (comment)) usage of new fields --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
…#174626) ## Update alerts fields names for asset criticality, and add risk score field We want to update `kibana.alert.user.criticality_level` to `host.asset.criticality` `kibana.alert.host.criticality_level` to `host.asset.criticality` `kibana.alert.user.criticality_level` and `kibana.alert.host.criticality_level` will be still present in the schema/mappings, for backward compatibility as it was released to serverless/ Also, we added `host.risk.calculated_score_norm`, `host.risk.calculated_level`, `user.risk.calculated_score_norm`, `user.risk.calculated_level`. Those fields enriched alerts from[8.5.0](elastic#139478), but weren't added to the alert schema @SourinPaul [approved](elastic#174626 (comment)) usage of new fields --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Update alerts fields names for asset criticality, and add risk score field
We want to update
kibana.alert.user.criticality_leveltohost.asset.criticalitykibana.alert.host.criticality_leveltohost.asset.criticalitykibana.alert.user.criticality_levelandkibana.alert.host.criticality_levelwill be still present in the schema/mappings, for backward compatibility as it was released to serverless/Also, we added
host.risk.calculated_score_norm,host.risk.calculated_level,user.risk.calculated_score_norm,user.risk.calculated_level.Those fields enriched alerts from8.5.0, but weren't added to the alert schema
@SourinPaul approved usage of new fields