New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution][Detection Engine] adds alert suppression to ES|QL rule type #180927
base: main
Are you sure you want to change the base?
Conversation
# Conflicts: # x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/components/step_define_rule/use_experimental_feature_fields_transform.ts # x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_alert_suppression.test.tsx # x-pack/plugins/security_solution/public/detection_engine/rule_management/logic/use_alert_suppression.tsx # x-pack/test/security_solution_cypress/config.ts
…italiidm/kibana into de_8_15/esql_alert_suppression
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
# Conflicts: # x-pack/plugins/security_solution/public/detection_engine/rule_creation/logic/esql_validator.ts # x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/hooks/use_all_esql_rule_fields.test.ts # x-pack/plugins/security_solution/public/detection_engine/rule_creation_ui/hooks/use_all_esql_rule_fields.ts
/** | ||
* generates id for ES|QL alert | ||
*/ | ||
export const generateAlertId = ({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we add comment here and describe why we need to use hash, and not just provide unique id?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, this is expected as only one alert is created. The rest are supppressed. So, the value you see is the value from event, which is used to create alert.
So, these "random" values are just values from the only created alert.
You suppression configuration is to suppress per rule execution only. That means, at least one alert per group would be created during the rule execution. By default you would have 12(5m interval) rule execution in preview, so if your events appear in different executions, an alert for each one would be created. |
Duplicate fields removed in 131929e |
...lution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/esql_rule.cy.ts
Show resolved
Hide resolved
...lution_cypress/cypress/e2e/detection_response/detection_engine/rule_creation/esql_rule.cy.ts
Outdated
Show resolved
Hide resolved
...y_solution_cypress/cypress/e2e/detection_response/detection_engine/rule_edit/esql_rule.cy.ts
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sec-eng-prod changes LGTM!
|
||
return getIndexListFromIndexString(indexString); | ||
return getIndexListFromIndexString(indexString); | ||
} catch (e) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we log this error somewhere? Say a user thought their rule is correct, would they ever be alerted that something could be going wrong at this step? It'd likely error if there was some kind of syntax error, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even if there is a syntax error, AST helper should still return valid AST tree.
But there is a particular case when it crashes - typing [
after index.
The error is shown already in console.
Also reported it way back for Kibana team: #182012
...solution/public/detection_engine/rule_creation_ui/components/description_step/index.test.tsx
Show resolved
Hide resolved
⏳ Build in-progress, with failuresFailed CI Steps
History
To update your PR or re-run it, just comment with: cc @vitaliidm |
Summary
Demo
host.ip
host.ip
, hence same results_esql.suppression.mov
Limitations
Since suppressed alerts deduplication relies on alert timestamps, sorting of results other than
@timestamp asc
in ES|QL query may impact on number of suppressed alerts, when number of possible alerts more than max_signals.This affects only non-aggregating queries, since suppression boundaries for these alerts set as rule execution time
Checklist
Functional changes are hidden behind a feature flag
Feature flag
alertSuppressionForEsqlRuleEnabled
Functional changes are covered with a test plan and automated tests.
Stability of new and changed tests is verified using the Flaky Test Runner.
Comprehensive manual testing is done by two engineers: the PR author and one of the PR reviewers. Changes are tested in both ESS and Serverless.
Mapping changes are accompanied by a technical design document. It can be a GitHub issue or an RFC explaining the changes. The design document is shared with and approved by the appropriate teams and individual stakeholders.
Existing AlertSuppression schema field is used for ES|QL rule, the one that already used for Query, New terms and IM rules.
where
Functional changes are communicated to the Docs team. A ticket or PR is opened in https://github.com/elastic/security-docs. The following information is included: any feature flags used, affected environments (Serverless, ESS, or both).