[Request] [Draft] Document impact of using logsDB for security users #5864
Description
[Work in progress]
Description
In 8.17 the new index mode will be available for Elastic users. @yctercero trying to figure out if in 9.0 it will be on by default. This mode will be on by default for Serverless users (without the ability to change it?).
We need to provide information to the security users about it's impact:
Alerts
As part of the logsDB changes, certain field types will be stored in ES differently than their original format. During alert creation, we copy the original event over into the alert in order to keep reference to the original data. However, we now need to be more specific, perhaps, about what we mean by "original". We will copy over the fields as given to us by ES, which may now be in a different format than the original source for:
@approksiu can you confirm if we make any kind of assurances about maintaining original copies of source events? We'll need to update any language that makes those kind of assurances to note that this is not the case when logsDB is enabled.
- we don't seem to be mentioning anything about it, except warning users against using _source in the Alert ECS schema doc.
Affected rule types would be:
- Custom query
- EQL non sequence
- Non aggregate rule types. There are some rule types where we already do not maintain copies of the original source (Threshold, ML, EQL sequence).
Runtime fields
Runtime fields that reference source may be affected. The following are examples of accessing _source that work:
"source": """ emit(params._source.agent.name + "_____" + doc['agent.name'].value ); """
"source": """ emit(params._source['agent']['name'] + "_____" + doc['agent.name'].value ); """
"source": """ emit(field('agent.name').get(null) + "_____" + doc['agent.name'].value ); """
"source": """ emit($('agent.name', null) + "_____" + doc['agent.name'].value ); """
The following will not work with synthetic source (logsDB enabled):
"source": """ emit(params._source['agent.name'] + "_____" + doc['agent.name'].value ); """
More details on this found in this issue and doc'd here.
Actions
No anticipated issues, but there may be an edge case we haven't thought of. Per @vitaliidm 's doc:
Properties of alert are accessible in action template when synthetic source is enabled.
The Resulting alert is constructed from a synthetic source, which means any dot notation fields will be converted to a nested object. But the template works for both cases.
Moreover, when the original event is a nested object(when the synthetic source is disabled) it will also be stored in the resulting alert as a nested object. So, there should not be any impact on functionality.
There could however happen to be a mistmatch between how users expect field values to be formatted based on what we outlined in the "Alerts" section above. If users ship out their alerts using actions and then have logic outside our system that is based on fields being in the format of the original source, their flows may be broken. In particular, affected fields would be array of objects (see description of differences here).
Background & resources
- PRs:
- Issues/metas:
- Point of contact: @yctercero
- Test environments:
- Details: https://docs.google.com/document/d/1lNb2V_HEot90W913iJTyRv4l90WCiWdtslexUMn35IE/edit#heading=h.m5d9irssane6
Which documentation set does this change impact?
ESS
ESS release
8.17
Serverless release
- will be default behavior for GA
Feature differences
no differences
API docs impact
No impact to our APIs.
Prerequisites, privileges, feature flags
Should make reference to ES team docs for more info on logsdb - https://www.elastic.co/guide/en/elasticsearch/reference/master/mapping-source-field.html#synthetic-source