[8.19] [Response Ops][Rule Management] Update RulesClient methods to migrate legacy SIEM actions in bulk (#219432) #224114
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… legacy SIEM actions in bulk (elastic#219432) ## Summary Legacy actions context: elastic#112327 This PR modifies legacy SIEM action migration logic to migrate actions in bulk, significantly improving performance. Response time and # of requests to ES for SIEM rule management HTTP APIs are both significantly reduced. When tested on 800 rules, this saves about 1-1.5 seconds per bulk API call and eliminates hundreds of individual requests to Elasticsearch. Bulk disable for example goes from taking ~3.3 seconds to ~2.3 seconds, and the APM transaction for the API call no longer drops spans due to hitting the max span limit. ## Testing I added a helper function in the quickstart tooling, `createRuleWithLegacyAction`, to make it easier to get started with manual testing. The function creates a connector, a rule, and then a legacy action referencing the connector and the rule. The legacy action (a `siem.notification` type rule) and rule can be viewed in the alerting SO index via dev tools: ``` GET .kibana_alerting_cases/_search { "query": { "bool": { "filter": { "term": { "type": "alert" } } } } } ``` Viewing the rule details via the Security Solution UI should display only one rule with the action as part of the rule. After making any kind of change to the rule (enable, disable, update, etc), the dev tools command above should show only a single rule with the action inside the rule instead of as a separate `siem.notification` type rule. --------- Co-authored-by: Maxim Palenov <maxim.palenov@elastic.co> Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 5ce96f4)
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
💚 Build Succeeded
Metrics [docs] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This will backport the following commits from
mainto8.19:Questions ?
Please refer to the Backport tool documentation