
[RAC][Security Solution][Detections] Implement a Rule Execution Log abstraction for use in Security Solution #106461

Closed
Tracked by #101013
banderror opened this issue Jul 21, 2021 · 3 comments
Labels: Feature:Detection Rules (Security Solution rules and Detection Engine), Team:Detections and Resp (Security Detection Response Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Theme: rac (label obsolete)

Comments

@banderror (Contributor)
Parent ticket: #101013

Summary

Implement a rule execution log abstraction that would provide a simple api for writing to the log and executing queries, hiding non-important details from the rest of security_solution.

  • Use this proposal as a foundation: [Security Solution][Detections] Proposal: building Rule Execution Log on top of Event Log and ECS #94143.
  • Define a schema for rule execution events and metrics.
  • Implement the following methods:
    • several methods for logging specific events and metrics
    • a method for fetching a list of last N events of 1 rule
    • a method for fetching a table of last N events and metrics of M rules, total N*M values; here we should use Elasticsearch aggregations
  • Make sure to include the current Kibana space id in the documents when logging events and metrics. Filter by space id when reading the log.
  • Make sure to use event.sequence to ensure deterministic ordering in the log.
  • Use a separate feature switch for Rule Execution Log to switch between the old (based on custom Saved Objects) and the new (so far, based on rule_registry) implementations. Consider using a constant in the code instead of a feature switch in Kibana config to keep it safer and simpler.
  • Consider hiding both the old and the new implementations (and so switching between them as well) under a single abstraction, e.g. integrating RuleStatusService (implementation based on SOs) into the Rule Execution Log client.
@banderror added the labels Feature:Detection Rules, Team:Detections and Resp and Team: SecuritySolution on Jul 21, 2021
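To make the proposal above concrete, here is an added example of what such an abstraction could look like. It is not code from Kibana, the Security Solution plugin or the linked PR; it is an in-memory model of the client the issue describes. Assumed details that the issue does not fix: the field names `rule.id` and `kibana.space_ids`, a per-store monotonic counter behind the ECS field `event.sequence`, and a store shared between clients so that two Kibana spaces write to the same log. The example covers the three parts of the proposal: writing events and metrics stamped with the space id, reading the last N events of one rule filtered by space and ordered by `event.sequence`, and the N*M table for M rules, for which it also builds the Elasticsearch request body (a `terms` aggregation on the rule id with a `top_hits` sub-aggregation) that the in-memory result mirrors.

```typescript
// Added example, not Kibana's own code: an in-memory model of the Rule
// Execution Log client proposed in this issue. Field names `rule.id` and
// `kibana.space_ids` and the per-store sequence counter are assumptions.

type RuleExecutionStatus = "running" | "succeeded" | "failed";

interface RuleExecutionEvent {
  "@timestamp": string;
  "event.sequence": number; // ECS field named in the issue: deterministic order even with equal timestamps
  "event.action": "status-change" | "execution-metrics";
  "kibana.space_ids": string[]; // assumed field: the space the rule executed in
  "rule.id": string; // assumed field
  status?: RuleExecutionStatus;
  message?: string;
  metrics?: Record<string, number>;
}

// Fields the caller supplies; the client fills in timestamp, sequence, space and rule id.
type EventBody = Omit<RuleExecutionEvent, "@timestamp" | "event.sequence" | "kibana.space_ids" | "rule.id">;

interface EventStore {
  events: RuleExecutionEvent[];
  nextSequence: number; // assumption: one monotonic counter per store
}

function createStore(): EventStore {
  return { events: [], nextSequence: 1 };
}

class RuleExecutionLogClient {
  private readonly spaceId: string;
  private readonly store: EventStore;
  private readonly now: () => string;

  constructor(spaceId: string, store: EventStore = createStore(), now: () => string = () => new Date().toISOString()) {
    this.spaceId = spaceId;
    this.store = store;
    this.now = now;
  }

  private write(ruleId: string, body: EventBody): RuleExecutionEvent {
    const event: RuleExecutionEvent = {
      "@timestamp": this.now(),
      "event.sequence": this.store.nextSequence++,
      "kibana.space_ids": [this.spaceId], // every document carries the current space id
      "rule.id": ruleId,
      ...body,
    };
    this.store.events.push(event);
    return event;
  }

  logStatusChange(ruleId: string, status: RuleExecutionStatus, message?: string): RuleExecutionEvent {
    return this.write(ruleId, { "event.action": "status-change", status, message });
  }

  logMetrics(ruleId: string, metrics: Record<string, number>): RuleExecutionEvent {
    return this.write(ruleId, { "event.action": "execution-metrics", metrics });
  }

  // Last N events of one rule, newest first. Reads are filtered by the client's
  // space so one space never sees another space's execution history.
  getLastEvents(ruleId: string, n: number): RuleExecutionEvent[] {
    return this.store.events
      .filter((e) => e["rule.id"] === ruleId && e["kibana.space_ids"].includes(this.spaceId))
      .sort((a, b) => b["event.sequence"] - a["event.sequence"])
      .slice(0, n);
  }

  // Request body for the N*M table against Elasticsearch: one bucket per rule,
  // the last N hits per bucket, same space filter and ordering as the in-memory read.
  buildTableQuery(ruleIds: string[], n: number) {
    return {
      size: 0,
      query: {
        bool: {
          filter: [{ terms: { "rule.id": ruleIds } }, { term: { "kibana.space_ids": this.spaceId } }],
        },
      },
      aggs: {
        rules: {
          terms: { field: "rule.id", size: ruleIds.length },
          aggs: {
            last_events: {
              top_hits: { size: n, sort: [{ "@timestamp": "desc" }, { "event.sequence": "desc" }] },
            },
          },
        },
      },
    };
  }

  // In-memory equivalent of the aggregation above: at most N*M events.
  getLastEventsTable(ruleIds: string[], n: number): Record<string, RuleExecutionEvent[]> {
    const table: Record<string, RuleExecutionEvent[]> = {};
    for (const ruleId of ruleIds) table[ruleId] = this.getLastEvents(ruleId, n);
    return table;
  }
}
```

Two design points worth noting: a fixed clock makes every event share one `@timestamp`, which is exactly the situation in which sorting by `event.sequence` is what keeps the order deterministic; and because the space filter is applied inside the client on both the write and the read path, callers in `security_solution` cannot forget it.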
@elasticmachine (Contributor)

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)

@banderror banderror changed the title [Security Solution][Detections] Implement a Rule Execution Log abstraction for use in Security Solution [RAC][Security Solution][Detections] Implement a Rule Execution Log abstraction for use in Security Solution Jul 21, 2021
@banderror banderror added the Theme: rac label obsolete label Jul 21, 2021
@xcrzx (Contributor) commented Aug 3, 2021

Implemented in #103463
