[Security Solution][Entity Analytics] Can't start risk engine on serverless #168406

Closed
dhurley14 opened this issue Oct 9, 2023 · 8 comments
Labels: bug, consider-next, Feature:Entity Analytics, fixed, impact:critical, Project:Serverless, Team:Detection Engine, Team: SecuritySolution

Comments

@dhurley14
Contributor

dhurley14 commented Oct 9, 2023

Describe the bug:
Found during the serverless testing party last week. 400 error returned - illegal_argument_exception: no matching index template found for data stream [risk-score.risk-score-default]

Need to update how risk score data stream is created - use DLM, not ILM in Serverless

https://github.com/elastic/kibana/pull/160572/files?file-filters%5B%5D=.json&file-filters%5B%5D=.jsonc&file-filters%5B%5D=.ts&file-filters%5B%5D=.tsx&owned-by%5B%5D=dhurley14&show-viewed-files=true#diff-74701f6237f2551aeb4642920e86b13c2bd8a4d046e74885b1c818606c7bd26b

Steps to reproduce:

  1. Create a serverless project on production
  2. Go to Project settings in Kibana
  3. Entity Risk Score
  4. Turn Entity Risk Scoring on

Current behavior:
400 error displayed on the UI

Expected behavior:
200 response - entity analytics should start

Screenshots (if relevant):

error_starting_risk_scoring
@dhurley14 dhurley14 added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Project:Serverless Work as part of the Serverless project for its initial release Feature:Entity Analytics Security Solution Entity Analytics features Team:Detection Engine Security Solution Detection Engine Area labels Oct 9, 2023
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@nkhristinin
Contributor

Thanks for reporting, just to link the same bug here

And also will be fixed here: #168155

@MikePaquette MikePaquette added the impact:critical This issue should be addressed immediately due to a critical level of impact on the product. label Oct 12, 2023
@yctercero
Contributor

Let's close out once it's confirmed on serverless prod.

@nkhristinin
Contributor

Tested on serverless QA, and the risk engine can be installed and also generates risk scores

@MadameSheema
Member

@yctercero @nkhristinin the fix should have reached production already, may you please quickly check? Thanks!! :)

@nkhristinin
Contributor

Unfortunately on production it doesn't work, it gives this error:

Here is a list of what is available for serverless:

illegal_argument_exception Root causes: illegal_argument_exception: Settings [index.auto_expand_replicas] are not available when running in serverless mode

It's strange why it's working on local dev and especially on the Serverless QA environment.

I will create a PR soon to fix those settings
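An added example (not Kibana's own code) of the kind of guard the two errors in this thread call for: the risk score index template is built once, and in serverless mode the settings that Elasticsearch rejects there (`index.auto_expand_replicas` and the ILM policy pointer) are stripped and a data stream lifecycle (DLM) block is used instead. The policy name, retention value and mapped field are assumptions for illustration.

```typescript
// Added example, not Kibana code: build the risk score index template so it
// is valid both stateful (ILM) and serverless (DLM, no replica settings).

type IndexSettings = Record<string, string | number | boolean>;

interface IndexTemplate {
  index_patterns: string[];
  data_stream: Record<string, never>;
  template: {
    settings: IndexSettings;
    mappings: { properties: Record<string, { type: string }> };
    lifecycle?: { data_retention: string }; // data stream lifecycle (DLM)
  };
}

// index.auto_expand_replicas is the setting the serverless error above names;
// index.lifecycle.name points at an ILM policy, which DLM replaces.
const SERVERLESS_FORBIDDEN_SETTINGS = ['index.auto_expand_replicas', 'index.lifecycle.name'];

function buildRiskScoreTemplate(isServerless: boolean): IndexTemplate {
  const template: IndexTemplate = {
    index_patterns: ['risk-score.risk-score-*'], // matches risk-score.risk-score-default
    data_stream: {},
    template: {
      settings: {
        'index.auto_expand_replicas': '0-1',
        'index.lifecycle.name': 'risk-score-ilm', // assumed ILM policy name
      },
      mappings: {
        properties: {
          '@timestamp': { type: 'date' },
          'host.risk.calculated_score': { type: 'float' }, // assumed field
        },
      },
    },
  };
  if (isServerless) {
    for (const key of SERVERLESS_FORBIDDEN_SETTINGS) {
      delete template.template.settings[key];
    }
    template.template.lifecycle = { data_retention: '30d' }; // assumed retention
  }
  return template;
}

// Pre-flight check: keys that would make PUT _index_template fail in serverless.
function findForbiddenSettings(settings: IndexSettings): string[] {
  return Object.keys(settings).filter((k) => SERVERLESS_FORBIDDEN_SETTINGS.includes(k));
}
```

Running `findForbiddenSettings` against a template before installing it catches the "not available when running in serverless mode" failure at startup rather than at the first PUT.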

oatkiller pushed a commit that referenced this issue Oct 17, 2023
## Summary
those settings [not working](#168406 (comment)) in serverless

---------

Co-authored-by: Kibana Machine <[email protected]>
dej611 pushed a commit to dej611/kibana that referenced this issue Oct 17, 2023
## Summary
those settings [not working](elastic#168406 (comment)) in serverless

---------

Co-authored-by: Kibana Machine <[email protected]>
@nkhristinin
Contributor

nkhristinin commented Oct 25, 2023

This bug is fixed, tested on cloud.elastic.co

| role | can enable | can see risk scores |
| --- | --- | --- |
| Platform engineer | YES | YES |
| Detections admin | YES | YES |
| Admin | YES | YES |
| Tier 1 analyst | NO | YES |
| Tier 2 analyst | NO | YES |
| Tier 3 analyst | NO | YES |
| Threat intelligence analyst | NO | YES |
| Rule author | NO | YES |
| SOC manager | NO | YES |
| Endpoint operations analyst | NO | YES |
| Endpoint policy manager | NO | YES |
| Viewer | NO | YES |
| Editor | NO | YES |

@MadameSheema
Member

MadameSheema commented Oct 25, 2023

Great!! Thanks @nkhristinin
