-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Replace ECS static mapping with ECS dynamic mapping for AAD indices #168497
Comments
Pinging @elastic/response-ops (Team:ResponseOps) |
@ymao1 What are your thoughts about this? |
Definitely worth discussing! Since we'd be using the dynamic mapping in conjunction with alerts as data fields, what happens when we have a We should probably also get the opinion of @elastic/security-detections-response-alerts since the use the ECS fields most heavily. It would be good to do a POC to make sure transitioning from a static to a dynamic template on upgrade is possible and seamless. |
@ymao1 specific field mappings always takes priority over dynamic templates. First the field is checked to see if a mapping exists, if not the matching with dynamic template is applied. A few things that would need to be considered is that you have dynamic:false set because you don't want to map non-ecs fields, it might be hard to run dynamic templates while also disabling this for non-ecs fields. But im sure there are ways around it :) |
POC here: #200072 In order to use the dynamic ECS mappings, we have to set Setting
Because
When This occurs even if We should consider whether we need to stick to static ECS mappings maybe just for detection rules? |
Are security alerts the only docs that have non-ECS fields? No way to add them for o11y or stack rules? So "Add more fields to alert details" for ES Query is limited to only ECS fields? Oh, for ES Query it's a fixed list anyway :-) : kibana/x-pack/plugins/stack_alerts/common/constants.ts Lines 18 to 24 in 67f138e
I think we'd have to make that a constraint. Anytime a rule wants to add additional fields to an alert, they must use ECS field names, or they could run into the same problem as with the security rules. Wondering how we'd enforce that ... |
Yea, I think having to set |
All bets are are off if a customer messes with the index 😀 I'm more worried about US messing with the index 🤕 . Do we validate alert docs before writing them? I see some ECS schemas in But sounds like if security wants user-speciified non-ECS fields in their alerts, they won't want to be using |
I don't think we should allow non-ECS fields at the root unless they are stored within the Given It also allows us to avoid performing validation within Kibana, which would be a CPU intensive operation. |
To ensure only ECS fields are saved at the root level, can we filter data based on ecs_field_map and remove fields that don't exist in that mapping before saving it into the alert index? For observability rules, we add additional fields based on the group by fields, so if we enable this feature for observability, I don't see a CPU-intensive operation in that case. Also, to ensure the correct mapping, should we add a dynamic template equal to the ECS mappings? (Or does the dynamic field mapping match ECS mapping?) |
Detection rules can't do this, we need to copy even non-ECS fields into detection alerts. A new |
We were discussing this internally as well. I think adding this validation based on the schema would be the only way we would feel comfortable setting
Elasticsearch maintains a dynamic template called I can see from the O11y perspective the benefit of switching to the dynamic ECS template so if the additional schema validation overhead is acceptable to you, we can:
I think we would want to do this incrementally (switch rule types one at a time) and we would want input from the rule types to add functional tests to ensure no unwanted fields are being written. |
Discussed offline with @maryam-saeidi and it seems like if they are able to implement this issue: #183248 using @maryam-saeidi Would it be ok to table this issue for the time being in favor of investigating using the field caps API? |
@ymao1 Sounds good to me; thanks for checking |
📝 Summary
In Alert-As-Data (AAD), all the ECS fields are added statically to the mapping. In this ticket, I would like to discuss if it is a good idea to change it to dynamic mapping and how it can be done. (Slack discussion)
Motivation
@P1llus mentioned:
@simianhacker mentioned that when we add ECS fields statically, many fields are added to the mapping regardless of whether they are used or not, and as a result, in the KQL suggestion bar, the user will face many fields that many of them probably are not relevant.
Challenge
The challenge is ensuring dynamic mapping will not exceed the limit set for the number of fields in alerting. Here is the limit, which seems 1900 of them are ECS fields. This limitation was discussed in this RFC as well.
Possible solution
One solution to solve this issue is using
true_until_limit
that will be introduced in this PR.But @pmuellr shared this concern:
✅ Acceptance Criteria
The text was updated successfully, but these errors were encountered: