Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ResponseOps] alert index mapping for events keyword fields do not include ignore_above #187768

Closed
vitaliidm opened this issue Jul 8, 2024 · 9 comments
Closed

[ResponseOps] alert index mapping for events keyword fields do not include ignore_above #187768

vitaliidm opened this issue Jul 8, 2024 · 9 comments
Assignees
@ymao1
Labels
Feature:Alert Mappings Feature:Alerting/Alerts-as-Data Issues related to Alerts-as-data and RuleRegistry Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@vitaliidm
Copy link
Contributor

vitaliidm commented Jul 8, 2024
edited
Loading

  1. kibana.alert.original_event.* keyword fields are mismatched with the original event’s mapping in many cases - the ignore_above attribute is not specified in kibana.alert.original_event.*.

For example, the event.module mapped as

"module": {
  "type": "keyword",
  "ignore_above": 1024
}

where as kibana.alert.original_event.module mapped as

"module": {
  "type": "keyword"
}

Same event object mappings

   "event": {
          "properties": {
            "action": {
              "type": "keyword"
            },
            "agent_id_status": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "category": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "code": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "created": {
              "type": "date"
            },
            "dataset": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "duration": {
              "type": "long"
            },
            "end": {
              "type": "date"
            },
            "hash": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "id": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "ingested": {
              "type": "date"
            },
            "kind": {
              "type": "keyword"
            },
            "module": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "original": {
              "type": "keyword"
            },
            "outcome": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "provider": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "reason": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "reference": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "risk_score": {
              "type": "float"
            },
            "risk_score_norm": {
              "type": "float"
            },
            "sequence": {
              "type": "long"
            },
            "severity": {
              "type": "long"
            },
            "start": {
              "type": "date"
            },
            "timezone": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "type": {
              "type": "keyword",
              "ignore_above": 1024
            },
            "url": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        },

Most of the properties have "ignore_above", but some of them like event.action not.

            "action": {
              "type": "keyword"
            },
            "agent_id_status": {
              "type": "keyword",
              "ignore_above": 1024
            },

This leads to issues like #187630, where user can potentially save long text in event.module and everything will work fine as long as ignore_above is specified. If keyword field does not have ignore_above attribute (like kibana.alert.original_event.module) ES will throw an error when user will try to store huge text into that field. The limit is 32766 bytes which is a Lucene’s term byte-length limit https://www.elastic.co/guide/en/elasticsearch/reference/current/ignore-above.html

We would like to have mappings of all event fields to include ignore_above, to prevent hitting the limit of 32766.
@vitaliidm vitaliidm added the bug Fixes for quality problems that affect the customer experience label Jul 8, 2024
@botelastic botelastic bot added the needs-team Issues missing a team label label Jul 8, 2024
@vitaliidm vitaliidm added the Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) label Jul 8, 2024
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Jul 8, 2024
@vitaliidm vitaliidm removed the bug Fixes for quality problems that affect the customer experience label Jul 8, 2024
@vitaliidm vitaliidm changed the title [ResponseOps] alert index mapping for events are not aligned [ResponseOps] alert index mapping for events keyword fields do not include ignore_above Jul 8, 2024
@ymao1
Copy link
Contributor

ymao1 commented Jul 8, 2024

@vitaliidm The field mappings for kibana.alert.original_event.* are defined here: x-pack/plugins/security_solution/common/field_maps/8.0.0/alerts.ts and owned by security solution. ignore_above can be added to the field definition in order to get it added to to mapping

@pmuellr pmuellr added Feature:Alerting Feature:Alerting/Alerts-as-Data Issues related to Alerts-as-data and RuleRegistry Feature:Alert Mappings labels Jul 8, 2024
@vitaliidm
Copy link
Contributor Author

vitaliidm commented Jul 9, 2024
edited
Loading

@ymao1 , thanks for pointing out on that file. By adding ignore_above, I was able to fix the first case.

But still, experience failures with the second one, where mapping in event.* do not have ignore_above and after the research look like, some of event.* fields are not ECS compliant.

  1. Field event.action - in ECS schema it should have ignore_above:1024. Reference
    But it does not have in alerts index.
    Same goes for event.kind - refer to ECS schema

And I think, the reason for it, these mappings are getting overridden somewhere in alerting framework. I was able to find this template, where the wrong mappings possibly originated

Screenshot 2024-07-09 at 12 28 14
  1. Field event.original in ECS schema is not indexable at all.
            "original": {
              "doc_values": false,
              "index": false,
              "type": "keyword"
            },

But code that reads ECS properties does not account for that field

https://github.com/elastic/kibana/blob/8.15/packages/kbn-alerts-as-data-utils/src/field_maps/ecs_field_map.ts#L77-L83

So, event.original in alerts index becomes

       "original": {
              "type": "keyword"
            },

and susceptible to error due to Lucene symbols limit

@vitaliidm vitaliidm mentioned this issue Jul 9, 2024
Merged
@ymao1
Copy link
Contributor

ymao1 commented Jul 9, 2024

Looks like those are here: packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts. It looks like you have a PR open to address the original_event fields. Feel free to update the event.kind and event.action fields as well in that PR. I will open an issue to see if we can perform a check to ensure any re-defined ECS fields use the same field map definition.

@vitaliidm
Copy link
Contributor Author

Regarding event.original, if we make index:false, it might potentially break customer's workflows, where any search query relies on event.original being indexed and searchable.
So, in order not break anything and fix current issue, do you think it make sense to add into file packages/kbn-alerts-as-data-utils/src/field_maps/alert_field_map.ts event.original too? Where we can put ignore_above similarly to the rest of fields

@ymao1
Copy link
Contributor

ymao1 commented Jul 9, 2024

event.original in the original ECS field mapping does not have an ignore_above value so you're saying you want to override that mapping to include an ignore_above? I agree that at this point, we probably don't want to put index: false on that field.

@vitaliidm
Copy link
Contributor Author

event.original in the original ECS field mapping does not have an ignore_above value so you're saying you want to override that mapping to include an ignore_above?

Yes, it does not have ignore_above, but not indexed instead (so it would work for large values over 32766)
While, we don't want to make it not indexed, putting ignore_above there, would align this field with the rest of event fields and would prevent Lucene symbols limit error while indexing.

@ymao1
Copy link
Contributor

ymao1 commented Jul 10, 2024

Sure, that sounds reasonable.

vitaliidm added a commit that referenced this issue Jul 22, 2024
@e40pud @vitaliidm
[Security Solution][Detections][BUG] Rule execution error when source…
0077b0e 
… document has a non-ECS compliant text field (#187630) (#187673)

## Summary

-  #187630
- #187768

These changes fix the error on saving the alert
> An error occurred during rule execution: message: "[1:6952] failed to
parse field [event.original] of type [keyword] in document with id
'330b17dc2ac382dbdd2f2577c28e83b42c5dc66eaf95e857ec0f222abfc486fa'..."

The issue happens when source index has non-ECS compliant text field
which is expected to be a keyword. If the text value is longer than
32766 bytes and keyword field does not have ignore_above parameter set,
then on trying to store the text value in keyword field we will hit the
Lucene's term byte-length limit (for more details see [this
page](https://www.elastic.co/guide/en/elasticsearch/reference/current/ignore-above.html)).

See the main ticket for steps to reproduce the issue.

---------

Co-authored-by: Vitalii Dmyterko <[email protected]>
@ymao1
Copy link
Contributor

ymao1 commented Jul 22, 2024

Closed with #187673

@ymao1 ymao1 closed this as completed Jul 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ymao1 ymao1

Labels
Feature:Alert Mappings Feature:Alerting/Alerts-as-Data Issues related to Alerts-as-data and RuleRegistry Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@pmuellr @ymao1 @elasticmachine @vitaliidm