
[Security Solution][DQD] add nested field items for incompatible and same family fields #184657

Conversation

@kapral18 (Contributor) commented Jun 3, 2024

Addresses #184037

  • Add incompatibleFieldItems and sameFamilyFieldItems as nested fields with required attributes.

Steps to verify the change:

  1. Boot up the PR branch with local ES + Kibana
  2. Open Kibana Dev Tools
  3. Call GET .kibana-data-quality-dashboard-results-default/_mapping
  4. Verify the existence of the properly nested new fields incompatibleFieldItems and sameFamilyFieldItems

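Why the two item fields must be `nested` rather than plain `object`, plus a check for step 4 above, as an added example that is not part of this PR or of Kibana's code. Elasticsearch indexes an array of objects under an `object` mapping by flattening each attribute into a multi-valued field, so a query that combines two attributes (for example fieldName and reason) can be satisfied by different items of the same document; under a `nested` mapping each item is indexed as its own hidden document and all clauses must hold on one item. The script models both behaviours over a constructed result document and checks a constructed mapping for the two fields. The item attribute names (fieldName, expectedValue, actualValue, description, reason) are assumed from the item shape sketched later in the thread, and the mapping documents are assumptions about the shape of step 3's response, not the real output.

```typescript
// Added example; not Kibana code. Models Elasticsearch's `object` vs `nested`
// matching over an array of objects and checks a results-index mapping for the
// two item fields this PR adds.

type EsProperty = { type?: string; properties?: Record<string, EsProperty> };
type EsMapping = { properties: Record<string, EsProperty> };

// Attribute names are an assumption taken from the item shape discussed in the thread.
const REQUIRED_ITEM_ATTRIBUTES: Record<string, string[]> = {
  incompatibleFieldItems: ['fieldName', 'expectedValue', 'actualValue', 'description', 'reason'],
  sameFamilyFieldItems: ['fieldName', 'expectedValue', 'actualValue', 'description'],
};

/** Returns a list of problems; an empty list means the mapping is as expected. */
export function checkResultsMapping(mapping: EsMapping): string[] {
  const problems: string[] = [];
  for (const field of Object.keys(REQUIRED_ITEM_ATTRIBUTES)) {
    const attrs = REQUIRED_ITEM_ATTRIBUTES[field];
    const prop = mapping.properties[field];
    if (prop === undefined) {
      problems.push(`${field}: missing`);
      continue;
    }
    // A property with `properties` but no explicit type is a plain `object`.
    if (prop.type !== 'nested') {
      problems.push(`${field}: type is ${prop.type ?? 'object'}, expected nested`);
    }
    for (const attr of attrs) {
      if (prop.properties?.[attr] === undefined) problems.push(`${field}.${attr}: missing`);
    }
  }
  return problems;
}

type Item = Record<string, string>;
type Clause = { attr: string; value: string };

/** `object` semantics: each attribute is flattened into a multi-valued field,
 *  so every clause is checked against the union of all items' values. */
export function matchesFlattened(items: Item[], clauses: Clause[]): boolean {
  return clauses.every(({ attr, value }) => items.some((item) => item[attr] === value));
}

/** `nested` semantics: every clause must hold on the same item. */
export function matchesNested(items: Item[], clauses: Clause[]): boolean {
  return items.some((item) => clauses.every(({ attr, value }) => item[attr] === value));
}

// Constructed result document: one mapping problem and one value problem.
export const SAMPLE_ITEMS: Item[] = [
  { fieldName: 'agent.type', expectedValue: 'keyword', actualValue: 'text', reason: 'mapping' },
  { fieldName: 'event.category', expectedValue: 'malware,network,process', actualValue: 'behavior', reason: 'value' },
];

// "Does this document report a *mapping* problem on event.category?" No item says so.
export const QUERY: Clause[] = [
  { attr: 'fieldName', value: 'event.category' },
  { attr: 'reason', value: 'mapping' },
];

function itemProps(attrs: string[]): Record<string, EsProperty> {
  const props: Record<string, EsProperty> = {};
  for (const a of attrs) props[a] = { type: 'keyword' };
  return props;
}

// Constructed mapping in the shape step 3 is expected to return (an assumption).
export const GOOD_MAPPING: EsMapping = {
  properties: {
    incompatibleFieldItems: { type: 'nested', properties: itemProps(REQUIRED_ITEM_ATTRIBUTES.incompatibleFieldItems) },
    sameFamilyFieldItems: { type: 'nested', properties: itemProps(REQUIRED_ITEM_ATTRIBUTES.sameFamilyFieldItems) },
  },
};

// Same attributes, but incompatibleFieldItems left as a plain object: the check must flag it.
export const OBJECT_MAPPING: EsMapping = {
  properties: {
    incompatibleFieldItems: { properties: itemProps(REQUIRED_ITEM_ATTRIBUTES.incompatibleFieldItems) },
    sameFamilyFieldItems: { type: 'nested', properties: itemProps(REQUIRED_ITEM_ATTRIBUTES.sameFamilyFieldItems) },
  },
};

console.log('good mapping problems:', checkResultsMapping(GOOD_MAPPING));
console.log('object mapping problems:', checkResultsMapping(OBJECT_MAPPING));
console.log('object semantics match:', matchesFlattened(SAMPLE_ITEMS, QUERY)); // true: a false positive
console.log('nested semantics match:', matchesNested(SAMPLE_ITEMS, QUERY)); // false
```

The flip side of `nested` is that the stored items are only reachable through a `nested` query (or `nested` aggregation) on the item path; a plain term query on `incompatibleFieldItems.reason` against the results index returns nothing, so any consumer of the results index has to be written with that in mind.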

@kapral18 added labels release_note:skip (Skip the PR/issue when compiling release notes), Team:Threat Hunting (Security Solution Threat Hunting Team), Team:Threat Hunting:Explore, v8.15.0 on Jun 3, 2024
@kapral18 kapral18 self-assigned this Jun 3, 2024
@kapral18 kapral18 requested a review from a team as a code owner June 3, 2024 14:40
@elasticmachine (Contributor)

Pinging @elastic/security-threat-hunting-explore (Team:Threat Hunting:Explore)

@elasticmachine (Contributor)

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@angorayc (Contributor) commented Jun 3, 2024

/ci

@angorayc (Contributor) commented Jun 3, 2024

@elasticmachine merge upstream

@kibana-ci (Collaborator) commented Jun 3, 2024

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

✅ unchanged

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @kapral18

@angorayc (Contributor) left a comment

From this mapping I can see we have expectedValue and actualValue.

Please correct me if I am wrong; it seems that we are missing the information for expectedType and actualType.

In the incompatible field, it could be an incompatible mapping or incompatible values.

To create an index containing incompatible field types:

PUT auditbeat-custom-index-1

PUT auditbeat-custom-index-1/_mapping
{
  "properties": {
    "@timestamp": {
      "type": "date"
    },
    "event.category": {
      "type": "keyword",
      "ignore_above": 1024
    }
  }
}

POST auditbeat-custom-index-1/_doc
{
  "@timestamp": "2024-06-03T09:41:49.668Z",
  "host": {
    "name": "foo"
  },
  "event": {
    "category": "an_invalid_category"
  },
  "some.field": "this",
  "source": {
    "port": 90210,
    "ip": "10.1.2.3"
  }
}

POST auditbeat-custom-index-1/_doc
{
  "@timestamp": "2024-06-03T09:42:22.123Z",
  "host": {
    "name": "bar"
  },
  "event": {
    "category": "an_invalid_category"
  },
  "some.field": "space",
  "source": {
    "port": 867,
    "ip": "10.9.8.7"
  }
}

POST auditbeat-custom-index-1/_doc
{
  "@timestamp": "2024-06-03T09:43:35.456Z",
  "host": {
    "name": "baz"
  },
  "event": {
    "category": "theory"
  },
  "some.field": "for",
  "source": {
    "port": 5,
    "ip": "10.4.6.6"
  }
}

POST auditbeat-custom-index-1/_doc
{
  "@timestamp": "2024-06-03T09:44:36.700Z",
  "host": {
    "name": "@baz"
  },
  "event": {
    "category": "malware"
  },
  "some.field": "rent",
  "source": {
    "port": 309,
    "ip": "10.1.1.1"
  }
}


To create an index with an incompatible value:

PUT auditbeat-custom-index-2

PUT auditbeat-custom-index-2/_mapping
{
  "properties": {
    "@timestamp": {
      "type": "date"
    },
    "event.category": {
      "type": "keyword",
      "ignore_above": 1024
    }
  }
}

POST auditbeat-custom-index-2/_doc
{
  "@timestamp": "2024-06-03T09:41:49.668Z",
  "host": {
    "name": "foo"
  },
  "event": {
    "category": "an_invalid_category"
  },
  "some.field": "this",
  "source": {
    "port": 90210,
    "ip": "10.1.2.3"
  }
}

@angorayc (Contributor) commented Jun 3, 2024

Here is a PR that explains the basic functionality of the data quality dashboard: #150063
Test plan: https://docs.google.com/document/d/14oTLA85lkpHdjOTm0FG03Vzpsdi5iMRHQMhBOlc6eTI/edit

@semd (Contributor) commented Jun 4, 2024

@angorayc The plan was to use the reason field to know if the incompatibility comes from the value or the mapping, and use the expectedValue and actualValue accordingly.

incompatibleFields: [
  {
    fieldName: 'agent.type',
    expectedValue: 'keyword',
    actualValue: 'text',
    description: 'Type of the agent. The agent type always stays the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.',
    reason: 'mapping',
  },
  {
    fieldName: 'event.category',
    expectedValue: 'api,authentication,configuration,database,driver,email,file,host,iam,intrusion_detection,library,malware,network,package,process,registry,session,threat,vulnerability,web',
    actualValue: 'behavior',
    description: 'This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.',
    reason: 'value',
  },
]

This way we don't store undefined values, but I agree that we can also have expectedType and actualType and drop the reason field. I don't have a strong preference.
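How the `mapping` and `value` reasons, and the separate same-family bucket, come out of a comparison in practice, as an added example that is neither this PR's code nor Kibana's DQD implementation. The classifier below compares a constructed ECS subset against an index's field types and the distinct values observed for enumerated fields, and emits items in the shape sketched above. The ECS subset, the field-to-type mapping and the observed values are constructed inputs; the same-family set follows Elasticsearch's keyword family (keyword, constant_keyword, wildcard), and treating those as same-family rather than incompatible is an assumption about DQD's rules, not something the thread states.

```typescript
// Added example; not Kibana's DQD implementation. Classifies index fields
// against an ECS expectation into the two item lists this PR stores.

interface EcsFieldSpec {
  type: string; // expected Elasticsearch type
  description: string;
  allowedValues?: string[]; // only for enumerated fields such as event.category
}
type EcsSchema = Record<string, EcsFieldSpec>;

export interface IncompatibleFieldItem {
  fieldName: string;
  expectedValue: string;
  actualValue: string;
  description: string;
  reason: 'mapping' | 'value';
}
export type SameFamilyFieldItem = Omit<IncompatibleFieldItem, 'reason'>;

// Elasticsearch's keyword family. Treating these as "same family" instead of
// incompatible is an assumption about DQD's rules.
const SAME_FAMILY: Record<string, string[]> = {
  keyword: ['constant_keyword', 'wildcard'],
};

function isSameFamily(expected: string, actual: string): boolean {
  const family = SAME_FAMILY[expected];
  return family !== undefined && family.indexOf(actual) !== -1;
}

export function classifyFields(
  ecs: EcsSchema,
  mapping: Record<string, string>, // field path -> actual Elasticsearch type
  observed: Record<string, string[]> // field path -> distinct values seen in the index
): { incompatibleFieldItems: IncompatibleFieldItem[]; sameFamilyFieldItems: SameFamilyFieldItem[] } {
  const incompatibleFieldItems: IncompatibleFieldItem[] = [];
  const sameFamilyFieldItems: SameFamilyFieldItem[] = [];
  for (const fieldName of Object.keys(ecs)) {
    const spec = ecs[fieldName];
    const actualType = mapping[fieldName];
    if (actualType === undefined) continue; // absent from the index: missing, not incompatible
    const base = { fieldName, description: spec.description };
    if (actualType !== spec.type) {
      const item = { ...base, expectedValue: spec.type, actualValue: actualType };
      if (isSameFamily(spec.type, actualType)) sameFamilyFieldItems.push(item);
      else incompatibleFieldItems.push({ ...item, reason: 'mapping' });
      continue; // with the wrong type, the values are not meaningfully checkable
    }
    const allowed = spec.allowedValues;
    if (allowed === undefined) continue; // free-form field: nothing more to check
    for (const value of observed[fieldName] ?? []) {
      if (allowed.indexOf(value) === -1) {
        incompatibleFieldItems.push({ ...base, expectedValue: allowed.join(','), actualValue: value, reason: 'value' });
      }
    }
  }
  return { incompatibleFieldItems, sameFamilyFieldItems };
}

// Constructed ECS subset (the real descriptions and allowed-value lists are longer).
export const ECS_SUBSET: EcsSchema = {
  'agent.type': { type: 'keyword', description: 'Type of the agent.' },
  'event.category': {
    type: 'keyword',
    description: 'Second level of the ECS category hierarchy.',
    allowedValues: ['api', 'authentication', 'malware', 'network', 'process'],
  },
  'host.name': { type: 'keyword', description: 'Name of the host.' },
  'source.ip': { type: 'ip', description: 'IP address of the source.' },
};

// Constructed index state: agent.type mapped as text, host.name as wildcard,
// and two event.category values outside the allowed list.
export const SAMPLE_MAPPING: Record<string, string> = {
  'agent.type': 'text',
  'event.category': 'keyword',
  'host.name': 'wildcard',
  'source.ip': 'ip',
};
export const SAMPLE_VALUES: Record<string, string[]> = {
  'event.category': ['malware', 'behavior', 'an_invalid_category'],
};

console.log(JSON.stringify(classifyFields(ECS_SUBSET, SAMPLE_MAPPING, SAMPLE_VALUES), null, 2));
```

Because `expectedValue` holds a type name for `reason: 'mapping'` and a comma-joined allowed list for `reason: 'value'`, a consumer has to branch on `reason` before interpreting it; that is the trade-off against the separate expectedType/actualType attributes discussed above.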

@angorayc (Contributor) commented Jun 4, 2024


Thanks for the clarification @semd. I didn't properly understand how the data was stored, but I am happy with the existing mapping after understanding how it works.

@kapral18 kapral18 merged commit 07df3b1 into elastic:main Jun 4, 2024
17 checks passed
@kibanamachine kibanamachine added the backport:skip This commit does not require backporting label Jun 4, 2024
@kapral18 kapral18 deleted the feat/DQD/184037-add-nested-fields-to-results-field-map branch June 4, 2024 13:42