[Security Solution][Detection Engine] fixes IM rule failure when frozen tier node is not available #200621
Conversation
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-detection-engine (Team:Detection Engine)
💛 Build succeeded, but was flaky
cc @vitaliidm
Starting backport for target branches: 8.16, 8.18, 8.x
[Security Solution][Detection Engine] fixes IM rule failure when frozen tier node is not available (elastic#200621)

## Summary

- addresses elastic/security-team#11117

### How to test

1. Create a deployment with cold and frozen data tiers and use the following commands to create the index and ILM policy

<details>
<summary>Data tiers commands</summary>

```JSON
PUT /_cluster/settings
{
  "persistent": {
    "indices.lifecycle.poll_interval": "10s"
  }
}

PUT /_ilm/policy/filtering_data_tiers
{
  "policy": {
    "phases": {
      "frozen": {
        "min_age": "10s",
        "actions": {
          "searchable_snapshot": {
            "snapshot_repository": "found-snapshots",
            "force_merge_index": true
          }
        }
      },
      "hot": {
        "min_age": "0ms",
        "actions": {
          "set_priority": {
            "priority": 100
          }
        }
      }
    }
  }
}

PUT /_index_template/filtering_data_tiers_template
{
  "index_patterns": [
    "filtering_data_tiers*"
  ],
  "template": {
    "settings": {
      "index.lifecycle.name": "filtering_data_tiers",
      "index.lifecycle.rollover_alias": "test-filtering_data_tiers"
    },
    "mappings": {
      "_meta": {
        "version": "1.6.0"
      },
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "host": {
          "properties": {
            "name": {
              "type": "keyword",
              "ignore_above": 1024
            }
          }
        }
      }
    }
  }
}

PUT /filtering_data_tiers-000001
{
  "aliases": {
    "filtering_data_tiers": {
      "is_write_index": true
    }
  }
}

POST filtering_data_tiers/_doc
{
  "@timestamp": "2024-07-08T17:00:01.000Z",
  "host.name": "test-0"
}
```

</details>

2. Wait until the document moves to the frozen tier
3. Run another set of commands to persist a document in the hot tier

<details>
<summary>Data tiers commands</summary>

```JSON
PUT /_ilm/policy/filtering_data_tiers
{
  "policy": {
    "phases": {
      "frozen": {
        "min_age": "100h",
        "actions": {
          "searchable_snapshot": {
            "snapshot_repository": "found-snapshots",
            "force_merge_index": true
          }
        }
      },
      "hot": {
        "min_age": "0ms",
        "actions": {
          "set_priority": {
            "priority": 100
          }
        }
      }
    }
  }
}

PUT /filtering_data_tiers-000002
{
  "aliases": {
    "filtering_data_tiers": {
      "is_write_index": true
    }
  }
}

POST filtering_data_tiers/_doc
{
  "@timestamp": "2024-11-08T17:00:01.000Z",
  "host.name": "test-1"
}
```

</details>

4. Pause the frozen tier node (admin permissions needed for this) or increase its memory, forcing the node to become unavailable for a short period of time.
5. Run an IM rule with the [advanced setting](https://www.elastic.co/guide/en/security/current/advanced-settings.html#exclude-cold-frozen-data-rule-executions) filtering out the frozen data tier
6. The rule should not fail and should generate an alert from the document in the hot tier

---------

Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit ee397d6)
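The test procedure above is written as manual console commands, and the expected outcome (step 6) is stated only in words. The following is an added example, not code from the Kibana PR or from Elastic, that models steps 4 to 6 offline: it builds the tier-exclusion clause a rule query would carry and then decides, from a search response's `_shards` section, whether a partial shard failure caused by an unreachable frozen node may be tolerated or must fail the rule. Everything not on the page is an assumption and is marked as such in the code: that the exclusion is expressed as a `must_not` on Elasticsearch's `_tier` metadata field, that the set of excluded-tier indices is known to the caller, the `partial-` prefix of the frozen index name, and the two constructed search responses.

```python
"""Added example (not code from the Kibana PR or from Elastic): an offline
model of the scenario in the PR's "How to test" section.

Assumptions, none of which the page states: the tier exclusion is expressed
as a `must_not` clause on Elasticsearch's `_tier` metadata field, the caller
knows which indices sit on excluded tiers, and a rule execution is judged
from the `_shards` section of the search response. Index names and
responses below are constructed for the example.
"""

# Tiers the advanced setting named on the page is meant to exclude.
EXCLUDED_TIERS = ("data_cold", "data_frozen")


def tier_exclusion_filter(excluded_tiers=EXCLUDED_TIERS):
    """Query clause that keeps only indices outside the excluded tiers.
    Uses the `_tier` metadata field (assumption about how the setting is
    applied; the page only names the setting)."""
    return {"bool": {"must_not": [{"terms": {"_tier": list(excluded_tiers)}}]}}


def build_rule_query(rule_query, excluded_tiers=EXCLUDED_TIERS):
    """Wrap the rule's own query with the tier exclusion as a filter."""
    return {"query": {"bool": {"filter": [rule_query, tier_exclusion_filter(excluded_tiers)]}}}


def classify_shard_failures(response, excluded_tier_indices):
    """Split shard failures into ones the rule can tolerate and ones it cannot.

    A failure on an index that sits on an excluded tier (the frozen copy whose
    node is paused in step 4) contributes no hits by design, so it should not
    fail the rule. A failure anywhere else means the result set is incomplete
    and the rule must report an error rather than silently under-alert.
    """
    shards = response.get("_shards", {})
    tolerated, fatal = [], []
    for failure in shards.get("failures", []):
        index = failure.get("index")
        (tolerated if index in excluded_tier_indices else fatal).append(index)
    # A failed count with no per-shard detail cannot be attributed: treat as fatal.
    if shards.get("failed", 0) > len(tolerated) + len(fatal):
        fatal.append("<unattributed shard failure>")
    return {"ok": not fatal, "tolerated": tolerated, "fatal": fatal}


def hot_tier_hosts(response):
    """host.name values of the hits that came back (the alert source in step 6)."""
    return [hit["_source"]["host.name"] for hit in response.get("hits", {}).get("hits", [])]


# Constructed responses. In the PR's scenario the first document (test-0) lives
# on the frozen tier and the second (test-1) on the hot tier. The frozen index
# name is an assumption (ILM mounts frozen searchable snapshots under a
# "partial-" prefix by default).
FROZEN_INDEX = "partial-filtering_data_tiers-000001"
HOT_INDEX = "filtering_data_tiers-000002"

FROZEN_NODE_DOWN = {  # constructed: frozen node paused, hot shard answered
    "_shards": {"total": 2, "successful": 1, "failed": 1,
                "failures": [{"index": FROZEN_INDEX, "shard": 0,
                              "reason": {"type": "no_shard_available_action_exception"}}]},
    "hits": {"hits": [{"_index": HOT_INDEX,
                       "_source": {"@timestamp": "2024-11-08T17:00:01.000Z", "host.name": "test-1"}}]},
}

HOT_NODE_DOWN = {  # constructed: the non-excluded shard is the one missing
    "_shards": {"total": 2, "successful": 1, "failed": 1,
                "failures": [{"index": HOT_INDEX, "shard": 0,
                              "reason": {"type": "no_shard_available_action_exception"}}]},
    "hits": {"hits": []},
}


def run_scenario(response, excluded_tier_indices=(FROZEN_INDEX,)):
    """Outcome the rule should reach for a given search response."""
    verdict = classify_shard_failures(response, set(excluded_tier_indices))
    return {
        "rule_failed": not verdict["ok"],
        "alert_hosts": hot_tier_hosts(response) if verdict["ok"] else [],
        "tolerated": verdict["tolerated"],
        "fatal": verdict["fatal"],
    }


if __name__ == "__main__":
    for name, resp in (("frozen node down", FROZEN_NODE_DOWN), ("hot node down", HOT_NODE_DOWN)):
        print(name, "->", run_scenario(resp))
```

The distinction the example draws is the defender's concern behind the PR: tolerating a failure only on indices the rule was configured to ignore keeps the rule alerting on hot-tier data, while any failure on a non-excluded index is still surfaced as a rule error, so coverage gaps are never hidden.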
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI.
Manual backport: to create the backport manually run:
Questions? Please refer to the Backport tool documentation
[Security Solution][Detection Engine] fixes IM rule failure when frozen tier node is not available (#200621) (#200877)

# Backport

This will backport the following commits from `main` to `8.x`:

- [[Security Solution][Detection Engine] fixes IM rule failure when frozen tier node is not available (#200621)](#200621)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

(Backport metadata: source commit ee397d66b8325f25582eb610826991365a4b5f71, committed 2024-11-20T10:00:16Z, author Vitalii Dmyterko; suggested target branches 8.16, 8.x, 8.18.)

Co-authored-by: Vitalii Dmyterko <[email protected]>
Looks like this PR has backport PRs but they still haven't been merged. Please merge them ASAP to keep the branches relatively in sync.
[Security Solution][Detection Engine] fixes IM rule failure when frozen tier node is not available (#200621) (#200876)

# Backport

This will backport the following commits from `main` to `8.16`:

- [[Security Solution][Detection Engine] fixes IM rule failure when frozen tier node is not available (#200621)](#200621)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

(Backport metadata: source commit ee397d66b8325f25582eb610826991365a4b5f71, committed 2024-11-20T10:00:16Z, author Vitalii Dmyterko; suggested target branches 8.16, 8.x, 8.18.)

---------

Co-authored-by: Vitalii Dmyterko <[email protected]>
Co-authored-by: Paul Tavares <[email protected]>