-
Notifications
You must be signed in to change notification settings - Fork 190
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Request] [Draft] Document impact of using logsDB for security users #5864
Comments
@paulewing could you please add information about the impact on the security analyst workflows? |
@caitlinbetz https://www.elastic.co/guide/en/security/8.15/add-exceptions.html#ex-nested-conditions this workflow might be affected by logsdb. Could you please check with your team what needs to be documented? |
@marshallmain @YulNaumenko @vitaliidm would you mind reviewing the above to ensure accuracy? Let me know if I missed anything or any information is now out of date. |
Here's the draft document cc @yctercero @nastasha-solomon @vitaliidm @jmikell821 I think it makes sense to add this as a section at the end of this page: https://www.elastic.co/guide/en/security/current/detection-engine-overview.html. |
Let's go with Option 2 : make a separate page just to document this impact, and reference it from the end of this page |
Github ticket for the equivalent serverless doc : #6181 |
Serverless docs published. Still need to port the docs to 8.17. |
8.17 docs merged. |
[Work in progress]
Description
In 8.17 the new index mode will be available for Elastic users. @yctercero trying to figure out if in 9.0 it will be on by default. This mode will be on by default for Serverless users (without the ability to change it?).
We need to provide information to the security users about it's impact:
Alerts
As part of the logsDB changes, certain field types will be stored in ES differently than their original format. During alert creation, we copy the original event over into the alert in order to keep reference to the original data. However, we now need to be more specific, perhaps, about what we mean by "original". We will copy over the fields as given to us by ES, which may now be in a different format than the original source for:
@approksiu can you confirm if we make any kind of assurances about maintaining original copies of source events? We'll need to update any language that makes those kind of assurances to note that this is not the case when logsDB is enabled.
Affected rule types would be:
Runtime fields
Runtime fields that reference source may be affected. The following are examples of accessing
_source
that work:The following will not work with synthetic source (logsDB enabled):
More details on this found in this issue and doc'd here.
Actions
No anticipated issues, but there may be an edge case we haven't thought of. Per @vitaliidm 's doc:
There could however happen to be a mistmatch between how users expect field values to be formatted based on what we outlined in the "Alerts" section above. If users ship out their alerts using actions and then have logic outside our system that is based on fields being in the format of the original source, their flows may be broken. In particular, affected fields would be array of objects (see description of differences here).
Background & resources
Which documentation set does this change impact?
ESS
ESS release
8.17
Serverless release
Feature differences
no differences
API docs impact
No impact to our APIs.
Prerequisites, privileges, feature flags
Should make reference to ES team docs for more info on logsdb - https://www.elastic.co/guide/en/elasticsearch/reference/master/mapping-source-field.html#synthetic-source
The text was updated successfully, but these errors were encountered: