Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Request] [Draft] Document impact of using logsDB for security users #5864

Closed
approksiu opened this issue Sep 27, 2024 · 8 comments
Closed
Assignees
Labels
Effort: Large Issues that require significant planning, research, writing, and testing Feature: Alerts Feature: Rules Priority: High Issues that are time-sensitive and/or are of high customer importance Team: Detection Engine v8.17.0

Comments

@approksiu
Copy link
Contributor

approksiu commented Sep 27, 2024

[Work in progress]

Description

In 8.17 the new index mode will be available for Elastic users. @yctercero trying to figure out if in 9.0 it will be on by default. This mode will be on by default for Serverless users (without the ability to change it?).

We need to provide information to the security users about it's impact:

Alerts

As part of the logsDB changes, certain field types will be stored in ES differently than their original format. During alert creation, we copy the original event over into the alert in order to keep reference to the original data. However, we now need to be more specific, perhaps, about what we mean by "original". We will copy over the fields as given to us by ES, which may now be in a different format than the original source for:

@approksiu can you confirm if we make any kind of assurances about maintaining original copies of source events? We'll need to update any language that makes those kind of assurances to note that this is not the case when logsDB is enabled.

  • we don't seem to be mentioning anything about it, except warning users against using _source in the Alert ECS schema doc.

Affected rule types would be:

  • Custom query
  • EQL non sequence
  • Non aggregate rule types. There are some rule types where we already do not maintain copies of the original source (Threshold, ML, EQL sequence).

Runtime fields

Runtime fields that reference source may be affected. The following are examples of accessing _source that work:

"source": """  emit(params._source.agent.name + "_____" + doc['agent.name'].value ); """ 
"source": """  emit(params._source['agent']['name'] + "_____" + doc['agent.name'].value );  """
"source": """  emit(field('agent.name').get(null) + "_____" + doc['agent.name'].value ); """
"source": """  emit($('agent.name', null) + "_____" + doc['agent.name'].value ); """

The following will not work with synthetic source (logsDB enabled):

"source": """  emit(params._source['agent.name'] + "_____" + doc['agent.name'].value );  """

More details on this found in this issue and doc'd here.

Actions

No anticipated issues, but there may be an edge case we haven't thought of. Per @vitaliidm 's doc:

Properties of alert are accessible in action template when synthetic source is enabled.
The Resulting alert is constructed from a synthetic source, which means any dot notation fields will be converted to a nested object. But the template works for both cases.
Moreover, when the original event is a nested object(when the synthetic source is disabled) it will also be stored in the resulting alert as a nested object. So, there should not be any impact on functionality.

There could however happen to be a mistmatch between how users expect field values to be formatted based on what we outlined in the "Alerts" section above. If users ship out their alerts using actions and then have logic outside our system that is based on fields being in the format of the original source, their flows may be broken. In particular, affected fields would be array of objects (see description of differences here).

Background & resources

Which documentation set does this change impact?

ESS

ESS release

8.17

Serverless release

  • will be default behavior for GA

Feature differences

no differences

API docs impact

No impact to our APIs.

Prerequisites, privileges, feature flags

Should make reference to ES team docs for more info on logsdb - https://www.elastic.co/guide/en/elasticsearch/reference/master/mapping-source-field.html#synthetic-source

@approksiu
Copy link
Contributor Author

@paulewing could you please add information about the impact on the security analyst workflows?

@approksiu
Copy link
Contributor Author

@caitlinbetz https://www.elastic.co/guide/en/security/8.15/add-exceptions.html#ex-nested-conditions this workflow might be affected by logsdb. Could you please check with your team what needs to be documented?

@yctercero
Copy link
Contributor

yctercero commented Nov 1, 2024

@marshallmain @YulNaumenko @vitaliidm would you mind reviewing the above to ensure accuracy? Let me know if I missed anything or any information is now out of date.

@nastasha-solomon nastasha-solomon added Feature: Alerts Feature: Rules Team: Detection Engine Priority: High Issues that are time-sensitive and/or are of high customer importance Effort: Large Issues that require significant planning, research, writing, and testing labels Nov 13, 2024
@nastasha-solomon nastasha-solomon self-assigned this Nov 13, 2024
@approksiu
Copy link
Contributor Author

approksiu commented Nov 21, 2024

Here's the draft document cc @yctercero @nastasha-solomon @vitaliidm @jmikell821

I think it makes sense to add this as a section at the end of this page: https://www.elastic.co/guide/en/security/current/detection-engine-overview.html.
The other option is to make a separate page just to document this impact, and reference it from the end of this page: https://www.elastic.co/guide/en/security/current/detection-engine-overview.html.

@gaurav-elastic
Copy link

Here's the draft document cc @yctercero @nastasha-solomon @vitaliidm @jmikell821

I think it makes sense to add this as a section at the end of this page: https://www.elastic.co/guide/en/security/current/detection-engine-overview.html. The other option is to make a separate page just to document this impact, and reference it from the end of this page: https://www.elastic.co/guide/en/security/current/detection-engine-overview.html.

Let's go with Option 2 : make a separate page just to document this impact, and reference it from the end of this page

@gaurav-elastic
Copy link

Github ticket for the equivalent serverless doc : #6181

@nastasha-solomon
Copy link
Contributor

Serverless docs published. Still need to port the docs to 8.17.

@nastasha-solomon
Copy link
Contributor

8.17 docs merged.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Effort: Large Issues that require significant planning, research, writing, and testing Feature: Alerts Feature: Rules Priority: High Issues that are time-sensitive and/or are of high customer importance Team: Detection Engine v8.17.0
Projects
None yet
Development

No branches or pull requests

4 participants