Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Serverless] Document impact of using logsDB for security users #6221

Merged
merged 15 commits into from
Dec 2, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions docs/serverless/index.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -130,6 +130,7 @@ include::./dashboards/rule-monitoring-dashboard.asciidoc[leveloffset=+3]

include::./rules/detection-engine-overview.asciidoc[leveloffset=+2]
include::./rules/detections-permissions-section.asciidoc[leveloffset=+3]
include::./rules/detections-logsdb-impact.asciidoc[leveloffset=+3]

include::./rules/about-rules.asciidoc[leveloffset=+2]
include::./rules/rules-ui-create.asciidoc[leveloffset=+3]
Expand Down
6 changes: 6 additions & 0 deletions docs/serverless/rules/detection-engine-overview.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -141,3 +141,9 @@ Refer to <<enable-detections-ui,Enable and access detections>> for a list of all
If you get this message, you do not have the
<<detections-permissions,required privileges>> to view the **Detections** feature,
and you should contact your project administrator.

[discrete]
[[detections-logsdb-index-mode]]
== Using logsDB index mode

LogsDB is enabled by default for Elastic serverless. Refer to <<detections-logsdb-index-mode-impact>> to learn more.
63 changes: 63 additions & 0 deletions docs/serverless/rules/detections-logsdb-impact.asciidoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
[[detections-logsdb-index-mode-impact]]
= Using logsDB index mode with {sec-serverless}

LogsDB is enabled by default for {serverless-full}. This topic explains the impact of using logsDB index mode with {sec-serverless}.

With logsDB index mode, the original `_source` field is not stored in the index but can be reconstructed using {ref}/mapping-source-field.html#synthetic-source[synthetic `_source`].

When the `_source` is reconstructed, {ref}/mapping-source-field.html#synthetic-source-modifications[modifications] are possible. Therefore, there could be a mismatch between user's expectations and how fields are formatted.

nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
Continue reading to find out how this affects specific {sec-serverless} components.

[discrete]
[[logsdb-alerts]]
== Alerts

When alerts are generated, the `_source` event is copied into the alert to retain the original data. When the logsDB index mode is applied, the `_source` event stored in the alert is reconstructed using synthetic `_source`.

If you're switching to use logsDB index mode, the `_source` field stored in the alert might look different in certain situations:

* {ref}/mapping-source-field.html#synthetic-source-modifications-leaf-arrays[Arrays can be reconstructed differently or deduplicated]
* {ref}/mapping-source-field.html#synthetic-source-modifications-field-names[Field names]
* `geo_point` data fields (refer to {ref}/mapping-source-field.html#synthetic-source-modifications-ranges[Representation of ranges] and {ref}/mapping-source-field.html#synthetic-source-precision-loss-for-point-types[Reduced precision of `geo_point` values] for more information)

Alerts generated by the following rule types could be affected:

* Custom query
* Event correlation (non-sequence only)
* Non-aggregate rule types (for example, {esql} rules that use non-aggregating queries)

Alerts that are generated by threshold, {ml}, and event correlation sequence rules are not affected since they do not contain copies of the original source.

[discrete]
[[logsdb-rule-actions]]
== Rule actions

While we do not recommend using `_source` for actions, in cases where the action relies on the `_source`, the same limitations and changes apply.

If you send alert notifications by enabling {kibana-ref}/alerting-getting-started.html#alerting-concepts-actions[actions] to the external systems that have workflows or automations based on fields formatted from the original source, they may be affected. In particular, this can happen when the fields used are arrays of objects.

We recommend checking and adjusting the rule actions using `_source` before switching to logsDB index mode.

[discrete]
[[logsdb-runtime-fields]]
== Runtime fields

Runtime fields that reference `_source` may be affected. Some runtime fields might not work and need to be adjusted. For example, if an event was indexed with the value of `agent.name` in the dot-notation form, it will be returned in the nested form and might not work.

The following is an example of accessing `_source` that works with the logsDB index mode enabled:

[source,console]
----
"source": """ emit(params._source.agent.name + "_____" + doc['agent.name'].value ); """
"source": """ emit(params._source['agent']['name'] + "_____" + doc['agent.name'].value ); """
"source": """ emit(field('agent.name').get(null) + "_____" + doc['agent.name'].value ); """
"source": """ emit($('agent.name', null) + "_____" + doc['agent.name'].value ); """
----

The following will not work with synthetic source (logsDB index mode enabled):

[source,console]
----
"source": """ emit(params._source['agent.name'] + "_____" + doc['agent.name'].value ); """
----