

[8.16] [Security Solution][Detection Engine] fixes ES|QL data tier fi…
…lter from adv settings (elastic#196390) (elastic#196698)

# Backport

This will backport the following commits from `main` to `8.16`:
- [[Security Solution][Detection Engine] fixes ES|QL data tier filter
from adv settings
(elastic#196390)](elastic#196390)

<!--- Backport version: 9.4.3 -->

### Questions?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Vitalii
Dmyterko","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-17T13:28:14Z","message":"[Security
Solution][Detection Engine] fixes ES|QL data tier filter from adv
settings (elastic#196390)\n\n## Summary\r\n\r\n- fixes absent data tier filter
for ES|QL rule\r\n- followup to
https://github.com/elastic/kibana/pull/186908\r\n\r\n###
Demo\r\n\r\n\r\nhttps://github.com/user-attachments/assets/a6f1290f-ea77-43bf-8def-42712ca5d1b0\r\n\r\n\r\n\r\n###
How to test\r\n\r\nCreate a deployment with cold and frozen data tiers
and use following\r\ncommands to create index and
ILM\r\n\r\n\r\n<details>\r\n<summary>Data tiers
commands</summary>\r\n\r\n```JSON\r\n\r\nPUT /_cluster/settings\r\n{\r\n
\"persistent\": {\r\n \"indices.lifecycle.poll_interval\": \"1m\"\r\n
}\r\n}\r\n\r\n\r\nPUT /_ilm/policy/filtering_data_tiers\r\n{\r\n
\"policy\": {\r\n \"phases\": {\r\n \"frozen\": {\r\n \"min_age\":
\"10m\",\r\n \"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n }\r\n }\r\n },\r\n \"cold\": {\r\n \"min_age\": \"1m\",\r\n
\"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n },\r\n \"set_priority\": {\r\n \"priority\": 0\r\n }\r\n }\r\n
},\r\n \"hot\": {\r\n \"min_age\": \"0ms\",\r\n \"actions\": {\r\n
\"set_priority\": {\r\n \"priority\": 100\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\n\r\nPUT
/_index_template/filtering_data_tiers_template\r\n{\r\n
\"index_patterns\": [\r\n \"filtering_data_tiers*\"\r\n ],\r\n
\"template\": {\r\n \"settings\": {\r\n \"index.lifecycle.name\":
\"filtering_data_tiers\",\r\n \"index.lifecycle.rollover_alias\":
\"test-filtering_data_tiers\"\r\n },\r\n \"mappings\": {\r\n \"_meta\":
{\r\n \"version\": \"1.6.0\"\r\n },\r\n \"properties\": {\r\n
\"@timestamp\": {\r\n \"type\": \"date\"\r\n },\r\n \"host\": {\r\n
\"properties\": {\r\n \"name\": {\r\n \"type\": \"keyword\",\r\n
\"ignore_above\": 1024\r\n }\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\nPUT /filtering_data_tiers-000001\r\n{\r\n \"aliases\":
{\r\n \"filtering_data_tiers\": {\r\n \"is_write_index\": true\r\n }\r\n
}\r\n}\r\n\r\n\r\nPOST filtering_data_tiers/_doc\r\n{\r\n
\"@timestamp\": \"2024-07-08T17:00:01.000Z\",\r\n \"host.name\":
\"test-0\"\r\n}\r\n\r\n\r\n```\r\n\r\n</details>","sha":"c79f0ae78633c81beebd3f95735326cc872be7f6","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Detections
and Resp","Team: SecuritySolution","backport:prev-minor","Team:Detection
Engine","v8.16.0"],"title":"[Security Solution][Detection Engine] fixes
ES|QL data tier filter from adv
settings","number":196390,"url":"https://github.com/elastic/kibana/pull/196390","mergeCommit":{"message":"[Security
Solution][Detection Engine] fixes ES|QL data tier filter from adv
settings (elastic#196390)\n\n## Summary\r\n\r\n- fixes absent data tier filter
for ES|QL rule\r\n- followup to
https://github.com/elastic/kibana/pull/186908\r\n\r\n###
Demo\r\n\r\n\r\nhttps://github.com/user-attachments/assets/a6f1290f-ea77-43bf-8def-42712ca5d1b0\r\n\r\n\r\n\r\n###
How to test\r\n\r\nCreate a deployment with cold and frozen data tiers
and use following\r\ncommands to create index and
ILM\r\n\r\n\r\n<details>\r\n<summary>Data tiers
commands</summary>\r\n\r\n```JSON\r\n\r\nPUT /_cluster/settings\r\n{\r\n
\"persistent\": {\r\n \"indices.lifecycle.poll_interval\": \"1m\"\r\n
}\r\n}\r\n\r\n\r\nPUT /_ilm/policy/filtering_data_tiers\r\n{\r\n
\"policy\": {\r\n \"phases\": {\r\n \"frozen\": {\r\n \"min_age\":
\"10m\",\r\n \"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n }\r\n }\r\n },\r\n \"cold\": {\r\n \"min_age\": \"1m\",\r\n
\"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n },\r\n \"set_priority\": {\r\n \"priority\": 0\r\n }\r\n }\r\n
},\r\n \"hot\": {\r\n \"min_age\": \"0ms\",\r\n \"actions\": {\r\n
\"set_priority\": {\r\n \"priority\": 100\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\n\r\nPUT
/_index_template/filtering_data_tiers_template\r\n{\r\n
\"index_patterns\": [\r\n \"filtering_data_tiers*\"\r\n ],\r\n
\"template\": {\r\n \"settings\": {\r\n \"index.lifecycle.name\":
\"filtering_data_tiers\",\r\n \"index.lifecycle.rollover_alias\":
\"test-filtering_data_tiers\"\r\n },\r\n \"mappings\": {\r\n \"_meta\":
{\r\n \"version\": \"1.6.0\"\r\n },\r\n \"properties\": {\r\n
\"@timestamp\": {\r\n \"type\": \"date\"\r\n },\r\n \"host\": {\r\n
\"properties\": {\r\n \"name\": {\r\n \"type\": \"keyword\",\r\n
\"ignore_above\": 1024\r\n }\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\nPUT /filtering_data_tiers-000001\r\n{\r\n \"aliases\":
{\r\n \"filtering_data_tiers\": {\r\n \"is_write_index\": true\r\n }\r\n
}\r\n}\r\n\r\n\r\nPOST filtering_data_tiers/_doc\r\n{\r\n
\"@timestamp\": \"2024-07-08T17:00:01.000Z\",\r\n \"host.name\":
\"test-0\"\r\n}\r\n\r\n\r\n```\r\n\r\n</details>","sha":"c79f0ae78633c81beebd3f95735326cc872be7f6"}},"sourceBranch":"main","suggestedTargetBranches":["8.16"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/196390","number":196390,"mergeCommit":{"message":"[Security
Solution][Detection Engine] fixes ES|QL data tier filter from adv
settings (elastic#196390)\n\n## Summary\r\n\r\n- fixes absent data tier filter
for ES|QL rule\r\n- followup to
https://github.com/elastic/kibana/pull/186908\r\n\r\n###
Demo\r\n\r\n\r\nhttps://github.com/user-attachments/assets/a6f1290f-ea77-43bf-8def-42712ca5d1b0\r\n\r\n\r\n\r\n###
How to test\r\n\r\nCreate a deployment with cold and frozen data tiers
and use following\r\ncommands to create index and
ILM\r\n\r\n\r\n<details>\r\n<summary>Data tiers
commands</summary>\r\n\r\n```JSON\r\n\r\nPUT /_cluster/settings\r\n{\r\n
\"persistent\": {\r\n \"indices.lifecycle.poll_interval\": \"1m\"\r\n
}\r\n}\r\n\r\n\r\nPUT /_ilm/policy/filtering_data_tiers\r\n{\r\n
\"policy\": {\r\n \"phases\": {\r\n \"frozen\": {\r\n \"min_age\":
\"10m\",\r\n \"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n }\r\n }\r\n },\r\n \"cold\": {\r\n \"min_age\": \"1m\",\r\n
\"actions\": {\r\n \"searchable_snapshot\": {\r\n
\"snapshot_repository\": \"found-snapshots\",\r\n \"force_merge_index\":
true\r\n },\r\n \"set_priority\": {\r\n \"priority\": 0\r\n }\r\n }\r\n
},\r\n \"hot\": {\r\n \"min_age\": \"0ms\",\r\n \"actions\": {\r\n
\"set_priority\": {\r\n \"priority\": 100\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\n\r\nPUT
/_index_template/filtering_data_tiers_template\r\n{\r\n
\"index_patterns\": [\r\n \"filtering_data_tiers*\"\r\n ],\r\n
\"template\": {\r\n \"settings\": {\r\n \"index.lifecycle.name\":
\"filtering_data_tiers\",\r\n \"index.lifecycle.rollover_alias\":
\"test-filtering_data_tiers\"\r\n },\r\n \"mappings\": {\r\n \"_meta\":
{\r\n \"version\": \"1.6.0\"\r\n },\r\n \"properties\": {\r\n
\"@timestamp\": {\r\n \"type\": \"date\"\r\n },\r\n \"host\": {\r\n
\"properties\": {\r\n \"name\": {\r\n \"type\": \"keyword\",\r\n
\"ignore_above\": 1024\r\n }\r\n }\r\n }\r\n }\r\n }\r\n
}\r\n}\r\n\r\nPUT /filtering_data_tiers-000001\r\n{\r\n \"aliases\":
{\r\n \"filtering_data_tiers\": {\r\n \"is_write_index\": true\r\n }\r\n
}\r\n}\r\n\r\n\r\nPOST filtering_data_tiers/_doc\r\n{\r\n
\"@timestamp\": \"2024-07-08T17:00:01.000Z\",\r\n \"host.name\":
\"test-0\"\r\n}\r\n\r\n\r\n```\r\n\r\n</details>","sha":"c79f0ae78633c81beebd3f95735326cc872be7f6"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->

Co-authored-by: Vitalii Dmyterko <[email protected]>
kibanamachine and vitaliidm authored Oct 17, 2024
1 parent 4105d35 commit ec90dae
Showing 4 changed files with 70 additions and 1 deletion.
Expand Up @@ -30,6 +30,7 @@ import { buildReasonMessageForEsqlAlert } from '../utils/reason_formatters';
import type { RulePreviewLoggedRequest } from '../../../../../common/api/detection_engine/rule_preview/rule_preview.gen';
import type { CreateRuleOptions, RunOpts, SignalSource } from '../types';
import { logEsqlRequest } from '../utils/logged_requests';
import { getDataTierFilter } from '../utils/get_data_tier_filter';
import * as i18n from '../translations';

import {
Expand Down Expand Up @@ -90,6 +91,10 @@ export const esqlExecutor = async ({
return withSecuritySpan('esqlExecutor', async () => {
const result = createSearchAfterReturnType();
let size = tuple.maxSignals;
const dataTiersFilters = await getDataTierFilter({
uiSettingsClient: services.uiSettingsClient,
});

try {
while (
result.createdSignalsCount <= tuple.maxSignals &&
Expand All @@ -100,7 +105,7 @@ export const esqlExecutor = async ({
from: tuple.from.toISOString(),
to: tuple.to.toISOString(),
size,
filters: [],
filters: dataTiersFilters,
primaryTimestamp,
secondaryTimestamp,
exceptionFilter,
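Review bot: The new `const dataTiersFilters = await getDataTierFilter({ ... })` is placed directly above the `try {` that wraps the search loop, so a rejected uiSettings read leaves `esqlExecutor` by exception instead of going through that catch; the catch and the rest of `esqlExecutor` are outside the hunk, so if it records failures on `result` (as `createSearchAfterReturnType()` suggests), the call should move inside the `try` so a settings-read failure is reported to the rule's execution status the same way a search failure is. A one-line comment at the assignment would also make the intent clear to the next reader: `// Resolved once per run; the excluded-tier filter is applied to every ES|QL page fetched below.`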
Expand Up @@ -14,6 +14,7 @@ import { getCreateEsqlRulesSchemaMock } from '@kbn/security-solution-plugin/comm
import { RuleExecutionStatusEnum } from '@kbn/security-solution-plugin/common/api/detection_engine/rule_monitoring';

import { getMaxSignalsWarning as getMaxAlertsWarning } from '@kbn/security-solution-plugin/server/lib/detection_engine/rule_types/utils/utils';
import { EXCLUDED_DATA_TIERS_FOR_RULE_EXECUTION } from '@kbn/security-solution-plugin/common/constants';
import {
getPreviewAlerts,
previewRule,
Expand All @@ -25,6 +26,7 @@ import {
scheduleRuleRun,
stopAllManualRuns,
waitForBackfillExecuted,
setAdvancedSettings,
} from '../../../../utils';
import {
deleteAllRules,
Expand Down Expand Up @@ -1428,6 +1430,12 @@ export default ({ getService }: FtrProviderContext) => {
await indexEnhancedDocuments({ documents: [doc1], interval, id });
});

afterEach(async () => {
await setAdvancedSettings(supertest, {
[EXCLUDED_DATA_TIERS_FOR_RULE_EXECUTION]: [],
});
});

it('should not return requests property when not enabled', async () => {
const { logs } = await previewRule({
supertest,
Expand Down Expand Up @@ -1463,6 +1471,35 @@ export default ({ getService }: FtrProviderContext) => {
'POST /ecs_compliant/_search?ignore_unavailable=true'
);
});
it('should not return requests with any data tier filter', async () => {
const { logs } = await previewRule({
supertest,
rule,
timeframeEnd: new Date('2020-10-28T06:30:00.000Z'),
enableLoggedRequests: true,
});

const requests = logs[0].requests;

expect(requests![0].request).not.toContain('data_frozen');
});
it('should return requests with included data tiers filters from advanced settings', async () => {
await setAdvancedSettings(supertest, {
[EXCLUDED_DATA_TIERS_FOR_RULE_EXECUTION]: ['data_frozen'],
});
const { logs } = await previewRule({
supertest,
rule,
timeframeEnd: new Date('2020-10-28T06:30:00.000Z'),
enableLoggedRequests: true,
});

const requests = logs[0].requests;

expect(requests![0].request).toMatch(
/"must_not":\s*\[\s*{\s*"terms":\s*{\s*"_tier":\s*\[\s*"data_frozen"\s*\]/
);
});
});
});
};
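Review bot: The negative test `'should not return requests with any data tier filter'` only asserts that the literal `'data_frozen'` is absent, so a run in which another tier is excluded, or `_tier` is filtered for any other reason, still passes; asserting on the field itself is stricter: `expect(requests![0].request).not.toContain('_tier');`. The positive test relies on `setAdvancedSettings` having taken effect before `previewRule` runs and on the `afterEach` reset above it to keep `EXCLUDED_DATA_TIERS_FOR_RULE_EXECUTION` from leaking into later tests; the `afterEach` and both `it` blocks sit inside a `describe` whose start is outside the hunk, so confirm they are registered at the same level. The non-null assertions on `requests![0]` are tolerable in a test, but an `expect(requests).toBeDefined();` before them gives a clearer failure message than a TypeError when the request log is empty.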
Expand Up @@ -24,3 +24,4 @@ export * from './get_stats';
export * from './get_detection_metrics_from_body';
export * from './get_stats_url';
export * from './combine_to_ndjson';
export * from './set_advanced_settings';
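--- /dev/null
+++ b/<DIR-NOT-SHOWN>/set_advanced_settings.ts
@@ -0,0 +1,26 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+ELASTIC_HTTP_VERSION_HEADER,
+X_ELASTIC_INTERNAL_ORIGIN_REQUEST,
+} from '@kbn/core-http-common';
+
+import type SuperTest from 'supertest';
+
+export const setAdvancedSettings = async (
+supertest: SuperTest.Agent,
+settings: Record<string, string[] | string | number | boolean>
+) => {
+return supertest
+.post('/internal/kibana/settings')
+.set('kbn-xsrf', 'true')
+.set(ELASTIC_HTTP_VERSION_HEADER, '1')
+.set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
+.send({ changes: settings })
+.expect(200);
+};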
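Review bot: `setAdvancedSettings` has no TSDoc and no explicit return type, although it is exported from the shared test utils index and writes Kibana advanced settings through the internal `/internal/kibana/settings` endpoint, where a change persists beyond the calling test. Add a header stating that it is a test-only helper, that `settings` is sent verbatim as the `changes` body and is not validated here, that it resolves only on a 200 (so a rejected setting fails the calling test rather than being ignored), and that callers are responsible for resetting every key they change (as the FTR test's `afterEach` does) so state does not leak across tests. An explicit `Promise<…>` return annotation on an exported helper also keeps the body checked against its contract and avoids leaking an inferred supertest type into the utils index.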

