[RAC] - Update field names#107857
Conversation
yctercero
added
Feature:RAC
x-pack/plugins/rule_registry/server/utils/create_lifecycle_rule_type.test.ts
Outdated
Show resolved
Hide resolved
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/apm-ui (Team:apm) |
yctercero
added
the
release_note:skip
ecezalp
left a comment
ecezalp
left a comment
There was a problem hiding this comment.
LGTM - thanks for consolidating the fields!
...lib/detection_engine/rule_execution_log/rule_registry_log_client/rule_registry_log_client.ts
Outdated
Show resolved
Hide resolved
x-pack/plugins/timelines/server/search_strategy/timeline/index.ts
Outdated
Show resolved
Hide resolved
michaelolo24
left a comment
michaelolo24
left a comment
There was a problem hiding this comment.
Thank you for doing this! Tested locally with @machadoum and looks great, just one minor comment 😄
gmmorris
left a comment
gmmorris
left a comment
There was a problem hiding this comment.
Reviewed the Alerting code- looks like the only change is the input and output of a couple of unit tests and looks like it was made to make maintenance easier so all I can say is thanks Yara :)
LGTM
|
Just a comment to uncomment these when it's all sorted: #108034 |
| const ECS_VERSION = 'ecs.version' as const; | ||
| const EVENT_ACTION = 'event.action' as const; | ||
| const EVENT_KIND = 'event.kind' as const; | ||
| const RULE_CATEGORY = 'rule.category' as const; |
There was a problem hiding this comment.
rule.* should only refer to source/event document fields, not our kibana rules.
| [Fields.ALERT_PRODUCER]: { type: 'keyword' }, | ||
| [Fields.ALERT_RULE_TYPE_ID]: { type: 'keyword', required: true }, | ||
| [Fields.ALERT_RULE_CONSUMER]: { type: 'keyword', required: true }, | ||
| [Fields.ALERT_RULE_PRODUCER]: { type: 'keyword' }, |
There was a problem hiding this comment.
Producer can be derived from the rule type id (apm.error_count) --> apm , so while convenient, we don't need to require it as long as we have the consumer and rule type id, we have enough for rbac.
yctercero
added
the
auto-backport
|
@elasticmachine merge upstream |
yctercero
force-pushed
the
update_ss_field_names
branch
from
cb03411 to
759decb
Compare
@michaelolo24 Note that after most recent CI failure, took the opportunity to make these changes here so once this goes in, should be golden 👍🏽 |
💚 Build SucceededMetrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: cc @yctercero |
### Summary ### Fields used moving forward `kibana.alert.rule.consumer` will refer to the context in which a rule instance is created. Rules created in: - stack --> `alerts` - security solution --> `siem` - apm --> `apm` `kibana.alert.rule.producer` will refer to the plugin that registered a rule type. Rules registered in: - stack --> `alerts` - security solution --> `siem` - apm --> `apm` So an `apm.error_rate` rule created in stack will have: - consumer: `alerts` and producer: `apm` An `apm.error_rate` rule created in apm will have: - consumer: `apm` and producer: `apm` `kibana.alert.rule.rule_type_id` will refer to a rule's rule type id. Examples: - `apm.error_rate` - `siem.signals` - `siem.threshold` Also renamed the following because `rule.*` fields are meant to be ecs fields pulled from the source/event document, not refer to our rule fields. `rule.name` --> `kibana.alert.rule.name` will refer to the rule's name. `rule.category` --> `kibana.alert.rule.category` will refer to the rule's category. `rule.id` --> `kibana.alert.rule.uuid` will refer to the rule's uuid.
💚 Backport successful
This backport PR will be merged automatically after passing CI. |
### Summary ### Fields used moving forward `kibana.alert.rule.consumer` will refer to the context in which a rule instance is created. Rules created in: - stack --> `alerts` - security solution --> `siem` - apm --> `apm` `kibana.alert.rule.producer` will refer to the plugin that registered a rule type. Rules registered in: - stack --> `alerts` - security solution --> `siem` - apm --> `apm` So an `apm.error_rate` rule created in stack will have: - consumer: `alerts` and producer: `apm` An `apm.error_rate` rule created in apm will have: - consumer: `apm` and producer: `apm` `kibana.alert.rule.rule_type_id` will refer to a rule's rule type id. Examples: - `apm.error_rate` - `siem.signals` - `siem.threshold` Also renamed the following because `rule.*` fields are meant to be ecs fields pulled from the source/event document, not refer to our rule fields. `rule.name` --> `kibana.alert.rule.name` will refer to the rule's name. `rule.category` --> `kibana.alert.rule.category` will refer to the rule's category. `rule.id` --> `kibana.alert.rule.uuid` will refer to the rule's uuid. Co-authored-by: Yara Tercero <yctercero@users.noreply.github.com>
10 participants
Summary
Trying to align on field naming. In the code there seems to be the following that are all referencing the context in which a rule instance was created (rules created in stack have consumer of
alerts):rule.consumerskibana.alert.consumerkibana.alert.consumerskibana.alert.rule.consumerskibana.alert.ownerIn the code there are also the following all referencing a rule's alert type (ex:
apm.error_rate):rule.idkibana.alert.rule.rule_type_idIt's my understanding that these are all meant to refer to the same thing - the single feature which created the rule instance. So if a rule was created in security solution, the consumer is
siem, if created in apm it'sapm. Observability and the rule registry were usingkibana.alert.ownerthough it'd been on the list to update tokibana.alert.consumerand security solution was usingkibana.alert.owners. The other ones were there as fields but not being used.I think there is some confusion as to what
consumeris meant to denote. It should denote the same thing it does for rules rbac. If there's other context we want to save on an alert, that should be considered a different field, theconsumerfield was meant to be specific to role based access logic shared with alerting framework.Fields used moving forward
kibana.alert.rule.consumerwill refer to the context in which a rule instance is created. Rules created in:alertssiemapmkibana.alert.rule.producerwill refer to the plugin that registered a rule type. Rules registered in:alertssiemapmSo an
apm.error_raterule created in stack will have:alertsand producer:apmAn
apm.error_raterule created in apm will have:apmand producer:apmkibana.alert.rule.rule_type_idwill refer to a rule's rule type id. Examples:apm.error_ratesiem.signalssiem.thresholdAlso renamed the following because
rule.*fields are meant to be ecs fields pulled from the source/event document, not refer to our rule fields.rule.name-->kibana.alert.rule.namewill refer to the rule's name.rule.category-->kibana.alert.rule.categorywill refer to the rule's category.rule.id-->kibana.alert.rule.uuidwill refer to the rule's uuid.To test
Add the following to your
kibana.dev.yml:Create a custom rule with query
*:*.Run
yarn test:generatewithinx-pack/plugins/security_solutionObserve the magic (alerts should show up in table).