[RAC,Security Solution]Update alerts mappings to ECS 1.12#118812
rylnd merged 10 commits into elastic:main from
Conversation
These files were moved in elastic#98935 but the script has become out of date.
This fieldmap was missing fields from ECS 1.11+. Notable omissions were the threat.indicator and threat.enrichments fieldsets.
Pinging @elastic/security-solution (Team: SecuritySolution)
These are incompatible with the current alerts framework.
This could probably be pared down further, as most of these fields are not critical for CTI features. Additionally, these additions now exceed the limit of 1000 fields and are causing an error in the ruleRegistry bootstrapping.

@jasonrhodes pinging you here as it appeared that these mappings were out of date (< ECS 1.11) and their absence was causing bugs in the Security Solution's CTI features. I initially added all the fields from the I can probably limit the additions here to not exceed that threshold, but that feels like a temporary solution at best. The non-additive changes, and ECS updates here in general, are outstanding questions and I'm not sure what the expected workflow is supposed to be here. Curious to hear your thoughts.
These are not relevant for alerts, which will only have enrichments.
I removed all of the irrelevant
It looks like the combination of the additional ECS fields with the Security Solution fields is pushing the combined index template over the limit of 1100, defined here https://github.com/elastic/kibana/blob/main/x-pack/plugins/rule_registry/server/rule_data_plugin_service/resource_installer.ts#L319. We can bump that limit up more to accommodate these fields.
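The two comments above about the field limit (the bootstrapping error after adding the ECS 1.11+ fields, and the combined template going over the limit set in resource_installer.ts) turn on a detail that is easy to miss: Elasticsearch's `index.mapping.total_fields.limit` counts object mappings, not just the leaf entries in a field map, so `threat`, `threat.enrichments` and `threat.enrichments.indicator` each add to the total. The following is an added example, written for this page and not code from elastic/kibana or the rule_registry plugin. It expands a flat dotted field map (the shape of the generated ECS field map) into an Elasticsearch `properties` mapping, counts the result the way the limit check does, and compares a merged ECS-plus-Security-Solution map against a configured limit. The function names and the sample field maps are constructed for illustration.

```typescript
// Added example, not code from elastic/kibana. Models how a flat ECS-style
// field map becomes an Elasticsearch mapping and how that mapping is counted
// against `index.mapping.total_fields.limit`. Field mappings, object mappings
// and multi-fields all count toward the limit; runtime fields do not and are
// not modelled here. All names and sample data below are constructed.

interface FieldSpec {
  type: string;
  array?: boolean;
  required?: boolean;
}
export type FieldMap = { [dottedName: string]: FieldSpec };

interface EsMapping {
  type?: string;
  properties?: { [name: string]: EsMapping };
  fields?: { [name: string]: EsMapping }; // multi-fields, e.g. a .keyword sub-field
}

// Expand 'a.b.c' keys into nested `properties`. A parent with no entry of its
// own becomes an implicit object mapping (what Elasticsearch creates for a
// dotted field); a parent that does have an entry, such as 'threat.enrichments'
// typed as nested, keeps its declared type and still gets its children.
export function mappingFromFieldMap(fieldMap: FieldMap): { properties: { [name: string]: EsMapping } } {
  const root: { [name: string]: EsMapping } = {};
  for (const dottedName of Object.keys(fieldMap)) {
    const parts = dottedName.split('.');
    let level = root;
    for (let i = 0; i < parts.length; i++) {
      const part = parts[i];
      if (!level[part]) {
        level[part] = {};
      }
      const node = level[part];
      if (i === parts.length - 1) {
        node.type = fieldMap[dottedName].type;
      } else {
        if (!node.properties) {
          node.properties = {};
        }
        level = node.properties;
      }
    }
  }
  return { properties: root };
}

// Count fields the way total_fields.limit does: every key under `properties`
// and under `fields` is one field, object mappings included.
export function countMappedFields(mapping: { properties?: { [name: string]: EsMapping } }): number {
  let count = 0;
  const walk = (children?: { [name: string]: EsMapping }): void => {
    if (!children) {
      return;
    }
    for (const name of Object.keys(children)) {
      count += 1;
      walk(children[name].properties);
      walk(children[name].fields);
    }
  };
  walk(mapping.properties);
  return count;
}

// Merge the field maps that make up a component-template stack (here ECS plus
// the Security Solution's own fields) and compare the combined mapping against
// the configured limit. `leaves` is what Object.keys(fieldMap).length reports;
// `total` is what Elasticsearch checks, and when total > limit index creation
// fails with "Limit of total fields [N] has been exceeded".
export function checkTotalFieldsLimit(
  limit: number,
  ...fieldMaps: FieldMap[]
): { leaves: number; total: number; limit: number; ok: boolean } {
  const merged: FieldMap = {};
  for (const fm of fieldMaps) {
    for (const name of Object.keys(fm)) {
      merged[name] = fm[name];
    }
  }
  const total = countMappedFields(mappingFromFieldMap(merged));
  return { leaves: Object.keys(merged).length, total, limit, ok: total <= limit };
}

// Constructed sample field maps, a tiny stand-in for the real ECS 1.12 map.
export const sampleEcsFieldMap: FieldMap = {
  '@timestamp': { type: 'date', required: true },
  'event.kind': { type: 'keyword' },
  'threat.enrichments': { type: 'nested', array: true },
  'threat.enrichments.indicator.ip': { type: 'ip' },
  'threat.enrichments.matched.atomic': { type: 'keyword' },
  'threat.enrichments.matched.field': { type: 'keyword' },
};
export const sampleSecurityFieldMap: FieldMap = {
  'kibana.alert.rule.uuid': { type: 'keyword' },
  'kibana.alert.severity': { type: 'keyword' },
};

// Usage: 8 field-map entries become 15 mapped fields once the implicit
// objects are counted, so a limit of 12 fails and a limit of 20 passes.
console.log(checkTotalFieldsLimit(12, sampleEcsFieldMap, sampleSecurityFieldMap));
console.log(checkTotalFieldsLimit(20, sampleEcsFieldMap, sampleSecurityFieldMap));
```

Because the objects are counted, trimming leaf entries from the field map (as the later commits in this PR do for `threat.indicator`) buys less headroom than the number of removed lines suggests, and raising the template's `total_fields.limit` is the only change that directly moves the threshold the bootstrap check fails against.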
@elasticmachine merge upstream

@elasticmachine merge upstream
💚 Build Succeeded
To update your PR or re-run it, just comment with: cc @rylnd
…8812)
* Update output directory for generative script
  These files were moved in elastic#98935 but the script has become out of date.
* Update ECS fieldmap with ECS 1.12
  This fieldmap was missing fields from ECS 1.11+. Notable omissions were the threat.indicator and threat.enrichments fieldsets.
* Remove non-additive mappings changes
  These are incompatible with the current alerts framework.
* Add only necessary threat fields for CTI features
  This could probably be pared down further, as most of these fields are not critical for CTI features. Additionally, these additions now exceed the limit of 1000 fields and are causing an error in the ruleRegistry bootstrapping.
* Remove file.pe threat fields
* Remove geo threat indicator fields
* Remove all threat.indicator mappings
  These are not relevant for alerts, which will only have enrichments.
* increments index mappings total fields limit to 1200

Co-authored-by: Ece Ozalp <ozale272@newschool.edu>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
…119874)
* Update output directory for generative script
  These files were moved in #98935 but the script has become out of date.
* Update ECS fieldmap with ECS 1.12
  This fieldmap was missing fields from ECS 1.11+. Notable omissions were the threat.indicator and threat.enrichments fieldsets.
* Remove non-additive mappings changes
  These are incompatible with the current alerts framework.
* Add only necessary threat fields for CTI features
  This could probably be pared down further, as most of these fields are not critical for CTI features. Additionally, these additions now exceed the limit of 1000 fields and are causing an error in the ruleRegistry bootstrapping.
* Remove file.pe threat fields
* Remove geo threat indicator fields
* Remove all threat.indicator mappings
  These are not relevant for alerts, which will only have enrichments.
* increments index mappings total fields limit to 1200

Co-authored-by: Ece Ozalp <ozale272@newschool.edu>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Summary
This updates the ECS mappings used by the ECS component template with the latest from the 1.12 branch. In Security Solution's switch to using alerts-as-data indices, the lack of mappings for threat fieldsets was causing UI bugs related to CTI features.