
[Security Solution] Remove the name field from the security-rule SO mappings #154473

Merged
@banderror banderror commented Apr 5, 2023

Related to: https://github.com/elastic/security-team/issues/6268 (internal)

Summary

For each of our Saved Object types, we must:

  1. Remove any SO field mappings with index: false (or enabled: false, although a first pass was done in Cleanup enabled: false saved objects mappings #149102) from our SO mappings declarations
  2. Audit and remove any unused SO fields to minimize our footprint

This PR addresses these two requirements for this security-rule saved object type (prebuilt rule asset).

Details

Specifically, the PR removes the name field from the mappings because:

  • We don't filter, sort, search, or aggregate by it.
  • We might need to do it in the future for our prebuilt rule upgrade/installation workflows, but for now we're going to implement filtering, sorting, and pagination on the client side, thus there's no need for this mapping server-side.

[Screenshot taken 2023-04-05 15:19:10, attached to the PR; image not reproduced here.]

Also, we may need to add more fields to this mapping in the future to implement further improvements for the prebuilt rule installation, upgrade, or deprecation workflows.

Checklist

@banderror banderror added the labels technical debt (Improvement of the software architecture and operational architecture), release_note:skip (Skip the PR/issue when compiling release notes), Team:Detections and Resp (Security Detection Response Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:Detection Rule Management (Security Detection Rule Management Team), Feature:Prebuilt Detection Rules (Security Solution Prebuilt Detection Rules) and v8.8.0 on Apr 5, 2023
@banderror banderror self-assigned this Apr 5, 2023
@banderror banderror force-pushed the remove-name-from-security-rule-so-mappings branch from 23fa2d0 to f795b8d on April 6, 2023 09:58
@banderror banderror force-pushed the remove-name-from-security-rule-so-mappings branch from f795b8d to 5f84262 on April 6, 2023 13:10
@kibana-ci

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • Security Solution Tests #3 / timeline flyout button the (+) button popover menu owns focus

Metrics

Saved Objects .kibana field count

Every field in each saved object type adds overhead to Elasticsearch. Kibana needs to keep the total field count below Elasticsearch's default limit of 1000 fields. Only specify field mappings for the fields you wish to search on or query. See https://www.elastic.co/guide/en/kibana/master/saved-objects-service.html#_mappings

id             before  after  diff
security-rule       4      3    -1
Unknown metric groups

ESLint disabled line counts

id                before  after  diff
securitySolution     433    436    +3

Total ESLint disabled count

id                before  after  diff
securitySolution     513    516    +3

History

  • 💔 Build #118246 failed f795b8d9acd9f6e46de706a6dbe537c607389928
  • 💔 Build #118082 failed 23fa2d0af41818fa15ad2a19ef83cdaf5b101388

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @banderror
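The two-step audit described in the PR summary (drop mappings declared with index: false or enabled: false, then drop fields nothing queries) and the "Saved Objects .kibana field count" metric the CI bot reports above both operate on the same structure: a saved-object type's mapping definition. The following is an added example, not code from this PR or from Kibana, that performs such an audit over a constructed mapping. The FieldMapping and TypeMapping interfaces are a minimal stand-in for Kibana's real mapping type, the counting rule in countFields is this example's own convention (the page does not show how the CI metric is computed), and every field other than `name` in the sample mapping is assumed for illustration only.

```typescript
// Minimal stand-in for the shape of a Kibana saved-object mapping definition
// (an assumption for this example; not the real type from @kbn/core).
interface FieldMapping {
  type?: string;
  index?: boolean;
  enabled?: boolean;
  properties?: { [field: string]: FieldMapping };
}

interface TypeMapping {
  dynamic?: boolean | 'strict';
  properties: { [field: string]: FieldMapping };
}

type Reason = 'index:false' | 'enabled:false' | 'unused';

interface Finding {
  path: string; // dotted path of the field, e.g. "params.name"
  reason: Reason;
}

// Steps 1 and 2 of the audit in one pass: flag fields declared with
// index:false or enabled:false, and flag leaf fields that nothing in the
// code base filters, sorts, searches or aggregates on. `queriedFields` is
// the set the maintainers would compile by hand or from a grep of the code.
function auditMapping(mapping: TypeMapping, queriedFields: Set<string>, prefix = ''): Finding[] {
  const findings: Finding[] = [];
  for (const name of Object.keys(mapping.properties)) {
    const def = mapping.properties[name];
    const path = prefix ? `${prefix}.${name}` : name;
    if (def.index === false) findings.push({ path, reason: 'index:false' });
    if (def.enabled === false) findings.push({ path, reason: 'enabled:false' });
    if (def.properties) {
      // Object field: recurse; only leaves are judged as used or unused.
      findings.push(...auditMapping({ properties: def.properties }, queriedFields, path));
    } else if (!queriedFields.has(path)) {
      findings.push({ path, reason: 'unused' });
    }
  }
  return findings;
}

// Number of mapped fields the type contributes to the .kibana index. Counting
// every declared property, objects included, is this example's convention.
function countFields(mapping: TypeMapping): number {
  let n = 0;
  for (const name of Object.keys(mapping.properties)) {
    n += 1;
    const def = mapping.properties[name];
    if (def.properties) n += countFields({ properties: def.properties });
  }
  return n;
}

// Return a copy of the mapping with one dotted field path removed; the input
// is not mutated, so "before" and "after" can be compared side by side.
function removeField(mapping: TypeMapping, path: string): TypeMapping {
  const [head, ...rest] = path.split('.');
  const properties = { ...mapping.properties };
  if (rest.length === 0) {
    delete properties[head];
  } else {
    const entry = properties[head];
    if (entry && entry.properties) {
      const child = removeField({ properties: entry.properties }, rest.join('.'));
      properties[head] = { ...entry, properties: child.properties };
    }
  }
  return { ...mapping, properties };
}

// Apply every finding; a field flagged for two reasons is removed once.
function applyFindings(mapping: TypeMapping, findings: Finding[]): TypeMapping {
  const seen = new Set<string>();
  let out = mapping;
  for (const f of findings) {
    if (seen.has(f.path)) continue;
    seen.add(f.path);
    out = removeField(out, f.path);
  }
  return out;
}

// Constructed sample mapping. Only the `name` field comes from the PR; the
// other fields and their settings are assumed purely for illustration.
const beforeMapping: TypeMapping = {
  dynamic: false,
  properties: {
    name: { type: 'keyword' },
    rule_id: { type: 'keyword' },
    version: { type: 'long' },
    description: { type: 'text', index: false },
  },
};

// Fields the (hypothetical) server-side code actually queries.
const queriedFields = new Set<string>(['rule_id', 'version']);

const findings = auditMapping(beforeMapping, queriedFields);
const afterMapping = applyFindings(beforeMapping, findings);
```

Run against the sample, the audit flags `name` as unused and `description` both as index:false and as unused; applying the findings takes the mapping from four declared fields to two, which is the same kind of reduction the CI metric table records for security-rule (4 to 3) once `name` is dropped.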

@banderror banderror requested a review from xcrzx April 6, 2023 16:18
@banderror banderror marked this pull request as ready for review April 6, 2023 16:18
@banderror banderror requested review from a team as code owners April 6, 2023 16:18
@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@afharo afharo left a comment

LGTM

@banderror banderror merged commit 798fb4d into elastic:main Apr 11, 2023
@kibanamachine kibanamachine added the backport:skip label (This commit does not require backporting) on Apr 11, 2023
@banderror banderror deleted the remove-name-from-security-rule-so-mappings branch April 11, 2023 08:26