diff --git a/docs/upgrade-notes.asciidoc b/docs/upgrade-notes.asciidoc index cf56a600ee8fd..ab26d5e71615c 100644 --- a/docs/upgrade-notes.asciidoc +++ b/docs/upgrade-notes.asciidoc @@ -1505,6 +1505,43 @@ Enable X-Pack Security. NOTE: For the complete Elastic Security solution release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_]. +[discrete] +[[breaking-201810]] +.Remove original user and host risk scoring and all associated UIs (9.0.0) +[%collapsible] +==== +*Details* + +-- +The original host and risk score modules have been superseded since v8.10.0 by the Risk Engine. + +In 9.0.0 these modules will no longer be supported, the scores will no longer display in the UI +and all UI controls associated with managing or upgrading the legacy modules will be removed. +-- + +*Impact* + +As well as the legacy risk scores not being shown in the UI, alerts will no longer have the legacy risk score added to them in the `.risk.calculated_level` +and `.risk.calculated_score_norm` fields. + +The legacy risk scores are stored in the `ml_host_risk_score_` and `ml_user_risk_score_` +indices, these indices will not be deleted if the user chooses not to upgrade. + +Legacy risk scores are generated by the following transforms: + +- `ml_hostriskscore_pivot_transform_` +- `ml_hostriskscore_latest_transform_` +- `ml_userriskscore_pivot_transform_` +- `ml_userriskscore_latest_transform_` + +If a user does not upgrade to use the Risk Engine, these transforms will continue to run in 9.0.0, but it will be up to the user to manage them. + +*Action* + + +Upgrade to use the Risk Engine in all spaces which use the legacy risk scoring modules: + +- In the main menu, go to *Security > Manage > Entity Risk Score*. +- If the original user and host risk score modules are enabled, you'll see a button to "Start update". Click the button, and follow the instructions. +==== + [discrete] [[breaking-161806]] .[Elastic Defend] Converted filterQuery to KQL.(8.11) diff --git a/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts b/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts index 98eb58b45bfde..37e4a1886e934 100644 --- a/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts +++ b/src/platform/packages/shared/kbn-doc-links/src/get_doc_links.ts @@ -504,6 +504,7 @@ export const getDocLinks = ({ kibanaBranch, buildFlavor }: GetDocLinkOptions): D riskScorePrerequisites: `${SECURITY_SOLUTION_DOCS}ers-requirements.html`, entityRiskScoring: `${SECURITY_SOLUTION_DOCS}entity-risk-scoring.html`, assetCriticality: `${SECURITY_SOLUTION_DOCS}asset-criticality.html`, + legacyRiskScoreModuleDeprecation: `${KIBANA_DOCS}breaking-changes-summary.html#breaking-201810`, }, detectionEngineOverview: `${SECURITY_SOLUTION_DOCS}detection-engine-overview.html`, aiAssistant: `${SECURITY_SOLUTION_DOCS}security-assistant.html`, diff --git a/src/platform/packages/shared/kbn-doc-links/src/types.ts b/src/platform/packages/shared/kbn-doc-links/src/types.ts index 7019e439f8087..02cb037036d93 100644 --- a/src/platform/packages/shared/kbn-doc-links/src/types.ts +++ b/src/platform/packages/shared/kbn-doc-links/src/types.ts @@ -372,6 +372,7 @@ export interface DocLinks { readonly riskScorePrerequisites: string; readonly entityRiskScoring: string; readonly assetCriticality: string; + readonly legacyRiskScoreModuleDeprecation: string; }; readonly detectionEngineOverview: string; readonly signalsMigrationApi: string; diff --git a/x-pack/plugins/security_solution/server/deprecations/register_risk_score_modules_deprecation.ts b/x-pack/plugins/security_solution/server/deprecations/register_risk_score_modules_deprecation.ts new file mode 100644 index 0000000000000..71b2a2ef5e2c6 --- /dev/null +++ b/x-pack/plugins/security_solution/server/deprecations/register_risk_score_modules_deprecation.ts @@ -0,0 +1,83 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; +import type { + DeprecationsServiceSetup, + DocLinksServiceSetup, + IScopedClusterClient, +} from '@kbn/core/server'; + +interface Dependencies { + deprecationsService: DeprecationsServiceSetup; + docLinks: DocLinksServiceSetup; +} + +/* + * Deprecations are not space aware, so we look for the presence of the legacy risk engine in at least one space. + * This is done by checking if at least one legacy transform is present. + * Legacy transforms are deleted as part of the upgrade process, so if they are present, the user has not yet upgraded. + */ +const isModuleInAtLeastOneSpace = async ({ + esClient, +}: { + esClient: IScopedClusterClient; +}): Promise => { + // space is the last part of the transform id + const transformPrefixes = [ + 'ml_hostriskscore_pivot_transform_*', + 'ml_hostriskscore_latest_transform_*', + 'ml_userriskscore_pivot_transform_*', + 'ml_userriskscore_latest_transform_*', + ]; + + const { transforms } = await esClient.asInternalUser.transform.getTransform({ + transform_id: transformPrefixes, + size: 1, + }); + + return transforms.length > 0; +}; + +export const registerRiskScoreModulesDeprecation = ({ + deprecationsService, + docLinks, +}: Dependencies) => { + deprecationsService.registerDeprecations({ + getDeprecations: async ({ esClient }) => { + if (!(await isModuleInAtLeastOneSpace({ esClient }))) { + return []; + } + + return [ + { + documentationUrl: + docLinks.links.securitySolution.entityAnalytics.legacyRiskScoreModuleDeprecation, + title: i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.title', { + defaultMessage: 'The original user and host risk score modules are deprecated.', + }), + message: i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.message', { + defaultMessage: `We have detected that you have the original user and host risk score modules installed in at least one space. These modules are deprecated, and your risk score data will not be displayed after you upgrade (your data will not be deleted). Please migrate to the latest risk engine in each space before upgrading.`, + }), + level: 'warning', + deprecationType: 'feature', + correctiveActions: { + manualSteps: [ + i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.manualStep1', { + defaultMessage: 'In the main menu, go to Security > Manage > Entity Risk Score.', + }), + i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.manualStep3', { + defaultMessage: + 'If the original user and host risk score modules are enabled, you\'ll see a button to "Start update". Click the button, and follow the instructions.', + }), + ], + }, + }, + ]; + }, + }); +}; diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index e14db5d383f68..7698f71145ebe 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -128,6 +128,7 @@ import { turnOffAgentPolicyFeatures } from './endpoint/migrations/turn_off_agent import { getCriblPackagePolicyPostCreateOrUpdateCallback } from './security_integrations'; import { scheduleEntityAnalyticsMigration } from './lib/entity_analytics/migrations'; import { SiemMigrationsService } from './lib/siem_migrations/siem_migrations_service'; +import { registerRiskScoreModulesDeprecation } from './deprecations/register_risk_score_modules_deprecation'; export type { SetupPlugins, StartPlugins, PluginSetup, PluginStart } from './plugin_contract'; @@ -442,6 +443,11 @@ export class Plugin implements ISecuritySolutionPlugin { this.completeExternalResponseActionsTask.setup({ taskManager: plugins.taskManager }); } + registerRiskScoreModulesDeprecation({ + deprecationsService: core.deprecations, + docLinks: core.docLinks, + }); + core .getStartServices() .then(async ([coreStart, depsStart]) => {