[Security Solution][Detection Engine] adds preview logged requests for new terms, threshold, query, ML rule types#203320
Merged
vitaliidm merged 46 commits intoelastic:mainfrom Jan 28, 2025
Conversation
…r the rest of rules
vitaliidm
added
v9.0.0
Team:Detections and Resp
…aliidm/kibana into de_8_18/adds-logged-requests
…aliidm/kibana into de_8_18/adds-logged-requests
# Conflicts: # x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/utils/logged_requests/log_search_request.test.ts # x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/utils/logged_requests/log_search_request.ts
…aliidm/kibana into de_8_18/adds-logged-requests
…aliidm/kibana into de_8_18/adds-logged-requests
Contributor
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
Contributor
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
Contributor
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
Contributor
marshallmain
left a comment
marshallmain
left a comment
There was a problem hiding this comment.
The overall approach looks good, but we need to find a way to stringify search requests that don't use the body key.
|
|
||
| const url = `/${index}/_search${urlParams ? `?${urlParams}` : ''}`; | ||
|
|
||
| if (body) { |
Contributor
There was a problem hiding this comment.
The body key is going away in 9.0 (#204858) so we should try to avoid relying on it.
Contributor
Author
There was a problem hiding this comment.
I've seen that PR, my idea was to get this one merged first before FF.
Then help to resolve conflicts in #204858, since there are multiple places changed in both PRs
Contributor
There was a problem hiding this comment.
Won't we have to completely change the way we stringify the query after #204858 ? It seems like resolving the conflicts in that PR will essentially require re-implementing this PR, no?
Contributor
Author
There was a problem hiding this comment.
I think it's only this function that needs to be changed.
Utilities that do ES query call have been refactored to not use body parameter.
So, I would need handle this
| const url = `/${index}/_search${urlParams ? `?${urlParams}` : ''}`; | ||
|
|
||
| if (body) { | ||
| return `POST ${url}\n${JSON.stringify({ ...body }, null, 2)}`; |
Contributor
There was a problem hiding this comment.
Is there a significant difference in response size when we return stringified JSON with whitespace included vs returning a normal JSON object in the response? Including the whitespace seems like it would make the response larger but save CPU on the client since it wouldn't have to parse that large JSON query.
Contributor
Author
There was a problem hiding this comment.
@marshallmain No, there is no significant difference.
I did quick tests:
- for small queries like query, ML rule it's the same size
- for large queries (new_terms), current implementation's response is 10% larger
Another advantages of current implementation, we don't need to pass large JSON object in response with multiple nested fields which is difficult to type.
| isLoggedRequestsEnabled: boolean | undefined, | ||
| sortIds: estypes.SortResults | undefined, | ||
| page: number | ||
| ): LoggedRequestsEnabled | undefined => { |
Contributor
There was a problem hiding this comment.
I think we should change the name of the type LoggedRequestsEnabled since it sounds like a boolean but it's a config object
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]Module Count
Async chunks
Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
cc @vitaliidm |
jkelas
approved these changes
Jan 28, 2025
Contributor
jkelas
left a comment
jkelas
left a comment
There was a problem hiding this comment.
I reviewed the changes owned by rule management team and I approve.
I also confirm the functionality works correct, the author walked me through it.
marshallmain
approved these changes
Jan 28, 2025
Contributor
|
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/13015404906 |
kibanamachine
added a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 28, 2025
…r new terms, threshold, query, ML rule types (elastic#203320) ## Summary - partially addresses elastic#202545 (except of IM rule type) - extends logged requests preview for: - [x] New terms - [x] Query - [x] ML - [x] Threshold - For Threshold, Query, New terms rule type introduced Page view, where each loop of rule execution is presented as a separate page - Only first 2 search queries requests of each type are logged for performance reasons(rule can have very a large and multiple requests). That's why property **request** was made not mandatory in `rule_preview.schema.yaml` ### DEMO https://github.com/user-attachments/assets/abfbd3ff-d06c-4892-b805-0f05084042ed --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> (cherry picked from commit 0f996c3)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Jan 28, 2025
…sts for new terms, threshold, query, ML rule types (#203320) (#208581) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution][Detection Engine] adds preview logged requests for new terms, threshold, query, ML rule types (#203320)](#203320) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Vitalii Dmyterko","email":"92328789+vitaliidm@users.noreply.github.com"},"sourceCommit":{"committedDate":"2025-01-28T16:50:00Z","message":"[Security Solution][Detection Engine] adds preview logged requests for new terms, threshold, query, ML rule types (#203320)\n\n## Summary\r\n\r\n- partially addresses https://github.com/elastic/kibana/issues/202545\r\n(except of IM rule type)\r\n- extends logged requests preview for:\r\n - [x] New terms\r\n - [x] Query\r\n - [x] ML\r\n - [x] Threshold\r\n- For Threshold, Query, New terms rule type introduced Page view, where\r\neach loop of rule execution is presented as a separate page\r\n- Only first 2 search queries requests of each type are logged for\r\nperformance reasons(rule can have very a large and multiple requests).\r\nThat's why property **request** was made not mandatory in\r\n`rule_preview.schema.yaml`\r\n\r\n\r\n### DEMO\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/abfbd3ff-d06c-4892-b805-0f05084042ed\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"0f996c36151d2128f56246cb69d9315c8ea6d085","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["v9.0.0","Team:Detections and Resp","Team: SecuritySolution","release_note:feature","Team:Detection Engine","backport:version","v8.18.0"],"title":"[Security Solution][Detection Engine] adds preview logged requests for new terms, threshold, query, ML rule types","number":203320,"url":"https://github.com/elastic/kibana/pull/203320","mergeCommit":{"message":"[Security Solution][Detection Engine] adds preview logged requests for new terms, threshold, query, ML rule types (#203320)\n\n## Summary\r\n\r\n- partially addresses https://github.com/elastic/kibana/issues/202545\r\n(except of IM rule type)\r\n- extends logged requests preview for:\r\n - [x] New terms\r\n - [x] Query\r\n - [x] ML\r\n - [x] Threshold\r\n- For Threshold, Query, New terms rule type introduced Page view, where\r\neach loop of rule execution is presented as a separate page\r\n- Only first 2 search queries requests of each type are logged for\r\nperformance reasons(rule can have very a large and multiple requests).\r\nThat's why property **request** was made not mandatory in\r\n`rule_preview.schema.yaml`\r\n\r\n\r\n### DEMO\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/abfbd3ff-d06c-4892-b805-0f05084042ed\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"0f996c36151d2128f56246cb69d9315c8ea6d085"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/203320","number":203320,"mergeCommit":{"message":"[Security Solution][Detection Engine] adds preview logged requests for new terms, threshold, query, ML rule types (#203320)\n\n## Summary\r\n\r\n- partially addresses https://github.com/elastic/kibana/issues/202545\r\n(except of IM rule type)\r\n- extends logged requests preview for:\r\n - [x] New terms\r\n - [x] Query\r\n - [x] ML\r\n - [x] Threshold\r\n- For Threshold, Query, New terms rule type introduced Page view, where\r\neach loop of rule execution is presented as a separate page\r\n- Only first 2 search queries requests of each type are logged for\r\nperformance reasons(rule can have very a large and multiple requests).\r\nThat's why property **request** was made not mandatory in\r\n`rule_preview.schema.yaml`\r\n\r\n\r\n### DEMO\r\n\r\n\r\n\r\nhttps://github.com/user-attachments/assets/abfbd3ff-d06c-4892-b805-0f05084042ed\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>","sha":"0f996c36151d2128f56246cb69d9315c8ea6d085"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Vitalii Dmyterko <92328789+vitaliidm@users.noreply.github.com>
This was referenced Jan 28, 2025
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
rule_preview.schema.yamlDEMO
Screen.Recording.2025-01-22.at.18.33.10.mov