[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log#207396
Merged
dhurley14 merged 22 commits intoelastic:mainfrom Jan 30, 2025
Conversation
dhurley14
changed the title
dhurley14
added
review
release_note:fix
v9.0.0
Team:Detection Engine
Contributor
|
Pinging @elastic/security-detection-engine (Team:Detection Engine) |
rylnd
reviewed
Jan 23, 2025
...ins/security_solution/server/lib/detection_engine/rule_types/eql/build_eql_search_request.ts
Outdated
Show resolved
Hide resolved
| }, | ||
| // the allow_partial$ query parameters supersede xpack settings on cluster | ||
| // @ts-expect-error unknown property allow_partial_search_results | ||
| // TODO: remove this ts-expect when 8.18 elasticsearch client is released. |
Contributor
There was a problem hiding this comment.
Is there a PR/Issue we can reference, here?
Contributor
Author
There was a problem hiding this comment.
Good question.. Maybe this? elastic/elasticsearch-specification#3342
Contributor
Author
There was a problem hiding this comment.
v8.16.0 package.json:
Line 118 in d4cc532
Contributor
Author
There was a problem hiding this comment.
@yctercero @rylnd I just opened this ticket to track the missing type support. Wondering when the 8.18 client will be added to the codebase 🤔
Contributor
There was a problem hiding this comment.
Asking operations: https://elastic.slack.com/archives/C5UDAFZQU/p1738167614946439
...lutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/eql/eql.ts
Outdated
Show resolved
Hide resolved
yctercero
added
ci:cloud-deploy
yctercero
reviewed
Jan 27, 2025
|
|
||
| const { events, sequences } = response.hits; | ||
|
|
||
| if (shardFailures) { |
Contributor
There was a problem hiding this comment.
Chatted on Zoom, but to summarize - shardFailures is returned for both sequence and non-sequence queries, so we can't rely on this alone to determine what error message to display.
Testing it out, it looks great for non-sequence queries, but the same error displays for sequence queries. Still super helpful to show the shard failures for both types of queries, but for sequence queries we'll want to tweak the language just a bit to make it clear that no search was done, even on available shards.
3 tasks
…y vs eql event query
…, add comment ref to issue to track es client upgrade
rylnd
approved these changes
Jan 29, 2025
Contributor
rylnd
left a comment
rylnd
left a comment
There was a problem hiding this comment.
I was able to reproduce both the non-sequence warning:
As well as the error for sequence queries:
NB that you need the data necessary to find a sequence hit in order to reproduce the error.
| } from '@kbn/alerting-plugin/server'; | ||
| import type * as estypes from '@elastic/elasticsearch/lib/api/typesWithBodyKey'; | ||
| import type { Filter } from '@kbn/es-query'; | ||
|
|
Contributor
There was a problem hiding this comment.
I appreciate the addition of meaningful whitespace 👍
...lutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/eql/eql.ts
Outdated
Show resolved
Hide resolved
|
@dhurley14 what is the error message for EQL sequence failure with unavailable shards? |
Contributor
Author
|
Edit: Missed the suggested text in the slack message. I will update now. Sorry! |
Contributor
Author
|
@approksiu Updated it to match suggested text in slack: |
Contributor
⏳ Build in-progress, with failures
Failed CI StepsHistory
|
Contributor
|
Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/13060174669 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Jan 30, 2025
…ent queries on rule details page and in event log (elastic#207396) ## Summary Related: elastic/elasticsearch#116388 Adds support for shard failures for EQL event queries in the detection engine. (cherry picked from commit 4419390)
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Jan 30, 2025
…eql event queries on rule details page and in event log (#207396) (#209019) # Backport This will backport the following commits from `main` to `8.x`: - [[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log (#207396)](#207396) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Devin W. Hurley","email":"devin.hurley@elastic.co"},"sourceCommit":{"committedDate":"2025-01-30T19:55:53Z","message":"[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log (#207396)\n\n## Summary\r\n\r\nRelated: https://github.com/elastic/elasticsearch/pull/116388/\r\n\r\nAdds support for shard failures for EQL event queries in the detection\r\nengine.","sha":"441939028248c3ddc8d17d2f5647baad5aff3f7b","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["review","release_note:fix","v9.0.0","ci:cloud-deploy","ci:cloud-redeploy","Team:Detection Engine","backport:version","v8.18.0"],"title":"[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log","number":207396,"url":"https://github.com/elastic/kibana/pull/207396","mergeCommit":{"message":"[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log (#207396)\n\n## Summary\r\n\r\nRelated: https://github.com/elastic/elasticsearch/pull/116388/\r\n\r\nAdds support for shard failures for EQL event queries in the detection\r\nengine.","sha":"441939028248c3ddc8d17d2f5647baad5aff3f7b"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/207396","number":207396,"mergeCommit":{"message":"[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log (#207396)\n\n## Summary\r\n\r\nRelated: https://github.com/elastic/elasticsearch/pull/116388/\r\n\r\nAdds support for shard failures for EQL event queries in the detection\r\nengine.","sha":"441939028248c3ddc8d17d2f5647baad5aff3f7b"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Devin W. Hurley <devin.hurley@elastic.co>
Contributor
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
marshallmain
pushed a commit
to marshallmain/kibana
that referenced
this pull request
Mar 7, 2025
…ent queries on rule details page and in event log (elastic#207396) ## Summary Related: elastic/elasticsearch#116388 Adds support for shard failures for EQL event queries in the detection engine. (cherry picked from commit 4419390)
marshallmain
added a commit
that referenced
this pull request
Mar 7, 2025
…eql event queries on rule details page and in event log (#207396) (#213616) # Backport This will backport the following commits from `main` to `9.0`: - [[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log (#207396)](#207396) <!--- Backport version: 9.6.6 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport) <!--BACKPORT [{"author":{"name":"Devin W. Hurley","email":"devin.hurley@elastic.co"},"sourceCommit":{"committedDate":"2025-01-30T19:55:53Z","message":"[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log (#207396)\n\n## Summary\r\n\r\nRelated: https://github.com/elastic/elasticsearch/pull/116388/\r\n\r\nAdds support for shard failures for EQL event queries in the detection\r\nengine.","sha":"441939028248c3ddc8d17d2f5647baad5aff3f7b","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["review","release_note:fix","v9.0.0","ci:cloud-deploy","ci:cloud-redeploy","Team:Detection Engine","backport:version","v8.18.0"],"title":"[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log","number":207396,"url":"https://github.com/elastic/kibana/pull/207396","mergeCommit":{"message":"[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log (#207396)\n\n## Summary\r\n\r\nRelated: https://github.com/elastic/elasticsearch/pull/116388/\r\n\r\nAdds support for shard failures for EQL event queries in the detection\r\nengine.","sha":"441939028248c3ddc8d17d2f5647baad5aff3f7b"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/207396","number":207396,"mergeCommit":{"message":"[Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log (#207396)\n\n## Summary\r\n\r\nRelated: https://github.com/elastic/elasticsearch/pull/116388/\r\n\r\nAdds support for shard failures for EQL event queries in the detection\r\nengine.","sha":"441939028248c3ddc8d17d2f5647baad5aff3f7b"}},{"branch":"8.x","label":"v8.18.0","branchLabelMappingKey":"^v8.18.0$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/209019","number":209019,"state":"MERGED","mergeCommit":{"sha":"be9fcb6b3b35bb677a50362ca131ad5f972581ae","message":"[8.x] [Security Solution] [Detection Engine] Logs shard failures for eql event queries on rule details page and in event log (#207396) (#209019)\n\n# Backport\n\nThis will backport the following commits from `main` to `8.x`:\n- [[Security Solution] [Detection Engine] Logs shard failures for eql\nevent queries on rule details page and in event log\n(#207396)](https://github.com/elastic/kibana/pull/207396)\n\n\n\n### Questions ?\nPlease refer to the [Backport tool\ndocumentation](https://github.com/sqren/backport)\n\n\n\nCo-authored-by: Devin W. Hurley <devin.hurley@elastic.co>"}}]}] BACKPORT--> Co-authored-by: Devin W. Hurley <devin.hurley@elastic.co>
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Related: elastic/elasticsearch#116388
Adds support for shard failures for EQL event queries in the detection engine.
How to test:
any where agent.type == "auditbeat" or broken == 1Checklist
Check the PR satisfies following conditions.
Reviewers should verify this PR satisfies this list as well.
release_note:*label is applied per the guidelines