
[8.19] [Security Solution][Detection Engine] adds async ES|QL query (#216667) #218567

Merged
kibanamachine merged 1 commit into elastic:8.19 from kibanamachine:backport/8.19/pr-216667
Apr 17, 2025

Conversation

@kibanamachine
Contributor

Backport

This will backport the following commits from main to 8.19:

Questions?

Please refer to the Backport tool documentation

…#216667)

## Summary

- addresses elastic/security-team#11116 (list item 2)

Introducing an async query allows us to overcome the ES request timeout for
long-running rules and queries.

The timeout for ES requests is [defined in the alerting
framework](https://github.com/elastic/kibana/blob/8.18/x-pack/platform/plugins/shared/alerting/server/lib/get_es_request_timeout.ts#L21)
and is the smaller of the rule execution timeout and the default ES request
timeout (which is 5m and hardcoded
[here](https://github.com/elastic/kibana/blob/8.18/x-pack/platform/plugins/shared/alerting/server/lib/get_rule_task_timeout.ts)).

If an ES|QL rule performs a single long-running ES query, it can time out
after 5m due to this ES request timeout. This value can't be changed,
unlike the rule execution timeout, which can be overridden in the Kibana config:

```yaml
xpack.alerting.rules.run:
  timeout: '10m'
  ruleTypeOverrides:
    - id:  'siem.esqlRule'
      timeout: '15m'
```
So we can encounter situations where a rule fails execution after 5m due
to the ES request timeout, despite the fact that it is configured with a longer
timeout of 15m.

By using an async query, we can overcome this limitation and poll the async
query results until it completes or the rule times out.

More details in the internal
[issue](elastic/sdh-security-team#1224)

---------

Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
(cherry picked from commit 3d7aac1)
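As an added example (not part of this PR or Kibana's own code), the two behaviours the description above relies on, written in TypeScript: the effective ES request timeout as the smaller of the rule execution timeout and the 5m default, and a polling loop that keeps checking an async query until it completes or the rule's own deadline passes, deleting the query on timeout so no orphaned work is left running in ES. The `AsyncQueryClient` interface, the fake clock and the sample ES|QL query are assumptions constructed for this example.

```typescript
// Constructed example, not Kibana's code: models the timeout rule and the
// async-query polling loop described in the PR. The client shape is assumed.

const DEFAULT_ES_REQUEST_TIMEOUT_MS = 5 * 60 * 1000; // the hardcoded 5m default

// ES request timeout = smaller of the rule execution timeout and the 5m default.
function esRequestTimeoutMs(ruleTimeoutMs: number): number {
  return Math.min(ruleTimeoutMs, DEFAULT_ES_REQUEST_TIMEOUT_MS);
}

interface AsyncQueryResponse { id: string; isRunning: boolean; rows: unknown[] }

// Assumed minimal client: submit a query, fetch its status/results, delete it.
interface AsyncQueryClient {
  submit(query: string): Promise<AsyncQueryResponse>;
  get(id: string): Promise<AsyncQueryResponse>;
  remove(id: string): Promise<void>;
}

type PollOutcome =
  | { status: 'completed'; rows: unknown[]; polls: number }
  | { status: 'timed_out'; polls: number };

// Poll until the query finishes or the absolute rule deadline (ms) is reached.
// `now` and `sleep` are injectable so the loop can be driven by a fake clock.
async function pollAsyncQuery(
  client: AsyncQueryClient, query: string, deadlineMs: number, pollIntervalMs: number,
  now: () => number, sleep: (ms: number) => Promise<void>,
): Promise<PollOutcome> {
  let res = await client.submit(query);
  let polls = 0;
  while (res.isRunning) {
    if (now() >= deadlineMs) {
      await client.remove(res.id); // rule gave up: cancel the query instead of leaking it
      return { status: 'timed_out', polls };
    }
    await sleep(pollIntervalMs);
    res = await client.get(res.id);
    polls++;
  }
  return { status: 'completed', rows: res.rows, polls };
}

// Constructed fake: the query needs `pollsToFinish` status checks; time is a counter.
function fakeSetup(pollsToFinish: number) {
  let clock = 0; let checks = 0; let removed = false;
  const client: AsyncQueryClient = {
    async submit() { return { id: 'q1', isRunning: pollsToFinish > 0, rows: [] }; },
    async get(id) { checks++; const done = checks >= pollsToFinish;
      return { id, isRunning: !done, rows: done ? [{ host: 'host-a' }] : [] }; },
    async remove() { removed = true; },
  };
  return { client, now: () => clock, sleep: async (ms: number) => { clock += ms; }, wasRemoved: () => removed };
}
```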
@kibanamachine kibanamachine merged commit 68d21e5 into elastic:8.19 Apr 17, 2025
11 checks passed
@elasticmachine
Contributor

💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
|---|---|---|---|
| alerting | 846 | 847 | +1 |

Unknown metric groups

API count

| id | before | after | diff |
|---|---|---|---|
| alerting | 880 | 881 | +1 |

cc @vitaliidm


Labels

backport This PR is a backport of another PR
