
[8.18] [Security Solution][Detection Engine] adds async ES|QL query (#216667) #218585

Merged
vitaliidm merged 3 commits into elastic:8.18 from vitaliidm:backport/8.18/pr-216667
Apr 17, 2025

[8.18] [Security Solution][Detection Engine] adds async ES|QL query (#216667)#218585
vitaliidm merged 3 commits intoelastic:8.18from
vitaliidm:backport/8.18/pr-216667

Conversation

@vitaliidm (Contributor)

Backport

This will backport the following commits from main to 8.18:

Questions?

Please refer to the Backport tool documentation

…#216667)

## Summary

- addresses elastic/security-team#11116 (list
item 2)

Introducing an async query would allow us to overcome the ES request timeout for
long-running rules and queries.

The timeout for an ES request is [defined in the alerting
framework](https://github.com/elastic/kibana/blob/8.18/x-pack/platform/plugins/shared/alerting/server/lib/get_es_request_timeout.ts#L21)
and is the smaller of the rule execution timeout and the default ES request
timeout (which is 5m and hardcoded
[here](https://github.com/elastic/kibana/blob/8.18/x-pack/platform/plugins/shared/alerting/server/lib/get_rule_task_timeout.ts)).

If an ES|QL rule performs a single long-running ES query, it can time out
after 5m due to this ES request timeout. This value can't be changed,
unlike the rule execution timeout, which can be overwritten in the Kibana config:

```yaml
xpack.alerting.rules.run:
  timeout: '10m'
  ruleTypeOverrides:
    - id:  'siem.esqlRule'
      timeout: '15m'
```
So we can encounter situations where a rule fails execution after 5m due
to the ES request timeout, despite the fact that it is configured with a longer
timeout of 15m.

By using an async query, we can overcome this limitation and can poll the async
query results until it completes or the rule times out.

More details in internal
[issue](elastic/sdh-security-team#1224)

---------

Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
(cherry picked from commit 3d7aac1)

# Conflicts:
#	x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_preview/api/preview_rules/route.ts
#	x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/esql/esql.ts
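The polling loop the description sketches, as an added example that is not the PR's code nor Kibana's: submit the ES|QL query asynchronously, keep each individual ES request inside the per-request budget (the smaller of the rule execution timeout and the 5m default), and keep polling until the query completes or the rule's own execution deadline passes, at which point the server-side query is deleted rather than left running. The `EsqlAsyncClient` interface is an assumption modelled on the Elasticsearch JS client's `esql.asyncQuery` / `esql.asyncQueryGet` / `esql.asyncQueryDelete` methods with the fields trimmed to what the example needs; `FakeEsqlClient` is a constructed stand-in so the example runs offline.

```typescript
// Added example (not Kibana's or the PR author's code). The client shape below
// is an assumption loosely modelled on the Elasticsearch JS client's esql.*
// async methods; real request/response shapes carry more fields.

interface EsqlAsyncResponse {
  id?: string;           // returned while the query is still running server-side
  is_running: boolean;
  columns?: { name: string; type: string }[];
  values?: unknown[][];
}

interface EsqlAsyncClient {
  asyncQuery(p: { query: string; wait_for_completion_timeout: string }): Promise<EsqlAsyncResponse>;
  asyncQueryGet(p: { id: string; wait_for_completion_timeout: string }): Promise<EsqlAsyncResponse>;
  asyncQueryDelete(p: { id: string }): Promise<void>;
}

// Hardcoded default ES request timeout described in the PR (5m).
const DEFAULT_ES_REQUEST_TIMEOUT_MS = 5 * 60 * 1000;

// Per-request budget: the smaller of the rule execution timeout and the
// default ES request timeout, as the alerting framework computes it.
function esRequestTimeoutMs(ruleExecutionTimeoutMs: number): number {
  return Math.min(ruleExecutionTimeoutMs, DEFAULT_ES_REQUEST_TIMEOUT_MS);
}

class RuleTimeoutError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'RuleTimeoutError'; // name check instead of instanceof (ES5-safe)
  }
}

const sleep = (ms: number): Promise<void> => new Promise<void>((resolve) => setTimeout(resolve, ms));

// Each ES request blocks server-side for at most ~90% of the per-request budget
// (so the HTTP request itself never trips the client timeout) and never past the
// rule deadline; the overall wait is bounded only by the rule execution timeout.
async function runEsqlQueryAsync(
  client: EsqlAsyncClient,
  query: string,
  opts: { ruleExecutionTimeoutMs: number; pollIntervalMs?: number; now?: () => number },
): Promise<EsqlAsyncResponse> {
  const now = opts.now ?? Date.now;
  const pollIntervalMs = opts.pollIntervalMs ?? 1000;
  const deadline = now() + opts.ruleExecutionTimeoutMs;
  const perRequestMs = esRequestTimeoutMs(opts.ruleExecutionTimeoutMs);

  const waitFor = (): string => {
    const remaining = Math.max(deadline - now(), 0);
    const ms = Math.min(perRequestMs * 0.9, remaining);
    return `${Math.max(1, Math.floor(ms))}ms`;
  };

  let response = await client.asyncQuery({ query, wait_for_completion_timeout: waitFor() });

  while (response.is_running) {
    const id = response.id;
    if (!id) throw new Error('ES reported a running async query without an id');
    if (now() >= deadline) {
      // Rule gives up: cancel the query so it stops consuming cluster resources.
      await client.asyncQueryDelete({ id });
      throw new RuleTimeoutError(`ES|QL async query ${id} did not finish within the rule execution timeout`);
    }
    await sleep(pollIntervalMs);
    response = await client.asyncQueryGet({ id, wait_for_completion_timeout: waitFor() });
  }
  return response;
}

// Constructed stand-in for ES so the example runs offline: reports the query as
// running until `pollsUntilDone` status polls have happened, then returns rows.
class FakeEsqlClient implements EsqlAsyncClient {
  polls = 0;
  deleted: string[] = [];
  private readonly pollsUntilDone: number;
  constructor(pollsUntilDone: number) { this.pollsUntilDone = pollsUntilDone; }

  private respond(): EsqlAsyncResponse {
    if (this.polls < this.pollsUntilDone) return { id: 'async-query-1', is_running: true };
    return {
      is_running: false,
      columns: [{ name: 'user.name', type: 'keyword' }, { name: 'failed_logins', type: 'long' }],
      values: [['alice', 12], ['bob', 7]], // constructed sample result
    };
  }
  async asyncQuery(): Promise<EsqlAsyncResponse> { return this.respond(); }
  async asyncQueryGet(): Promise<EsqlAsyncResponse> { this.polls += 1; return this.respond(); }
  async asyncQueryDelete(p: { id: string }): Promise<void> { this.deleted.push(p.id); }
}

// Stand-alone demo: a rule configured with a 15m timeout polls past the 5m
// per-request limit without failing.
void runEsqlQueryAsync(new FakeEsqlClient(2), 'FROM logs-* | STATS failed_logins = COUNT(*) BY user.name',
  { ruleExecutionTimeoutMs: 15 * 60 * 1000, pollIntervalMs: 1 })
  .then((r) => console.log('rows:', r.values));
```

Two things the loop has to get right in practice: the deadline check happens before each sleep, so a rule never waits a full poll interval past its timeout, and the delete on timeout is what stops an abandoned query from living on in the cluster after the rule execution has already failed.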
@vitaliidm vitaliidm added the backport This PR is a backport of another PR label Apr 17, 2025
@vitaliidm vitaliidm enabled auto-merge (squash) April 17, 2025 15:49
@vitaliidm (Contributor, Author)

/ci

@vitaliidm vitaliidm merged commit d8e5155 into elastic:8.18 Apr 17, 2025
8 checks passed
@elasticmachine (Contributor)

💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
|----|--------|-------|------|
| alerting | 846 | 847 | +1 |

Unknown metric groups

API count

| id | before | after | diff |
|----|--------|-------|------|
| alerting | 879 | 880 | +1 |

Labels

backport This PR is a backport of another PR

4 participants