[8.19] [Attack Discovery][Scheduling] Improved duplicates logging (#227666)#227857

Merged
kibanamachine merged 5 commits into elastic:8.19 from kibanamachine:backport/8.19/pr-227666
Jul 15, 2025

Conversation

@kibanamachine (Contributor)

Backport

This will backport the following commits from main to 8.19:

Questions?

Please refer to the Backport tool documentation

…27666)

## Summary

Main ticket ([Internal
link](elastic/security-team#10142))

With these changes we improve the attack discovery alerts duplicates
logging.

### Info level logging examples

**Manually generated**:

> Ad-hoc Attack Discovery: Found 1 duplicate alert(s), skipping report for those.

**Scheduled generations**:

> Attack Discovery Schedule: Found 1 duplicate alert(s), skipping report for those.

### Additional debug level logging examples

**Manually generated**:

```
Ad-hoc Attack Discovery: Duplicated alerts:
[
  "{{attack-discovery-alert-id}}"
]
```

**Scheduled generations**:

```
Attack Discovery Schedule: Duplicated alerts:
[
  "{{attack-discovery-alert-id}}"
]
```

### To Test

1. Create an Attack Discovery Schedule which runs over the same alerts multiple times (for example, set the alerts query time to 24h)
2. Wait until the schedule runs several times and produces duplicated attack discoveries
3. Check the Kibana server logs

### Example of logging

<img width="1536" height="101" alt="Screenshot 2025-07-11 at 16 07 09" src="https://github.com/user-attachments/assets/fe43d195-6166-483e-ad25-75aaa0f0da09" />

## NOTES

The feature is hidden behind feature flags (in `kibana.dev.yml`):

```yaml
feature_flags.overrides:
  securitySolution.attackDiscoveryAlertsEnabled: true
  securitySolution.assistantAttackDiscoverySchedulingEnabled: true
```

(cherry picked from commit 996eb11)
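The info and debug messages described above are what an operator would look for when verifying the test steps. The following is an added example, not code from Kibana or from this PR: it parses those two message shapes out of raw Kibana server log text and totals the skipped duplicates per source. It assumes the default "[timestamp][LEVEL][logger] message" pattern layout, that multi-line debug messages keep their embedded newlines as shown in the description, and uses a constructed sample log with placeholder logger name and alert ids.

```typescript
// Added example (not Kibana's own code): parse the duplicate-alert messages from this PR out of
// raw Kibana server log text. Assumed: default "[ts][LEVEL][logger] message" layout, multi-line debug kept.
type Source = 'ad-hoc' | 'schedule';
interface DuplicateEvent { level: 'info' | 'debug'; source: Source; count: number; alertIds: string[] }
const PREFIX = '(Ad-hoc Attack Discovery|Attack Discovery Schedule)';
const INFO_RE = new RegExp(`^${PREFIX}: Found (\\d+) duplicate alert\\(s\\), skipping report for those\\.$`);
const DEBUG_RE = new RegExp(`^${PREFIX}: Duplicated alerts:$`);
const toSource = (p: string): Source => (p.startsWith('Ad-hoc') ? 'ad-hoc' : 'schedule');
// Drops the leading "[ts][LEVEL][logger]" groups so only the message text remains.
const stripHeader = (line: string): string => line.replace(/^(\[[^\]]*\])+\s*/, '');

function parseDuplicateEvents(log: string): DuplicateEvent[] {
  const lines = log.split('\n');
  const events: DuplicateEvent[] = [];
  for (let i = 0; i < lines.length; i++) {
    const msg = stripHeader(lines[i]).trim();
    const info = INFO_RE.exec(msg);
    if (info) {
      events.push({ level: 'info', source: toSource(info[1]), count: Number(info[2]), alertIds: [] });
      continue;
    }
    const dbg = DEBUG_RE.exec(msg);
    if (!dbg) continue;
    // The JSON array of alert ids follows on the next lines, ending at the closing bracket.
    const body: string[] = [];
    while (++i < lines.length) {
      body.push(lines[i]);
      if (lines[i].trim() === ']') break;
    }
    let ids: string[] = [];
    try { ids = JSON.parse(body.join('\n')); } catch { ids = []; } // tolerate a truncated entry
    events.push({ level: 'debug', source: toSource(dbg[1]), count: ids.length, alertIds: ids });
  }
  return events;
}

// Duplicates skipped per source, counted from info lines only (debug logging may be off).
function duplicateTotals(events: DuplicateEvent[]): Record<Source, number> {
  const totals: Record<Source, number> = { 'ad-hoc': 0, schedule: 0 };
  for (const e of events) if (e.level === 'info') totals[e.source] += e.count;
  return totals;
}
// Constructed sample log, not real output; the logger name and alert ids are placeholders.
const SAMPLE_LOG = [
  '[2025-07-15T10:00:00.000Z][INFO ][plugins.securitySolution] Attack Discovery Schedule: Found 2 duplicate alert(s), skipping report for those.',
  '[2025-07-15T10:00:00.001Z][DEBUG][plugins.securitySolution] Attack Discovery Schedule: Duplicated alerts:',
  '[', '  "alert-id-aaa",', '  "alert-id-bbb"', ']',
  '[2025-07-15T10:05:00.000Z][INFO ][plugins.securitySolution] Ad-hoc Attack Discovery: Found 1 duplicate alert(s), skipping report for those.',
].join('\n');
```

A schedule whose totals keep growing run after run is the signal that its alerts query window overlaps earlier runs, which is exactly the condition the test steps reproduce with a 24h window.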
@kibanamachine kibanamachine added the backport This PR is a backport of another PR label Jul 14, 2025
@kibanamachine kibanamachine enabled auto-merge (squash) July 14, 2025 15:25
@elasticmachine (Contributor)

elasticmachine commented Jul 15, 2025

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

‼️ ERROR: no builds found for mergeBase sha [14d3d51]

cc @e40pud

@kibanamachine kibanamachine merged commit 4dcad9d into elastic:8.19 Jul 15, 2025
7 of 8 checks passed