Merged
29 commits
8bd6374
feat: Add Risk Scoring Alert Filtering - Backend Implementation
abhishekbhatia1710 Sep 19, 2025
d73d44e
Adding filters to the esql risk scoring
abhishekbhatia1710 Sep 25, 2025
02a3aa8
Adding filters for the preview API
abhishekbhatia1710 Sep 25, 2025
86502e6
Removing repeated code
abhishekbhatia1710 Sep 25, 2025
d177f02
[CI] Auto-commit changed files from 'node scripts/check_mappings_upda…
kibanamachine Sep 25, 2025
e8682e2
Implement entity-specific filtering for risk scoring
abhishekbhatia1710 Sep 25, 2025
9a918a2
Changing the filter query to filter out instead of filter in
abhishekbhatia1710 Sep 26, 2025
0042278
Fixing types
abhishekbhatia1710 Sep 26, 2025
1c1d3da
[CI] Auto-commit changed files from 'yarn openapi:bundle'
kibanamachine Sep 25, 2025
6cb9b1b
[CI] Auto-commit changed files from 'make api-docs'
kibanamachine Sep 25, 2025
c156926
[CI] Auto-commit changed files from 'node scripts/jest_integration -u…
kibanamachine Sep 25, 2025
ee348e8
Fixing tests : updating mappings version
abhishekbhatia1710 Sep 29, 2025
a7117dd
Add filters to ReadRiskEngineSettingsResponse
abhishekbhatia1710 Oct 14, 2025
050ec12
Ensure filter exclusion logic in risk calculations
abhishekbhatia1710 Oct 14, 2025
148a6d0
Backend changes readded after resolving merge conflicts for the Risk …
abhishekbhatia1710 Oct 15, 2025
e7bd7fc
Fixing types
abhishekbhatia1710 Oct 15, 2025
4f47704
Merge branch 'main' into ea-13606-alert-filtering-risk-score-backend
abhishekbhatia1710 Oct 27, 2025
fe38fe0
Snapshot updated manually as CI was failing while doing the same
abhishekbhatia1710 Oct 27, 2025
4a8c303
SO snapshot updates
abhishekbhatia1710 Oct 27, 2025
3179b69
Fixing tests
abhishekbhatia1710 Oct 28, 2025
5e77a2d
SO snapshot update...again
abhishekbhatia1710 Oct 28, 2025
70d2b3f
Fixing tests
abhishekbhatia1710 Oct 28, 2025
e1d1610
Fixing types
abhishekbhatia1710 Oct 28, 2025
e2ac559
Fixing tests...part 2
abhishekbhatia1710 Oct 28, 2025
2e994ec
Merge branch 'main' into ea-13606-alert-filtering-risk-score-backend
abhishekbhatia1710 Oct 29, 2025
a67aba5
Fixing tests...part 3
abhishekbhatia1710 Oct 29, 2025
68f14ee
Merge branch 'ea-13606-alert-filtering-risk-score-backend' of github.…
abhishekbhatia1710 Oct 29, 2025
98dd75b
Fixing integration tests ... part 3
abhishekbhatia1710 Oct 29, 2025
eab481d
Merge branch 'main' into ea-13606-alert-filtering-risk-score-backend
abhishekbhatia1710 Oct 29, 2025
19 changes: 19 additions & 0 deletions oas_docs/output/kibana.serverless.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -48398,6 +48398,25 @@ paths:
items:
type: string
type: array
filters:
items:
type: object
properties:
entity_types:
items:
enum:
- host
- user
- service
type: string
type: array
filter:
description: KQL filter string
type: string
required:
- entity_types
- filter
type: array
range:
type: object
properties:
Expand Down
19 changes: 19 additions & 0 deletions oas_docs/output/kibana.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -53755,6 +53755,25 @@ paths:
items:
type: string
type: array
filters:
items:
type: object
properties:
entity_types:
items:
enum:
- host
- user
- service
type: string
type: array
filter:
description: KQL filter string
type: string
required:
- entity_types
- filter
type: array
range:
type: object
properties:
Expand Down
3 changes: 3 additions & 0 deletions packages/kbn-check-saved-objects-cli/current_fields.json
Original file line number Diff line number Diff line change
Expand Up @@ -948,6 +948,9 @@
"enabled",
"excludeAlertStatuses",
"filter",
"filters",
"filters.entity_types",
"filters.filter",
"identifierType",
"interval",
"pageSize",
Expand Down
11 changes: 11 additions & 0 deletions packages/kbn-check-saved-objects-cli/current_mappings.json
Original file line number Diff line number Diff line change
Expand Up @@ -3154,6 +3154,17 @@
"dynamic": false,
"properties": {}
},
"filters": {
"properties": {
"entity_types": {
"type": "keyword"
},
"filter": {
"type": "text"
}
},
"type": "nested"
},
"identifierType": {
"type": "keyword"
},
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -159,7 +159,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
"privmon-api-key": "c06b1614786ce7271087378b47d465c956ab1537",
"product-doc-install-status": "f94e3e5ad2cc933df918f2cd159044c626e01011",
"query": "1966ccce8e9853018111fb8a1dee500228731d9e",
"risk-engine-configuration": "ad7bf1d048a5dad258c2dd8823265adb4debf9a6",
"risk-engine-configuration": "f5ca37ab60d0bb0756869c9a4171146afbdd67a7",
"rules-settings": "53f94e5ce61f5e75d55ab8adbc1fb3d0937d2e0b",
"sample-data-telemetry": "c38daf1a49ed24f2a4fb091e6e1e833fccf19935",
"search": "d81feb3845eb84c00dabfd3e89dc798c854c07dd",
Expand Down Expand Up @@ -997,8 +997,9 @@ describe('checking migration metadata changes on all registered SO types', () =>
"query|7.16.0: b1a3b62b35f9e5c5adef5983e5c83a0a174ac679",
"======================================================",
"risk-engine-configuration|global: 0ca55e55c439cebd5bad7ecec17d81a6264f4ea4",
"risk-engine-configuration|mappings: eeef5029f25635e3c973fb1047f6ef6d73ac7b9a",
"risk-engine-configuration|mappings: 20b5659d79a49b6d1850003dc9bb35a76d836b6f",
"risk-engine-configuration|schemas: da39a3ee5e6b4b0d3255bfef95601890afd80709",
"risk-engine-configuration|10.4.0: cb95557ad3ff0c0983274d3acf6cbde458424652",
"risk-engine-configuration|10.3.0: c859b4f9fe7e1e4c97ba3adc8715004f2b06c5e0",
"risk-engine-configuration|10.2.0: 9db1cd4b80df6c7b6198d7021623c8302b58a764",
"risk-engine-configuration|10.1.0: 6502b46de13e13ff2ce499d3a8188955f89b6e0d",
Expand Down Expand Up @@ -1345,7 +1346,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
"privmon-api-key": "10.0.0",
"product-doc-install-status": "10.1.0",
"query": "10.2.0",
"risk-engine-configuration": "10.3.0",
"risk-engine-configuration": "10.4.0",
"rules-settings": "10.1.0",
"sample-data-telemetry": "10.0.0",
"search": "10.9.0",
Expand Down Expand Up @@ -1492,7 +1493,7 @@ describe('checking migration metadata changes on all registered SO types', () =>
"privmon-api-key": "0.0.0",
"product-doc-install-status": "10.1.0",
"query": "10.2.0",
"risk-engine-configuration": "10.3.0",
"risk-engine-configuration": "10.4.0",
"rules-settings": "10.1.0",
"sample-data-telemetry": "0.0.0",
"search": "10.9.0",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,17 @@ export const ConfigureRiskEngineSavedObjectRequestBody = z.object({
.optional(),
exclude_alert_tags: z.array(z.string()).optional(),
enable_reset_to_zero: z.boolean().optional(),
filters: z
.array(
z.object({
entity_types: z.array(z.enum(['host', 'user', 'service'])),
/**
* KQL filter string
*/
filter: z.string(),
})
)
.optional(),
});
export type ConfigureRiskEngineSavedObjectRequestBodyInput = z.input<
typeof ConfigureRiskEngineSavedObjectRequestBody
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,22 @@ paths:
type: string
enable_reset_to_zero:
type: boolean
filters:
type: array
items:
type: object
properties:
entity_types:
type: array
items:
type: string
enum: [host, user, service]
filter:
type: string
description: KQL filter string
required:
- entity_types
- filter
responses:
"200":
description: Successful response
Expand Down
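Review bot: The `filter` description at `description: KQL filter string` does not say that matching alerts are excluded, while the preview schema in this same PR describes the identical field as "KQL filter expression to exclude (alerts matching this filter will be excluded from risk score calculation)"; a caller reading only the configure endpoint could assume an include filter and silently suppress the wrong alerts, so the two should agree. I would change it to `description: KQL filter expression; alerts matching it are excluded from the risk score calculation for the listed entity types` and give `entity_types` the `description: The entity types this filter applies to` the preview schema already has. Neither property carries `maxItems`/`maxLength`, so the request validation generated from this schema accepts an unbounded list of arbitrarily long KQL strings that are then persisted in the saved object; a modest bound on both would be reasonable here. The `paths:` block this hunk sits in starts above the hunk.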
Original file line number Diff line number Diff line change
Expand Up @@ -29,4 +29,15 @@ export const ReadRiskEngineSettingsResponse = z.object({
* Whether to enable resetting risk scores to zero when there are no alerts in the selected date range
*/
enableResetToZero: z.boolean().optional(),
filters: z
.array(
z.object({
entity_types: z.array(z.enum(['host', 'user', 'service'])),
/**
* KQL filter string
*/
filter: z.string(),
})
)
.optional(),
});
Original file line number Diff line number Diff line change
Expand Up @@ -27,3 +27,19 @@ paths:
enableResetToZero:
type: boolean
description: Whether to enable resetting risk scores to zero when there are no alerts in the selected date range
filters:
type: array
items:
type: object
properties:
entity_types:
type: array
items:
type: string
enum: [host, user, service]
filter:
type: string
description: KQL filter string
required:
- entity_types
- filter
Original file line number Diff line number Diff line change
Expand Up @@ -63,6 +63,23 @@ export const RiskScoresPreviewRequest = z.object({
* A list of alert tags to exclude from the risk score calculation. If unspecified, all alert tags are included.
*/
exclude_alert_tags: z.array(z.string()).optional(),
/**
* Custom KQL filters to exclude from risk scoring queries, allowing more targeted risk analysis by filtering out specific alerts.
*/
filters: z
.array(
z.object({
/**
* The entity types this filter applies to
*/
entity_types: z.array(z.enum(['host', 'user', 'service'])),
/**
* KQL filter expression to exclude (alerts matching this filter will be excluded from risk score calculation)
*/
filter: z.string(),
})
)
.optional(),
});

export type RiskScoresPreviewResponse = z.infer<typeof RiskScoresPreviewResponse>;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,24 @@ components:
type: array
items:
type: string
filters:
description: Custom KQL filters to exclude from risk scoring queries, allowing more targeted risk analysis by filtering out specific alerts.
type: array
items:
type: object
properties:
entity_types:
type: array
items:
type: string
enum: [host, user, service]
description: The entity types this filter applies to
filter:
type: string
description: KQL filter expression to exclude (alerts matching this filter will be excluded from risk score calculation)
required:
- entity_types
- filter


RiskScoresPreviewResponse:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1294,6 +1294,25 @@ paths:
items:
type: string
type: array
filters:
items:
type: object
properties:
entity_types:
items:
enum:
- host
- user
- service
type: string
type: array
filter:
description: KQL filter string
type: string
required:
- entity_types
- filter
type: array
range:
type: object
properties:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -1294,6 +1294,25 @@ paths:
items:
type: string
type: array
filters:
items:
type: object
properties:
entity_types:
items:
enum:
- host
- user
- service
type: string
type: array
filter:
description: KQL filter string
type: string
required:
- entity_types
- filter
type: array
range:
type: object
properties:
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,7 @@ export const riskEngineConfigureSavedObjectRoute = (
range: request.body.range,
excludeAlertTags: request.body.exclude_alert_tags,
enableResetToZero: request.body.enable_reset_to_zero,
filters: request.body.filters,
});
return response.ok({ body: { risk_engine_saved_object_configured: true } });
} catch (e) {
Expand Down
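Review bot: `filters: request.body.filters` hands the caller-supplied KQL strings straight to the save call, and the request schema only checks that each `filter` is a string, so an expression that does not parse is stored and first fails when risk scoring runs rather than in this request. I would parse each `filter` with the KQL parser before the save and answer with a 400 on a parse error, and reject empty or whitespace-only strings while at it, because these filters are exclusions and an over-broad expression such as a bare wildcard silently removes every alert from scoring for the listed entity types. The commit list says the filters are applied in the ES|QL risk-scoring query; if the filter text is interpolated into that query string rather than converted through the KQL AST, this route is also the injection boundary — worth confirming in the scoring code, which is not in this diff. The handler begins above the hunk and its `catch` continues below it.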
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,10 @@ export const riskEngineSettingsRoute = (router: EntityAnalyticsRoutesDeps['route
Array.isArray(result?.excludeAlertStatuses) &&
!result.excludeAlertStatuses.includes('closed'),
enableResetToZero: result.enableResetToZero,
filters: (result.filters || []).map((f) => ({
entity_types: f.entity_types as Array<'host' | 'user' | 'service'>,
filter: f.filter,
})),
},
});
} catch (e) {
Expand Down
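Review bot: `result.filters` on the new line dereferences `result` unconditionally while the line just above guards with `result?.excludeAlertStatuses`; if `result` can be undefined there, the new code throws instead of returning an empty list, so `filters: (result?.filters ?? []).map(...)` would be consistent (the existing `result.enableResetToZero` line suggests the guard may be purely defensive — worth confirming). The `as Array<'host' | 'user' | 'service'>` cast is a compile-time assertion only: whatever the saved object holds is echoed to the client as if it had been validated, which matters because the mapping in this PR stores `entity_types` as a plain keyword field. Narrowing at runtime, `entity_types: f.entity_types.filter((t): t is 'host' | 'user' | 'service' => ['host', 'user', 'service'].includes(t)),`, keeps the response honest about the enum the response schema declares. The handler starts above the hunk and its `catch` continues below it.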