[Security Solution] Extend event_log plugin with functionality required for Rule Execution Log #106347

Closed
1 of 7 tasks
Tracked by #118324
peluja1012 opened this issue Jul 21, 2021 · 5 comments
Labels:
  • Feature:EventLog
  • Feature:RAC (label obsolete)
  • Feature:Rule Management (Security Solution Detection Rule Management area)
  • Team:Detection Rule Management (Security Detection Rule Management Team)
  • Team:Detections and Resp (Security Detection Response Team)
  • Team:ResponseOps (label for the ResponseOps team, formerly the Cases and Alerting teams)
  • Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
  • Theme: rac (label obsolete)

Comments


peluja1012 commented Jul 21, 2021

Parent ticket: #118324

Summary

The Security Solution needs to store rule execution events and metrics to power various rule monitoring workflows. Based on all the previous discussions, we decided that the Kibana event_log plugin is a good fit for this purpose. We will need to extend it to fully support Security Solution use cases.

We anticipate that we will need to be able to execute the following types of queries to event log:

  1. Write execution logs from rule type executors.
  2. Fetch N last log entries for 1 rule.
    • Context: Rule Details Page.
    • Rule id is known beforehand.
  3. Fetch N aggregations (of rule execution events or metrics) for M rules.
    • Context: Rule Monitoring table, fetching N*M values for the whole table in a single request to Elasticsearch.
    • M rule ids are known beforehand.
  4. Fetch N rules sorted by K metrics (indexing time, query time, etc). Some kind of aggregations with sorting.
    • Context: Rule Management/Monitoring table, sorting by columns.
    • Rule ids are not known beforehand.
  5. Fetch K current metrics across all rules. E.g., average indexing time during the last execution across all rules, etc.
    • Context: Rule Management/Monitoring table.
    • Rule ids are not known beforehand.
  6. Fetch the last event (status change) across all rules (similar to num 5).
    • Context: Rule Management/Monitoring table.
    • Rule ids are not known beforehand.
  7. Fetch Nth percentile of a current metric across all rules (similar to num 5).
    • Context: Rule Management/Monitoring table.
    • Rule ids are not known beforehand.
  8. Fetch the number of rules matching criteria (for example, rules with status=warning etc).
    • Context: Rule Management/Monitoring table.
    • Rule ids are not known beforehand.

This list is not full or final: we might not need some of these queries, and we might need others. It depends on the final requirements and UX wireframes. What we can see from these types of queries, though, is:

  • Most of the queries will require the ability to define free-form Elasticsearch DSL queries (with filters, aggregations, limiting _source, sorting by multiple fields, etc.) on the Security Solution side.
  • Some of the queries are rule-agnostic (calculate something across all rules). The current RBAC model of event_log requires developers to provide references to at least 1 saved object (in our case it would be at least 1 rule) when fetching from the log, which makes it impossible to execute such queries.

We think that event_log plugin should be a good fit for these rule monitoring needs but it will need to be extended to provide additional functionality.

Requirements

TBD. We will define technical requirements and a proposal for software design in a dedicated RFC for extending event_log plugin with RBAC and flexible search API. This section will be updated.

Draft:

  • [DONE] It should be possible to extend event_log schema with standard ECS and custom fields needed for implementing Rule Execution Log.
  • We should be able to filter events by solution (consumer), kibana space id, rule instance id, etc.
  • When querying the log via event_log, we should be able to execute free-form Elasticsearch DSL queries. The plugin should provide a flexible .search() method, ideally with the same signature that ElasticsearchClient exposes.
  • event_log should support RBAC based on Alerting feature privileges. We should be able to grant those privileges via our existing "Security" feature privileges:

Sub-tasks
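The query shapes listed in the issue above, as an added example that is not code from Kibana's event_log plugin or from the Security Solution. It builds the Elasticsearch DSL bodies for query 2 (last N events of one rule), query 3 (per-rule aggregations for M known rules in one request) and the rule-agnostic building block behind queries 5 and 7 (latest value of a metric for every rule, ids not known beforehand), then reduces the last one client-side into an average and an Nth percentile. The field names are assumptions modelled on ECS and the event_log index (`@timestamp`, `event.action`, `event.provider`, `kibana.space_ids`, the nested `kibana.saved_objects` with `type`/`id`), and `kibana.alert.rule.consumer` plus the metric field `kibana.alert.rule.execution.metrics.indexing_duration_ms` are hypothetical custom fields of the kind the first draft requirement talks about. The sample response is constructed, not real data.

```typescript
// Added example, not event_log or Security Solution code. Field names below are
// assumptions modelled on ECS / the event_log index; the metric and consumer
// fields are hypothetical custom fields.
type EsBody = Record<string, unknown>;

const RULE_SO_TYPE = 'alert'; // saved-object type of alerting rules (assumption)
const SO_PATH = 'kibana.saved_objects'; // nested field holding saved-object references
const METRIC = 'kibana.alert.rule.execution.metrics.indexing_duration_ms'; // hypothetical

/** Filters shared by every query: execution events of one solution (consumer) in one space. */
function baseFilters(consumer: string, spaceId: string): EsBody[] {
  return [
    { term: { 'event.provider': 'alerting' } },
    { term: { 'event.action': 'execute' } },
    { term: { 'kibana.alert.rule.consumer': consumer } }, // hypothetical field
    { term: { 'kibana.space_ids': spaceId } },
  ];
}

/** Nested filter on saved-object references to the given rule ids (what the current RBAC model requires). */
function ruleRefFilter(ruleIds: string[]): EsBody {
  return {
    nested: {
      path: SO_PATH,
      query: { bool: { filter: [
        { term: { [`${SO_PATH}.type`]: RULE_SO_TYPE } },
        { terms: { [`${SO_PATH}.id`]: ruleIds } },
      ] } },
    },
  };
}

/** Query 2: the N most recent execution events of one known rule, newest first. */
function lastNEventsForRule(consumer: string, spaceId: string, ruleId: string, n: number): EsBody {
  return {
    size: n,
    sort: [{ '@timestamp': { order: 'desc' } }],
    _source: ['@timestamp', 'event.outcome', 'event.duration', 'message'],
    query: { bool: { filter: [...baseFilters(consumer, spaceId), ruleRefFilter([ruleId])] } },
  };
}

/** Query 3: average of each metric per rule for M known rules, N*M values in one request. */
function avgMetricsForRules(consumer: string, spaceId: string, ruleIds: string[], metricFields: string[]): EsBody {
  const metricAggs: EsBody = {};
  for (const f of metricFields) metricAggs[f] = { avg: { field: f } };
  return {
    size: 0,
    query: { bool: { filter: [...baseFilters(consumer, spaceId), ruleRefFilter(ruleIds)] } },
    aggs: { refs: { nested: { path: SO_PATH }, aggs: { by_rule: {
      terms: { field: `${SO_PATH}.id`, size: ruleIds.length },
      // reverse_nested returns to the parent event document so metric aggs see its fields
      aggs: { events: { reverse_nested: {}, aggs: metricAggs } },
    } } } },
  };
}

/** Queries 5/7 building block: latest value of one metric for every rule. There is
 *  deliberately no saved-object reference in the query: rule ids are unknown, which is
 *  exactly the shape the issue says the current event_log RBAC model cannot serve. */
function latestMetricPerRule(consumer: string, spaceId: string, metricField: string, maxRules: number): EsBody {
  return {
    size: 0,
    query: { bool: { filter: baseFilters(consumer, spaceId) } },
    aggs: { refs: { nested: { path: SO_PATH }, aggs: { by_rule: {
      terms: { field: `${SO_PATH}.id`, size: maxRules },
      aggs: { events: { reverse_nested: {}, aggs: { latest: {
        top_metrics: { metrics: { field: metricField }, sort: { '@timestamp': 'desc' } },
      } } } },
    } } } },
  };
}

/** Client-side reduction of a latestMetricPerRule response: mean and nearest-rank Nth percentile. */
function reduceLatest(response: any, metricField: string, percentile: number): { avg: number; pct: number; rules: number } {
  const buckets: any[] = response.aggregations.refs.by_rule.buckets;
  const values: number[] = buckets
    .map((b) => b.events.latest.top[0]?.metrics[metricField])
    .filter((v): v is number => typeof v === 'number') // rules whose last run lacks the metric are skipped
    .sort((a, b) => a - b);
  if (values.length === 0) return { avg: NaN, pct: NaN, rules: 0 };
  const avg = values.reduce((s, v) => s + v, 0) / values.length;
  const rank = Math.min(values.length, Math.max(1, Math.ceil((percentile / 100) * values.length)));
  return { avg, pct: values[rank - 1], rules: values.length };
}

/** Constructed sample response (not real data) in the shape Elasticsearch returns for latestMetricPerRule. */
const SAMPLE_RESPONSE = {
  aggregations: { refs: { doc_count: 7, by_rule: { buckets: [
    { key: 'rule-a', doc_count: 2, events: { doc_count: 2, latest: { top: [{ sort: ['2021-07-21T10:00:00Z'], metrics: { [METRIC]: 120 } }] } } },
    { key: 'rule-b', doc_count: 2, events: { doc_count: 2, latest: { top: [{ sort: ['2021-07-21T10:01:00Z'], metrics: { [METRIC]: 300 } }] } } },
    { key: 'rule-c', doc_count: 2, events: { doc_count: 2, latest: { top: [{ sort: ['2021-07-21T10:02:00Z'], metrics: { [METRIC]: 60 } }] } } },
    { key: 'rule-d', doc_count: 1, events: { doc_count: 1, latest: { top: [{ sort: ['2021-07-21T10:03:00Z'], metrics: { [METRIC]: null } }] } } },
  ] } } },
};
```

The first two builders carry a `kibana.saved_objects` reference and so fit the existing RBAC model; the third has none, which is why the issue asks for RBAC based on feature privileges instead of saved-object references. The client-side reduction is needed because Elasticsearch cannot take a percentile of a per-bucket `top_metrics` value directly; for a large rule count the `terms` size and the response size should be bounded accordingly.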

@peluja1012 peluja1012 added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: rac label obsolete labels Jul 21, 2021
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@banderror banderror changed the title [Security Solution] Extend event_log plugin with functionality required for Rule Execution Log [RAC][Security Solution][Detections] Extend event_log plugin with functionality required for Rule Execution Log Jul 21, 2021
@banderror banderror added Feature:EventLog Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Jul 21, 2021
@elasticmachine

Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@gmmorris gmmorris added the Feature:RAC label obsolete label Aug 11, 2021
@gmmorris

Adding Feature:RAC to disambiguate this issue from the backlog of Feature:EventLog issues owned by the Alerting team.

@peluja1012 peluja1012 added Team:Detection Rule Management Security Detection Rule Management Team Feature:Rule Management Security Solution Detection Rule Management area labels Sep 15, 2021
@banderror banderror removed their assignment Nov 24, 2021
@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022
@banderror banderror changed the title [RAC][Security Solution][Detections] Extend event_log plugin with functionality required for Rule Execution Log [Security Solution] Extend event_log plugin with functionality required for Rule Execution Log Nov 24, 2022
@banderror

Outdated

@banderror banderror closed this as not planned Won't fix, can't repro, duplicate, stale Jul 8, 2024