
[RAC][Security Solution][Detections] Integrate Rule Execution Log into Detection Engine #106465

Closed
Tracked by #101013
banderror opened this issue Jul 21, 2021 · 3 comments
Assignees
Labels
Feature:Detection Rules Security Solution rules and Detection Engine Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Theme: rac label obsolete

Comments

@banderror
Contributor

Parent ticket: #101013

Summary

Integrate the implementation developed in #106461 into the new incarnation of Detection Engine being migrated to rule_registry.

  • Integrate with BaseSecurity rule type implemented in [RAC][Security Solution] Add base Security Rule Type #105096.
    • Pass in a generic status writer. Executors call the generic status writer to write warnings and errors during execution.
    • Integration with BaseSecurity rule type should be straightforward. We already have a "decorator" that can wrap rule types and inject a logger instance (Link).
  • Make sure to write status change events both from generic parts of the execution logic (e.g. top-level exception handling, gap detection) and from specific rule type executors (e.g. ML rules have specific error logging). Go through the old Detection Engine and double-check that all statuses ("going to run", "warning", "failed", "succeeded") are written in all cases.
  • Make sure to write all execution metrics as well.
@banderror banderror added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Jul 21, 2021
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@banderror banderror changed the title [Security Solution][Detections] Integrate Rule Execution Log into Detection Engine [RAC][Security Solution][Detections] Integrate Rule Execution Log into Detection Engine Jul 21, 2021
@banderror banderror added Feature:Detection Rules Security Solution rules and Detection Engine Theme: rac label obsolete labels Jul 21, 2021
@xcrzx
Contributor

xcrzx commented Aug 4, 2021

Implemented in #107624

@xcrzx xcrzx closed this as completed Aug 4, 2021