[Discuss] Increasing availability of profile_uid outside of interactive sessions
#167459
Labels
enhancement
New value added to drive a business result
Team:Detections and Resp
Security Detection Response Team
Comments
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
This was referenced Nov 16, 2023
marshallmain
added a commit
that referenced
this issue
Dec 5, 2023
This PR populates the existing `kibana.alert.workflow_user` field in the alerts-as-data mappings with the `profile_uid` of the last user to modify the status of the alert. It also adds a new field, `kibana.alert.workflow_status_updated_at`, to track the last time the workflow status was updated and populates it with a timestamp. Similar to the alert assignment PR, `workflow_user` renders in the table with a user avatar instead of the raw `profile_uid` value stored in the alert. The filter in/out buttons on the row cell automatically add a filter that uses the raw value so that filtering works correctly. Due to limitations of Kibana's user profile implementation, `workflow_user` is only populated if a user changes the alert status using the alert status route (`POST /api/detection_engine/signals/status`) within an interactive session, i.e. logs in rather than passes credentials with each API request ([related issue](#167459)). ## Alerts table  ## Alert details  ### Checklist - [ ] Functional changes are hidden behind a feature flag. If not hidden, the PR explains why these changes are being implemented in a long-living feature branch. - [x] Functional changes are covered with a test plan and automated tests. - [x] Stability of new and changed tests is verified using the [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner). - Flaky test run: https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/4130 - [ ] Comprehensive manual testing is done by two engineers: the PR author and one of the PR reviewers. Changes are tested in both ESS and Serverless. - [x] Mapping changes are accompanied by a technical design document. It can be a GitHub issue or an RFC explaining the changes. The design document is shared with and approved by the appropriate teams and individual stakeholders. - elastic/security-team#4820 - [x] Functional changes are communicated to the Docs team. A ticket or PR is opened in https://github.com/elastic/security-docs. The following information is included: any feature flags used, affected environments (Serverless, ESS, or both). - elastic/security-docs#4325
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Use Case
Alerts generated by the Security Solution's detection rules have a few fields that can be modified by users - status, assignee, and tags. Until now, we've had no record of who modified these fields and when. We would like to start keeping these records and
profile_uidappears to be the best single identifier to track which user made some modification. We envision 2 types of records in this use case: (1) a record of the last update, stored in the alert document, and (2) a record of all updates, where each update to the alert gets a separate document in some log index. Since we will likely want to store a record of the last update for each mutable field in an alert (status, assignee, tags, potentially more in the future) it would be ideal to minimize the number of fields we need to store for each "last update" record in the alert document.In this plan, the "record of all updates" in a separate log index could contain more detailed information about the user's authentication, like auth type, realm, etc. This would provide the authoritative audit info and allow us to distinguish between different auth methods for the same
profile_uid. Even with the enhancements proposed in this issue,profile_uidmay still be unavailable in some cases - the separate log index with detailed auth info would provide the audit trail for these cases.Even if
profile_uidis not available in all cases, keeping a record of the last update in the alert document itself is useful to enable simple queries involving alerts and these update records, e.g. "show me alerts updated by user X", "show me alerts updated in the last 24 hours", etc. We would like to useprofile_uidas the unique user identifier in the alert document for consistency, since it will also be used for tracking the user assigned to an alert, and it has good integration with other aspects of Kibana, like avatars. I expect we'll be able to re-use UI elements that can translate fromprofile_uidto a readable username or add a query filter byprofile_uidwithout requiring a user to directly interact with the ID value. These use cases are improved ifprofile_uidis available more often, even if it is not always available.Proposal
profile_uidis currently only available within interactive user sessions. Security Solution users are known to use the HTTP API and automation scripts to manage alerts. We would like to explore ways to makeprofile_uidavailable even outside of interactive sessions so that we can still capture theprofile_uidfor API users. One approach might be to allow APIs to specify if a profile should be activated for that API even outside of interactive sessions. We could then pay the cost of profile activation only for specific APIs that we know will rely onprofile_uid, like the API that changes the status of an alert.In general, auditing APIs that write data would be our primary use case for obtaining a
profile_uidoutside of existing interactive sessions. APIs that only read data would generally be lower priority for obtainingprofile_uidoutside of interactive sessions.The text was updated successfully, but these errors were encountered: