Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security Solution][CTI] Add non-ECS Security Solution and CTI mappings (RAC) #101547

Closed
wants to merge 4 commits into from
Closed

[Security Solution][CTI] Add non-ECS Security Solution and CTI mappings (RAC) #101547

wants to merge 4 commits into from

Conversation

ecezalp
Copy link
Contributor

@ecezalp ecezalp commented Jun 7, 2021
edited by nkhristinin
Loading

Summary

There are some non-ECS fields within the Security Solution that need to be added to be added to the RAC implementation of rules for backwards compatibility. This commit ensures that all mappings that existed within the security solution continue to exist.

Checklist

Delete any items that are not applicable to this PR.

Risk Matrix

Delete this section if it is not applicable to this PR.

Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release.

When forming the risk matrix, consider some of the following examples and how they may potentially impact the change:

Risk Probability Severity Mitigation/Notes
Multiple Spaces—unexpected behavior in non-default Kibana Space. Low High Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces.
Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks. High Low Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure.
Code should gracefully handle cases when feature X or plugin Y are disabled. Medium High Unit tests will verify that any feature flag or plugin combination still results in our service operational.
See more potential risk examples

For maintainers

@ecezalp ecezalp added release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.14.0 Team: CTI labels Jun 7, 2021
@ecezalp ecezalp requested review from rylnd and a team June 7, 2021 23:02
@ecezalp ecezalp self-assigned this Jun 7, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

rylnd
rylnd reviewed Jun 9, 2021
View reviewed changes
Copy link
Contributor

@rylnd rylnd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good! I had one note about the ECS compatibility that we'll need to resolve before this can be merged.

@ecezalp could we pair on running this locally? I'd like to see the final output that this produces but I'm a bit behind the RAC curve here.

x-pack/plugins/security_solution/server/lib/detection_engine/assets/cti_field_map.ts
array: false,
required: false,
},
'threat.indicator.geo.city_name': {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are removing the as, geo, and most other nested fields from threat.indicator as per the current RFC.

If these mappings will be used in 7.14, the current implementation makes sense. If these aren't going to be in effect until 7.15, we should strive to use the fields as presented in the RFC.

x-pack/plugins/security_solution/server/lib/detection_engine/assets/security_field_map.ts
* 2.0.
*/

export const securityFieldMap = {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For posterity: what was the logic used to generate this list of fields?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Answered offline: these are all the fields in the existing signals index that were NOT either:

  1. part of ECS
  2. identified as past/current/future CTI fields.

@ecezalp
Copy link
Contributor Author

ecezalp commented Jun 14, 2021

@elasticmachine merge upstream

@ecezalp
Copy link
Contributor Author

ecezalp commented Jun 16, 2021

@elasticmachine merge upstream

@spalger
Copy link
Contributor

spalger commented Jun 16, 2021

jenkins, test this

(restarting due to jenkins upgrade)

@ecezalp
Copy link
Contributor Author

ecezalp commented Jun 23, 2021

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id before after diff
apm 4.3MB 4.3MB +50.0B
observability 453.2KB 453.3KB +50.0B
total +100.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @ecezalp

@spalger spalger added v7.15.0 and removed v7.14.0 labels Jun 30, 2021
@ecezalp
Copy link
Contributor Author

ecezalp commented Aug 11, 2021

closing as duplicate of #107977

@ecezalp ecezalp closed this Aug 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rylnd rylnd rylnd left review comments

Assignees
No one assigned
Labels
release_note:skip Skip the PR/issue when compiling release notes Team: CTI Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.15.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ecezalp @elasticmachine @spalger @kibanamachine @rylnd