[Security Solution][Detection Engine] move lists to data stream

[vitaliidm]

Summary

• addresses https://github.com/elastic/security-team/issues/7198
• moves list/items indices to data stream
  • adds @timestamp mapping to indices mappings
  • migrate to data stream if indices already exist(for customers < 8.11) or create data stream(for customers 8.11+ or serverless)
  • adds DLM to index templates
  • replaces update/delete queries with update_by_query/delete_by_query which supported in data streams
  • fixes existing issues with update/patch APIs for lists/items
    • update/patch for lists didn't save version parameter in ES
    • update and patch APIs for lists/items were identical, i.e. for both routes was called the same update method w/o any changes

Technical detail on moving API to (update/delete)_by_query

update_by_query, delete_by_query do not support refresh=wait_for, only false/true values. Which might break some of the use cases on UI(when list is removed, we refetch all lists. Deleted list will be returned for some time. Default refresh time is 1s). So, we retry refetching deleted/updated document before finishing request, to return reindexed document

update_by_query does not support OCC as update API.
Which is supported in both list/list item updates through _version parameter.
_version is base64 encoded "_seq_no", "_primary_term" props used for OCC

So, to keep it without breaking changes: implemented check for version conflict within update method

Checklist

Delete any items that are not applicable to this PR.

• Unit or functional tests were updated or added to match the most common scenarios

[vitaliidm]

there is still one failing test: #163197
Doesn't seem to be related to functionality in this PR and does not fail locally(on this PR) or on main, only in scope of all tests on CI

[dasansol92]

We need to ensure that this still works with artifact-packager task which reads from .lists and packages Endpoint Exceptions, Trusted Apps, etc for the Endpoint.

We have our automated Defend Workflows Endpoint cypress tests which stand up real Endpoints and create artifacts, so if those pass, the basic create, read, and edit should work.

fyi @dasansol92 - could you also review this PR?

@kevinlog The x-pack/test/security_solution_endpoint/apps/integrations/artifact_entries_list.ts FTR test should ensure the artifact-packager task is still running as we expect.

[dasansol92]

hey @vitaliidm , are these changes affecting also the exceptions lists/items types or only the regular lists/items? Thanks!

[vitaliidm]

hey @vitaliidm , are these changes affecting also the exceptions lists/items types or only the regular lists/items? Thanks!

hey @dasansol92 , only .lists-*, .items-* indices, which moved to data stream in this PR. They can be used in exceptions, but it should not affect exceptions workflows

[e40pud]

Great work! I left a few comments, let me know what you think about those.

[e40pud]

what if it does not exist? or this is not possible?

[vitaliidm]

this is going to be handled down the function execution, few lines below this one

  const list = await lists.patchList({ _version, description, id, meta, name, version });
        if (list == null) {
          return siemResponse.error({
            body: `list id: "${id}" not found`,
``

[e40pud]

same as my previous question

[vitaliidm]

same as https://github.com/elastic/kibana/pull/162508/files/c85531e2424f32db708a93db06719010d63af87c#r1297165741

[e40pud]

I see that it was implemented this way earlier, but just curios whether we should do this check before setting templates above? since we know that this is an invalid request and we gonna return 409 error maybe we should not do any modifications and throw an exception earlier

[vitaliidm]

I don't know the reason it was done like this before, but I can guess, if there are any updates to templates, that would the only way to update them - by calling that API. Otherwise, if no updates were made to templates, that action won't have any effect

[e40pud]

Is it possible that listItemDataStreamExists = true and listDataStreamExists = false? In case of indices we check that both exist listIndexExists and listItemIndexExists

[vitaliidm]

I think, this could only happen, if you use patch/update listItem API, before loading Security Solution page(which performs migration to DS). Very unlikely, because, you have to use direct API call, since these APIs are not used in UI.
And those migration in patch/update was added recently, after delete method was migrated.

Thanks for noticing, I have updated the code, so it will account for this

[e40pud]

These IF statements are not going to work as initially intended.

First if (listDataStreamExists || listItemDataStreamExists) { will handle three out of four possible cases:

1. listDataStreamExists = true && listItemDataStreamExists = true
2. listDataStreamExists = false && listItemDataStreamExists = true
3. listDataStreamExists = true && listItemDataStreamExists = false

Then, second if (!listDataStreamExists && listItemDataStreamExists) { statement will handle the last possible case:

4. listDataStreamExists = false && listItemDataStreamExists = false

This means, that last two statements (if (!listItemDataStreamExists && listDataStreamExists) { and final else case) will never be called.

[vitaliidm]

Yes, you are right - I think, probably, its initial implementation meant to have the firs statement as AND, in that case the rest of statements would make sense.
I will change it AND, thanks for catching this

[e40pud]

same as one of the previous questions about possibility of indexExists = false

[vitaliidm]

similar to same questions, it's going to be handled below these lines

        const listItem = await lists.patchListItem({
          _version,
          id,
          meta,
          value,
        });
        if (listItem == null) {
          return siemResponse.error({
            body: `list item id: "${id}" not found`,
            statusCode: 404,
          });
        } else {

[e40pud]

same here

[vitaliidm]

https://github.com/elastic/kibana/pull/162508/files/c85531e2424f32db708a93db06719010d63af87c#r1297169997

[e40pud]

LGTM!

[dasansol92]

For changes affecting exceptions items/lists, would be nice having this test passing in CI when it's enabled: #164473
Thanks!

[kibana-ci]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: 61c13e8

Failed CI Steps

• Defend Workflows Endpoint Cypress Tests #2

Test Failures

• [job] [logs] Defend Workflows Endpoint Cypress Tests #2 / Automated Response Actions From alerts "after all" hook for "should have generated endpoint and rule" "after all" hook for "should have generated endpoint and rule"
• [job] [logs] Defend Workflows Endpoint Cypress Tests #2 / Automated Response Actions From alerts "before all" hook for "should have generated endpoint and rule" "before all" hook for "should have generated endpoint and rule"

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
lists	261	262	+1
securitySolution	4444	4451	+7
total			+8

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
@kbn/securitysolution-es-utils	62	76	+14
@kbn/securitysolution-io-ts-list-types	515	519	+4
lists	94	96	+2
total			+20

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
lists	145.3KB	145.4KB	+81.0B
securitySolution	15.7MB	15.7MB	+89.0B
total			+170.0B

Unknown metric groups

API count

id	before	after	diff
@kbn/securitysolution-es-utils	68	87	+19
@kbn/securitysolution-io-ts-list-types	528	532	+4
lists	210	222	+12
total			+35

Unreferenced deprecated APIs

id	before	after	diff
lists	0	4	+4

History

• 💔 Build #152262 failed 561b3e6
• 💛 Build #151557 was flaky 65fc067
• 💔 Build #151478 failed ee45572
• 💛 Build #150469 was flaky c85531e
• 💚 Build #148835 succeeded fc8cb43

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @vitaliidm