Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution][Detections] Update signals template if outdated and rollover indices #80019

Merged
merged 10 commits into from
Oct 15, 2020

Conversation

marshallmain
Copy link
Contributor

@marshallmain marshallmain commented Oct 8, 2020

Summary

This PR updates create_index_route so that it checks if the template needs to be upgraded before creating the index if it doesn't exist. In the case where the index already exists but the template was upgraded, the index rolls over so that the write index has the upgraded mapping.

This will cause a breaking change with old mappings that have risk_score mapped as a keyword in some places. In the current mapping, signal.rule.risk_score is a float so after rolling over there will be a conflict between the old and new signal.rule.risk_score for some features like aggregations.

Checklist

Delete any items that are not applicable to this PR.

For maintainers

@marshallmain marshallmain requested review from a team as code owners October 8, 2020 16:04
@marshallmain marshallmain added v7.10.0 v7.11.0 v8.0.0 Feature:Detection Rules Security Solution rules and Detection Engine release_note:skip Skip the PR/issue when compiling release notes Team:SIEM labels Oct 8, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@marshallmain marshallmain added release_note:breaking and removed release_note:skip Skip the PR/issue when compiling release notes labels Oct 8, 2020
@spong
Copy link
Member

spong commented Oct 12, 2020

@elasticmachine merge upstream

@@ -121,6 +125,7 @@ describe('useSignalIndex', () => {
loading: false,
signalIndexExists: false,
signalIndexName: null,
signalIndexTemplateOutdated: null,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should there be a test for when signalIndexTemplateOutdated === true?

@marshallmain
Copy link
Contributor Author

jenkins test this

@marshallmain
Copy link
Contributor Author

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

async chunks size

id before after diff
securitySolution 10.9MB 10.9MB +2.0KB

distributable file count

id before after diff
default 48494 48495 +1

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@marshallmain marshallmain merged commit 0c7ca14 into elastic:master Oct 15, 2020
@marshallmain marshallmain deleted the update-signals-template branch October 15, 2020 06:11
marshallmain added a commit to marshallmain/kibana that referenced this pull request Oct 15, 2020
…nd rollover indices (elastic#80019)

* Modify create_index_route to update template in place if outdated

* Update frontend to always call create_index_route

* Add template status to GET route

* Clean up parameter type

* Fix tests and types

* Add test

Co-authored-by: Kibana Machine <[email protected]>
marshallmain added a commit to marshallmain/kibana that referenced this pull request Oct 15, 2020
…nd rollover indices (elastic#80019)

* Modify create_index_route to update template in place if outdated

* Update frontend to always call create_index_route

* Add template status to GET route

* Clean up parameter type

* Fix tests and types

* Add test

Co-authored-by: Kibana Machine <[email protected]>
gmmorris added a commit to gmmorris/kibana that referenced this pull request Oct 15, 2020
* master: (102 commits)
  [Resolver] Fix flaky test (elastic#80576)
  Update Security Solution Bug Report Template (elastic#80668)
  [Observability] Kibana home page Observability link pointing to `/landing` (elastic#80636)
  [APM] Update User Experience app callout code to reflect new name (elastic#80641)
  [APM] Add missing ML privileges (elastic#80553)
  [DOCS] Adds intro line to the ML plugin readme file (elastic#80631)
  [ML] Functional tests - fix and re-enable validation API tests (elastic#80617)
  remove non-existing dependency from uptime plugin (elastic#80623)
  [ML] Fix job selection flyout overflow (elastic#80621)
  Move dashboard code in codeowner files to canvas team (elastic#80345)
  [Security Solution][Detections] Update signals template if outdated and rollover indices (elastic#80019)
  Sort service list by TPM if health is not shown (elastic#80447)
  Add in cluster version for sec telemetry sender. (elastic#80545)
  [Usage Collection] Usage collection add saved objects client to collector fetch context (elastic#80554)
  Change tag from experimental to beta (elastic#80443)
  [Metrics UI] Inventory view cleanup (elastic#79881)
  [Security Solutions][Detection Engine] Critical bug where value lists were not operational (elastic#80368)
  [Security Solution] Fix networkTopNFlow search strategy response (elastic#80362)
  [build] Retry docker pull (elastic#80432)
  add template for Security Solution bugs (elastic#80574)
  ...
marshallmain added a commit that referenced this pull request Oct 15, 2020
…nd rollover indices (#80019) (#80615)

* Modify create_index_route to update template in place if outdated

* Update frontend to always call create_index_route

* Add template status to GET route

* Clean up parameter type

* Fix tests and types

* Add test

Co-authored-by: Kibana Machine <[email protected]>

Co-authored-by: Kibana Machine <[email protected]>
marshallmain added a commit that referenced this pull request Oct 15, 2020
…nd rollover indices (#80019) (#80616)

* Modify create_index_route to update template in place if outdated

* Update frontend to always call create_index_route

* Add template status to GET route

* Clean up parameter type

* Fix tests and types

* Add test

Co-authored-by: Kibana Machine <[email protected]>

Co-authored-by: Kibana Machine <[email protected]>
@gchaps
Copy link
Contributor

gchaps commented Oct 16, 2020

@marshallmain For this PR to be included in the breaking changes doc, I need a write up with a paragraphs on details and impact. See this breaking changes doc for an example:

@marshallmain
Copy link
Contributor Author

Details: The Security Solution now checks the .siem-signals mapping version and upgrades the mapping if it is outdated when an admin visits the app. This makes new fields that are necessary for new features, such as signal.group.id, available automatically after the upgrade process.

Impact: signal.rule.risk_score was mapped as a keyword prior to 7.9 and was changed to float in 7.9. .siem-signals indices that currently have signal.rule.risk_score mapped as keyword will see mapping conflicts when attempting to aggregate on signal.rule.risk_score.

@gchaps gchaps mentioned this pull request Nov 3, 2020
1 task
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 22, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Feature:Detection Rules Security Solution rules and Detection Engine release_note:breaking Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.10.0 v7.11.0 v8.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants