-
Notifications
You must be signed in to change notification settings - Fork 154
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable Kibana Diagnostic to be Space Aware for Rules #578
Comments
Heh, was just looking at this yesterday. Ideally, we could get the alerting connectors / rules directly from ES, and not Kibana. But I think the problem with that approach is the diagnostic tool either points to ES when getting ES diags, or Kibana when getting Kibana diags, so when running the Kibana diags, the ES url is not available. I say "ideally", but honestly not sure - there may be some reason it would be preferable to get the data from Kibana. I think the ES versions will likely have "more stuff" than the Kibana versions, which seems like a good thing. @mikecote ? If we want to continue down the path of just using the Kibana URL, we'll need to get all the spaces, then for each space, do what's currently being done with the At some point, connectors / rules will be shareable across spaces, so I guess if we continue down the path of using the Kibana APIs, we'd end up having dups of rules/connectors that are shared. Not a huge problem, but one we won't have if we query the rules right from ES. |
In general, the diagnostic has avoided reading from data indexes -- even system indexes -- to avoid scraping user data accidentally. Having an API in Kibana would be ideal for the diagnostic because then the diagnostic would not need to be changed for any unanticipated changes to the data structure (or indexes for that matter), and Kibana can be responsible for removing content we shouldn't have. |
From @pickypg's update, I believe we're confirming going with @pmuellr update
As mini-step-forward, I've filed #580 to pull Kibana Spaces which'll at least allow introspection that non-default-space data's missing. I'm guessing some variant of @CamiloSierraH's #514 PR, we'll want to grab spaces and then iterate pulling per space:
|
The data returned from Elasticsearch directly would contain encrypted attributes like API keys for alerting rules and configuration / passwords for connectors (if we export connectors). Going through Kibana will remove those encrypted attributes when using the APIs. In Kibana, there is such a way when not using authorization (by using the saved object repository) to get a list of saved-objects across all the spaces. This is how we handle the alerting health API => https://github.com/elastic/kibana/blob/main/x-pack/plugins/alerting/server/health/get_health.ts#L37 |
But they are encrypted :-). Ya, probably best to make sure these aren't exported, so if we did use ES, we'd have to filter those away.
The diagnostic tool uses HTTP endpoints to get it's data, so I don't think this will help. I'm guessing someday we'll have a role of "alerting admin" or such, that would be kinda super-user for alerting things only, and then we could make some endpoints available only for those roles or something. Guessing that will be a while though. |
I think that path makes sense as a starting point, even if starts with diagnostics purposes. We could make the API internal, protected behind a certain privilege that would give space agnostic information. |
I don't think we had an issue open for this already, so opened a new one, which should get linked back to this issue: elastic/kibana#137352 |
👋🏼 @mikecote @pmuellr may we review this again? Cross-posted elastic/kibana#137352 is now closed Jan3. And user-facing elastic/kibana#140449 is also complete but not (currently/yet/?) in Kibana diagnostics. The current workaround, is to have the user supplement diagnostic by pulling
It may be possible for Alerting & DetectionEngine statuses to disagree (e.g. https://github.com/elastic/sdh-security-team/issues/584) so for List Detection Rules, may also consider polling the following
|
It feels like PR #580 moved us a little closer, now we have a list of the spaces. So, now it feels like we should use that list, and iterate through each space, collect the rules/connectors like we currently do. We'll have to figure out some convention to name the files, maybe an index of the space in the spaces list, so would be like |
cc @XavierM for the request to list all the rules across all the spaces in the diagnostic bundle. |
I suppose looking to elastic/kibana#140449 However given the API has prefix |
I don't think that's an appropriate API to use for this - at least I'm not aware of anyone asking for execution data like this. It should be possible to use public APIs to iterate through all the Kibana spaces, and then do the same processing we're doing for the default space, in those spaces. |
Noting this will relatively soon also effect Fleet: elastic/kibana#132559, elastic/kibana#172964, elastic/kibana#175831 |
Attempt to make Kibana Diag APIs space aware #721 |
Consolidating parallel conversations in this repository (#479, #514, #512, elastic/kibana#124382). The Kibana diagnostic is not currently space aware though Kibana (SIEM) Rules have been space delineated since at least 7.10.
This implicates that the Kibana diagnostic only captures (SIEM) Rule info from
space:default
& misses any/all other spaces. (You can determine this from an export because the Task Manager Health API will have scheduled Rule counts surpassing your exported Rule counts.)SIEM appears more highly impacted because industry Security practices frequently suggest avoiding allocating users to a product's default space rather than purposely creating a new non-default space for them.
Example here: #514 (comment).
cc: @pmuellr @pickypg @CamiloSierraH @111andre111 @mikecote
The text was updated successfully, but these errors were encountered: