elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[SecuritySolution] Service Entity Store #202344

Closed machadoum closed 4 days ago

machadoum commented 2 weeks ago

Summary

Service Definition:

https://github.com/elastic/kibana/pull/202344/files#diff-42c7dd345e0500c97f85824904a70a11162827ea8f8df6982082a9047ca04ff1

Acceptance Criteria

Stored Entity

```json
{
  "@timestamp": "2024-12-02T10:43:13.856Z",
  "event": {
    "ingested": "2024-12-02T10:51:28.987428Z"
  },
  "entity": {
    "name": "test123 name",
    "id": "test123 name",
    "source": "logs-blito",
    "type": "service"
  },
  "service": {
    "node": {
      "roles": [
        "test123 node roles"
      ],
      "name": [
        "test123 node name"
      ]
    },
    "environment": [
      "test123 environment"
    ],
    "address": [
      "test123 address"
    ],
    "name": "test123 name",
    "id": [
      "test123 id"
    ],
    "state": [
      "test123 state"
    ],
    "ephemeral_id": [
      "test123 ephemeral_id"
    ],
    "type": [
      "test123 type"
    ],
    "version": [
      "test123 version"
    ]
  }
}
```

How to test it?

Create index

```
PUT /logs-test
{
  "mappings": {
    "properties": {
      "service.name": {
        "type": "keyword"
      },
      "service.address": {
        "type": "keyword"
      },
      "service.environment": {
        "type": "keyword"
      },
      "service.ephemeral_id": {
        "type": "keyword"
      },
      "service.id": {
        "type": "keyword"
      },
      "service.node.name": {
        "type": "keyword"
      },
      "service.node.roles": {
        "type": "keyword"
      },
      "service.state": {
        "type": "keyword"
      },
      "service.type": {
        "type": "keyword"
      },
      "service.version": {
        "type": "keyword"
      },
      "@timestamp": {
        "type": "date"
      }
    }
  }
}
```

Create document

```
POST logs-test/_doc
{
  "service": {
    "name": "test123 name",
    "address": "test123 address",
    "environment": "test123 environment",
    "ephemeral_id": "test123 ephemeral_id",
    "id": "test123 id",
    "node.roles": "test123 node roles",
    "node.name": "test123 node name",
    "state": "test123 state",
    "type": "test123 type",
    "version": "test123 version"
  },
  "@timestamp": "2024-12-02T10:43:13.856Z"
}
```

Open Questions

elasticmachine commented 1 week ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 1 week ago

Pinging @elastic/security-entity-analytics (Team:Entity Analytics)

jcoyne-elastic commented 1 week ago

> @jcoyne-elastic Hi Jordyn. This PR captures the new Service entity fields we are targeting for the next release. Does customer 0 include or use service.name values in your events? Are these service.* fields satisfactory?

We do use service.name in some auditbeat logs, @aarju do you know when service.* is specifically used and what fields we would look to add to a service entity store if relevant?

machadoum commented 1 week ago

@joedatlive @jaredburgettelastic On this PR, I am collecting all values for all service fields. We might want to store only the most recent value for some fields, as we do for risk score and asset criticality. If so, let me know which field should have this behaviour.

Some candidates: service.state and service.version
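To make the "How to test it?" steps and the open question above concrete, here is an added example (my own code, not Kibana's entity store implementation) that folds log documents into the stored service-entity shape shown in the description: every distinct value is collected for most `service.*` fields, while `service.state` and `service.version` keep only the most recent value, which is an assumption taken from the candidates named above. The field names come from the PR's index mapping; `SAMPLE_DOCS`, `build_service_entities`, `read_field` and `write_field` are constructed for this example.

```python
# Added example, not Kibana's code: folds log documents into the stored
# service-entity shape shown in this PR. Field names come from the PR's
# mapping; latest-value-only for state/version is an assumption.
COLLECT_ALL = ("address", "environment", "ephemeral_id", "id",
               "node.name", "node.roles", "type")
LATEST_ONLY = ("state", "version")

def read_field(obj, path):
    # Accepts literal dotted keys ("node.roles", as in the PR's test doc) or nested objects.
    if path in obj:
        return obj[path]
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj

def write_field(obj, path, value):
    *parents, leaf = path.split(".")  # always store nested, as the stored entity does
    for part in parents:
        obj = obj.setdefault(part, {})
    obj[leaf] = value

def build_service_entities(docs, source_index):
    # One entity per service.name; documents are folded in @timestamp order.
    entities = {}
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        svc = doc.get("service", {})
        name = read_field(svc, "name")
        if not name:
            continue  # no identity field, nothing to attribute to an entity
        ent = entities.setdefault(name, {"service": {"name": name}, "entity": {
            "name": name, "id": name, "source": source_index, "type": "service"}})
        ent["@timestamp"] = doc["@timestamp"]  # last time the service was seen
        for path in COLLECT_ALL:  # keep every distinct value ever seen
            value = read_field(svc, path)
            if value is not None:
                seen = read_field(ent["service"], path) or []
                new = value if isinstance(value, list) else [value]
                write_field(ent["service"], path, seen + [v for v in new if v not in seen])
        for path in LATEST_ONLY:  # the newest value replaces the old one
            value = read_field(svc, path)
            if value is not None:
                write_field(ent["service"], path, [value])
    return entities

# Constructed sample: the PR's test document plus a later event for the same
# service that reports a new version and a second address.
SAMPLE_DOCS = [
    {"@timestamp": "2024-12-02T10:43:13.856Z", "service": {
        "name": "test123 name", "address": "test123 address", "state": "test123 state",
        "node.roles": "test123 node roles", "version": "test123 version"}},
    {"@timestamp": "2024-12-02T11:00:00.000Z", "service": {
        "name": "test123 name", "address": "10.0.0.5:8080", "version": "2.0.0"}},
]
```

Running `build_service_entities(SAMPLE_DOCS, "logs-test")` yields one entity whose `service.address` holds both addresses while `service.version` holds only `["2.0.0"]`.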

kibanamachine commented 4 days ago

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12240705761

elasticmachine commented 4 days ago

💛 Build succeeded, but was flaky

Metrics

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 14.6MB | 14.6MB | +136.0B |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb.

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 87.8KB | 87.9KB | +29.0B |

cc @machadoum

kibanamachine commented 4 days ago

💔 All backports failed

| Status | Branch | Result |
| --- | --- | --- |
| ❌ | 8.x | Backport failed because of merge conflicts |

Manual backport

To create the backport manually run:

```
node scripts/backport --pr 202344
```

Questions?

Please refer to the Backport tool documentation

machadoum commented 3 days ago

💚 All backports created successfully

| Status | Branch | Result |
| --- | --- | --- |
| ✅ | 8.x | |

Note: Successful backport PRs will be merged automatically after passing CI.

Questions?

Please refer to the Backport tool documentation