Closed by spong 2 years ago
Next refactoring steps:

- `buildSignalGroupFromSequence` and `buildSignalFromEvent` to be passed in to EQL executor function in preparation for sharing with rule registry EQL implementation
- `buildSignalFromEvent` and `buildBulkBody` are almost identical, can be merged into one function as part of the Remove near-duplicate functions (buildRule, bulkCreate) (TBD) task
- `searchAfterAndBulkCreate` (issue describing bug around maxSignals and gap detection with threat match rules)
- `signalRuleAlertType` specific utilities
- `signalRuleAlertType`. rule registry can use the new event log service to handle the returned warnings and errors
- `searchAfterBulkCreate` and up to top level so we get telemetry for all rule types? I haven't worked with this before so not 100% clear on this.

Additional step:

- `ruleParams.outputIndex` as the index to query. This index will no longer exist in the RAC implementation, so we'll need to conditionally switch to querying the `.alerts` index and processing alerts in that index appropriately.

Gap remediation working branch: https://github.com/elastic/kibana/compare/master...madirey:rac-gap-remediation?expand=1

Next steps:

- `rule_registry` bootstrapping issues / race conditions
- `eventCategoryOverride` and `timestampOverride`
- @madirey `_source` in any critical areas in the app? ((1) signals on signals / dupes, (2) Cases - mustache templating, (3) rule actions? -- edge case, but what's the impact?)
This is the meta ticket for tracking the modularization of the Detection Engine. Below are our first steps in supporting RAC (Rules/Alerts/Cases) everywhere, and all efforts are still open for discussion. 🙂
## High level feature-sets

### Exceptions

Within the main executor, the exceptions logic can be specific to certain rule types (e.g. `createThreatSignals()` & `buildEqlSearchRequest()`), added generically as an `esFilter` pre-query (threshold rules), or applied as a post-filter (e.g. `filterEventsAgainstList()` for ML rules).

### Alert De-duplication

The alert de-duplication logic currently lives within `single_bulk_create`, and `signal_rule_alert_type` for EQL rules.

### Gap Detection Remediation

Lives within `signal_rule_alert_type` and is injected into each rule type logic so they can perform the desired searches over the calculated gaps.

### Monitoring Efforts

Removal of side-car SO for Rule Execution monitoring in favor of leveraging the Alerting Event Log: https://github.com/elastic/kibana/pull/94143

## Task Breakdown

Potential additional efforts:

- Move `eventsTelemetry` logic out of `searchAfterBulkCreate` and up to top level so we get telemetry for all rule types (low priority)

Reference docs (internal):