[Security Solution][Detection Engine] add deprecation warning for non-migrated signals #204247
Conversation
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-detection-engine (Team:Detection Engine)
Hi 👋 Code looks good, however I am having difficulty testing with the steps provided. For testing on localhost, I checked out this PR, started up ES locally and Kibana, started Auditbeat, ran the FTR script, went to the detections page and created a rule that created alerts, but when I navigate to the Upgrade Assistant page there are no warnings. Am I missing a step here? As for the steps to test in cloud, I am confused with step 3. Should I upgrade my cloud env from 7.17.x to 8.18, or create a new 8.18 cloud deployment and use the snapshot from 7.17.x in the new 8.18 env?
What does this API say? https://www.elastic.co/guide/en/security/current/signals-migration-api.html#migration-1
I advise using a snapshot from 7.17.
LGTM! Thanks for walking me through the steps to reproduce and test this out. Glad we have a good workflow for this corner case.
During testing @vitaliidm and I came across a situation related to custom signals index naming.
In 7.x we allowed for custom signals index names via the configuration key `xpack.securitySolution.signalsIndex: my-siem-index`. If customers on 7.x are using this and upgrade from 7.x to 9.x, it could lead to some difficulty in migrating these signals if these signals (alerts) are still being used for investigations etc. We can discuss this further in our meeting but wanted to post a quick summary of our findings here.
Starting backport for target branches: 8.x
💚 Build Succeeded
cc @vitaliidm
[Security Solution][Detection Engine] add deprecation warning for non-migrated signals (elastic#204247)

## Summary

- addresses partly elastic/security-team#10878
- shows deprecation warning if siem index was not migrated

### How to test

#### How to create legacy siem index?

Run the script that is used for FTR tests:

```bash
node scripts/es_archiver --kibana-url=http://elastic:changeme@localhost:5601 --es-url=http://elastic:changeme@localhost:9200 load x-pack/test/functional/es_archives/signals/legacy_signals_index

node scripts/es_archiver --kibana-url=http://elastic:changeme@localhost:5601 --es-url=http://elastic:changeme@localhost:9200 load x-pack/test/functional/es_archives/signals/legacy_signals_index_non_default_space
```

These would create legacy siem indices. But be aware, it might break Kibana .alerts indices creation. But sufficient for testing.

Visit also the detection rules page, to ensure the alerts index is created. Otherwise, the https://www.elastic.co/guide/en/security/current/signals-migration-api.html#migration-1 API might not show these indices as outdated.

#### How to test deprecated feature?

1. Observe the feature deprecation warning on the Kibana Upgrade page, if you set up legacy siem signals.

<details>
<summary> Kibana Upgrade feature deprecation flyout </summary>
<img width="2540" alt="Screenshot 2024-12-17 at 16 59 04" src="https://github.com/user-attachments/assets/c6aa420f-af69-4545-8400-6a6513f613a9" />
</details>

#### Test outdated indices created in 7.x

1. Create cloud env of 7.x version
2. Create rule, generate alerts for .siem-signals
3. Create cloud env of 8.18 from existing 7.x snapshot (from previous steps)
4. Connect local Kibana to 8.18 from the mirror branch of this one (elastic#204621)
5. Add to Kibana dev config the following options to enable Upgrade Assistant (UA) showing outdated indices
   ```yml
   xpack.upgrade_assistant.featureSet:
     mlSnapshots: true
     migrateDataStreams: true
     migrateSystemIndices: true
     reindexCorrectiveActions: true
   ```
6. Go to Detection rules page, ensure rule is running and new .alerts index has been created (visiting rules table page should be enough)
7. Open UA, ensure Kibana deprecations show signals are not migrated
8. Open UA, check Elasticsearch deprecations
9. Find outdated siem-signals index
10. Migrate it
11. Check Kibana deprecations still show signals are not migrated
12. Migrate signals using the https://www.elastic.co/guide/en/security/current/signals-migration-api.html API
13. Ensure Kibana deprecations do not show that space as not migrated

Demo video of migration of .siem-signals from the another-3 Kibana space (Screen.Recording.2024-12-17.at.17.08.38.mov): https://github.com/user-attachments/assets/d2729482-d2c8-4a23-a780-ad19d4f52c73

(cherry picked from commit 9cccd30)
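The migration that steps 7 to 13 of the test plan walk through by hand (ES Upgrade Assistant reindex, then the signals migration API, then re-check the Kibana deprecation) can be driven from a script. The TypeScript below is an added example and is not code from this PR or from the Kibana repository. It calls the signals migration API linked above (`migration_status`, `migration`, `finalize_migration`) through an injected `HttpClient`, so it also runs offline against the constructed responses at the bottom of the block. The response field names (`indices[].is_outdated`, `signal_versions`, `migrations[].status`, `migration_id`, `migrations[].completed`) are taken from the API documentation as I read it and should be verified against your stack version; the index-name prefix parameter exists for the custom `xpack.securitySolution.signalsIndex` naming raised in the review discussion.

```typescript
// Added example, not code from this PR or the Kibana repository. It drives the
// Security Solution signals migration API for the situation the PR warns
// about: legacy .siem-signals-* indices written by 7.x that the Elasticsearch
// Upgrade Assistant can reindex (step 10 of the test plan) but that Kibana
// still reports as not migrated (step 11) until this API has been run.
//
// Endpoints (https://www.elastic.co/guide/en/security/current/signals-migration-api.html):
//   GET  /api/detection_engine/signals/migration_status?from=<date math>
//   POST /api/detection_engine/signals/migration          { "index": [...] }
//   POST /api/detection_engine/signals/finalize_migration { "migration_ids": [...] }
// Assumptions: the response field names below follow the documentation as I
// read it (verify against your version); HttpClient is this example's
// stand-in for a real HTTP layer, which must send "kbn-xsrf: true" and
// authenticate as a user allowed to manage the signals indices.

export interface KibanaRequest {
  method: "GET" | "POST";
  path: string;
  body?: unknown;
}
export type HttpClient = (req: KibanaRequest) => Promise<unknown>;

export interface IndexStatus {
  index: string;
  version: number; // mapping version the index is currently on
  signal_versions: { version: number; count: number }[]; // versions of the documents inside it
  migrations: { id: string; status: "pending" | "success" | "failure"; version: number }[];
  is_outdated: boolean;
}
export interface MigrationStatus {
  indices: IndexStatus[];
}

// Legacy index names look like "<prefix>-<space>-000001". A space id may itself
// contain "-" (the PR's demo space is "another-3"), so anchor on the prefix and
// the optional six-digit rollover suffix instead of splitting on "-". The prefix
// parameter covers 7.x deployments that set xpack.securitySolution.signalsIndex.
export function spaceFromSignalsIndex(index: string, prefix = ".siem-signals"): string | null {
  const escaped = prefix.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const m = new RegExp("^" + escaped + "-(.+?)(?:-\\d{6})?$").exec(index);
  return m ? m[1] : null;
}

// The deprecation this PR adds is reported per Kibana space; reproduce that
// grouping from a migration_status response. An index counts as outdated when
// the API flags it, or when it still holds signals written at a version lower
// than the index's own mapping version.
export function outdatedIndicesBySpace(status: MigrationStatus, prefix = ".siem-signals"): Record<string, string[]> {
  const bySpace: Record<string, string[]> = {};
  for (const idx of status.indices) {
    const hasOldDocs = idx.signal_versions.some((v) => v.count > 0 && v.version < idx.version);
    if (!idx.is_outdated && !hasOldDocs) continue;
    const space = spaceFromSignalsIndex(idx.index, prefix) || "unknown";
    (bySpace[space] = bySpace[space] || []).push(idx.index);
  }
  return bySpace;
}

// Full workflow: find outdated indices, start their migrations, poll until each
// migration leaves "pending", then finalize only the successful ones. Returns
// index names so the caller can decide what is safe to delete afterwards.
export async function migrateOutdatedSignals(
  http: HttpClient, from = "now-30d", maxPolls = 20, sleepMs = 0,
): Promise<{ migrated: string[]; failed: string[] }> {
  const statusPath = "/api/detection_engine/signals/migration_status?from=" + encodeURIComponent(from);
  const status = (await http({ method: "GET", path: statusPath })) as MigrationStatus;
  const grouped = outdatedIndicesBySpace(status);
  let targets: string[] = [];
  for (const space of Object.keys(grouped)) targets = targets.concat(grouped[space]);
  if (targets.length === 0) return { migrated: [], failed: [] };

  const started = (await http({
    method: "POST", path: "/api/detection_engine/signals/migration", body: { index: targets },
  })) as { indices: { index: string; migration_id: string | null }[] };
  const indexOfMigration: Record<string, string> = {};
  for (const i of started.indices) if (i.migration_id) indexOfMigration[i.migration_id] = i.index;
  const ids = Object.keys(indexOfMigration);

  // Poll the status endpoint until every started migration has a terminal status.
  let terminal: Record<string, "success" | "failure"> = {};
  for (let attempt = 0; attempt < maxPolls; attempt++) {
    terminal = {};
    const poll = (await http({ method: "GET", path: statusPath })) as MigrationStatus;
    for (const idx of poll.indices) {
      for (const m of idx.migrations) {
        if (indexOfMigration[m.id] !== undefined && m.status !== "pending") {
          terminal[m.id] = m.status === "success" ? "success" : "failure";
        }
      }
    }
    if (Object.keys(terminal).length === ids.length) break;
    if (sleepMs > 0) await new Promise<void>((resolve) => setTimeout(resolve, sleepMs));
  }

  const succeeded = ids.filter((id) => terminal[id] === "success");
  const failed = ids.filter((id) => terminal[id] !== "success").map((id) => indexOfMigration[id]);
  if (succeeded.length === 0) return { migrated: [], failed };
  const fin = (await http({
    method: "POST", path: "/api/detection_engine/signals/finalize_migration", body: { migration_ids: succeeded },
  })) as { migrations: { id: string; index: string; completed: boolean }[] };
  for (const m of fin.migrations) if (!m.completed) failed.push(m.index);
  return { migrated: fin.migrations.filter((m) => m.completed).map((m) => m.index), failed };
}

// Constructed sample responses (not captured from a real cluster) so the
// workflow runs offline. The "another-3" index still holds 25 version-12
// signals, so it is outdated; the default-space index is clean.
export function fakeKibana(): HttpClient {
  let phase = 0; // 0 before migration, 1 migration pending, 2 migration done
  return async (req) => {
    if (req.method === "GET") {
      const migrations: IndexStatus["migrations"] =
        phase === 0 ? [] : [{ id: "mig-1", status: phase === 1 ? "pending" : "success", version: 15 }];
      if (phase === 1) phase = 2; // the next poll sees the migration complete
      const status: MigrationStatus = {
        indices: [
          { index: ".siem-signals-default-000001", version: 15, signal_versions: [{ version: 15, count: 40 }], migrations: [], is_outdated: false },
          { index: ".siem-signals-another-3-000001", version: 15, signal_versions: [{ version: 15, count: 3 }, { version: 12, count: 25 }], migrations, is_outdated: true },
        ],
      };
      return status;
    }
    if (req.path.indexOf("/finalize_migration") === -1) {
      phase = 1;
      return { indices: [{ index: ".siem-signals-another-3-000001", migration_id: "mig-1" }] };
    }
    return { migrations: [{ id: "mig-1", index: ".siem-signals-another-3-000001", completed: true }] };
  };
}

// Stand-alone run against the fake client; swap in a real HttpClient for a cluster.
migrateOutdatedSignals(fakeKibana()).then((r) => console.log(JSON.stringify(r)));
```

Against a real deployment, replace `fakeKibana()` with a client that sends `kbn-xsrf: true` and authenticates as a user allowed to manage the signals indices, and keep `sleepMs` above zero so the poll loop does not hammer the status endpoint. Finalize only migrations that reached `success`, and check the returned `failed` list before deleting any old index; the Kibana deprecation this PR adds is the confirmation that a space is clean.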
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
[Security Solution][Detection Engine] add deprecation warning for non-migrated signals (#204247) (#205858)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution][Detection Engine] add deprecation warning for non-migrated signals (#204247)](#204247)

Backport version: 9.4.3. Source commit 9cccd303ef91686fc6097c24ba697bf3d8875e01 on `main`, authored by Vitalii Dmyterko and committed 2025-01-08T10:28:35Z; source PR labels: release_note:skip, v9.0.0, v8.18.0, Team:Detections and Resp, Team:Detection Engine, backport:prev-minor. Target branches: main (v9.0.0, merged as #204247) and 8.x (v8.18.0, backport pull request not yet created when this body was generated).

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Vitalii Dmyterko <[email protected]>