[8.x] [SecuritySolution] Update Entity analytics BE to support service entity type (#203409) #205384
Merged
…ty type (elastic#203409)

## Summary

Update Entity Analytics BE to support the new entity type "service".

* Hide all functionality behind an Experimental Flag (`serviceEntityStoreEnabled`)
* Update asset criticality assignment
* Update Bulk upload logic
* Update Risk score calculation
* Create plugin setup mappings migration
* Add service to risk score indices and templates
* Add service to asset criticality index
* Create a reusable migration workflow where we only need to update the mappings and bump the version
* Add a risk score transform migration when the schedule is now called
  * It will delete and reinstall the transform to apply the changes

### Issues

* I had to update the API doc to include service even though it is behind an Experimental Flag
* The risk score mappings migration runs on every space. If the users have thousands of spaces, it could take some time.

### What is not included?

* UI changes

## Documentation for Entity Analytics future migrations

### How to add a new field to the risk score index and template mappings?

* Update the mapping object [here](https://github.com/elastic/kibana/blob/6f8b5f6c51f5926929e2ae17450b11686085a980/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_score/configurations.ts#L102)
* Bump the `mappingsVersion` version [here](https://github.com/elastic/kibana/blob/8333bea86febd6dab97198d51bc3bb8f8cfa07ed/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_engine/utils/saved_object_configuration.ts#L31)

### How to add a new field to the asset criticality index?

* Update the mapping object [here](https://github.com/elastic/kibana/blob/8333bea86febd6dab97198d51bc3bb8f8cfa07ed/x-pack/plugins/security_solution/server/lib/entity_analytics/asset_criticality/constants.ts#L22)
* Bump the `ASSET_CRITICALITY_MAPPINGS_VERSIONS` version [here](https://github.com/elastic/kibana/blob/8333bea86febd6dab97198d51bc3bb8f8cfa07ed/x-pack/plugins/security_solution/server/lib/entity_analytics/asset_criticality/constants.ts#L20)

### How to update the risk score transform config?

* Update the transform config [here](https://github.com/elastic/kibana/blob/6f8b5f6c51f5926929e2ae17450b11686085a980/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_score/configurations.ts#L162)
* Bump the `version` [here](https://github.com/elastic/kibana/blob/6f8b5f6c51f5926929e2ae17450b11686085a980/x-pack/plugins/security_solution/server/lib/entity_analytics/risk_score/configurations.ts#L190)

*Note: If you change the `latest` property, the transform will reinstall after the engine task runs.*

## How to test it?

* Enable the flag `serviceEntityStoreEnabled`
* Start ES and an old version of Kibana
* Populate it with data, start the risk engine
  * You could also run the document generator `yarn start entity-store`
* Make sure you have some alerts with the `service.name` field populated
* Migrate to the version on this PR
* Run the risk engine
* You should see risk score documents created for service entities
* All asset criticality APIs should support `service` entities

## Checklist

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios
- [x] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: kibanamachine <[email protected]>

(cherry picked from commit 1fbd86f)

```
# Conflicts:
#	x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/risk_engine/utils/saved_object_configuration.ts
#	x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/risk_score/calculate_risk_scores.test.ts
#	x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/risk_score/calculate_risk_scores.ts
#	x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/init_and_status_apis.ts
```
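The "update the mapping object, bump the version" workflow described in the PR description above, as an added example that is not Kibana's own code: the mapping lives in code beside a `mappingsVersion`, each space records the version it has installed, and on setup every space that is behind gets the new fields added and its recorded version bumped. The transform side is modelled as a plain version comparison whose result means delete-and-reinstall. All type and function names (`migrateSpace`, `migrateAllSpaces`, `transformNeedsReinstall`), the field list and the sample space states are constructed for illustration.

```typescript
// Added example, not Kibana's code: a version-gated mappings migration of the kind the
// PR describes. All names and the sample data below are hypothetical.

type FieldMapping = { type: string };
type MappingProperties = Record<string, FieldMapping>;

interface MappingsConfig {
  mappingsVersion: number;
  properties: MappingProperties;
}

// Stand-in for state that is normally split between a saved object (the version)
// and an Elasticsearch index or template (the properties).
interface SpaceState {
  installedMappingsVersion: number;
  indexProperties: MappingProperties;
}

interface MigrationResult {
  space: string;
  action: 'skipped' | 'updated';
  fromVersion: number;
  toVersion: number;
  addedFields: string[];
}

// Constructed sample config: version 1 mapped host and user, version 2 adds service.
const RISK_SCORE_MAPPINGS: MappingsConfig = {
  mappingsVersion: 2,
  properties: {
    'host.name': { type: 'keyword' },
    'user.name': { type: 'keyword' },
    'service.name': { type: 'keyword' },
    'risk.calculated_score_norm': { type: 'float' },
  },
};

// Migrate one space. Elasticsearch lets a mapping update add fields but not change the
// type of an existing one, so a type mismatch is reported instead of being "applied".
function migrateSpace(space: string, state: SpaceState, config: MappingsConfig): MigrationResult {
  const fromVersion = state.installedMappingsVersion;
  if (fromVersion >= config.mappingsVersion) {
    return { space, action: 'skipped', fromVersion, toVersion: fromVersion, addedFields: [] };
  }
  const addedFields: string[] = [];
  for (const [field, mapping] of Object.entries(config.properties)) {
    const existing = state.indexProperties[field];
    if (existing === undefined) {
      state.indexProperties[field] = { ...mapping };
      addedFields.push(field);
    } else if (existing.type !== mapping.type) {
      throw new Error(
        `${space}: ${field} is mapped as ${existing.type} but config wants ${mapping.type}; needs a reindex, not a mapping update`
      );
    }
  }
  state.installedMappingsVersion = config.mappingsVersion;
  return { space, action: 'updated', fromVersion, toVersion: config.mappingsVersion, addedFields };
}

// Run over every space. The PR notes the cost scales with the number of spaces, so the
// summary records which spaces were touched and which failed, rather than letting one
// bad space abort the rest.
function migrateAllSpaces(spaces: Record<string, SpaceState>, config: MappingsConfig) {
  const results: MigrationResult[] = [];
  const failures: Record<string, string> = {};
  for (const [space, state] of Object.entries(spaces)) {
    try {
      results.push(migrateSpace(space, state, config));
    } catch (err) {
      failures[space] = (err as Error).message;
    }
  }
  return { results, failures };
}

// A transform cannot be extended in place the way a mapping can, so a version bump
// means delete-and-reinstall, as the PR describes for the risk score transform.
function transformNeedsReinstall(installedVersion: number, configVersion: number): boolean {
  return installedVersion < configVersion;
}

// Constructed sample: 'default' is on v1, one space is already current, one has drifted.
const SAMPLE_SPACES: Record<string, SpaceState> = {
  default: {
    installedMappingsVersion: 1,
    indexProperties: {
      'host.name': { type: 'keyword' },
      'user.name': { type: 'keyword' },
      'risk.calculated_score_norm': { type: 'float' },
    },
  },
  'already-migrated': { installedMappingsVersion: 2, indexProperties: { ...RISK_SCORE_MAPPINGS.properties } },
  'type-drift': { installedMappingsVersion: 1, indexProperties: { 'host.name': { type: 'text' } } },
};

function runSample() {
  return migrateAllSpaces(SAMPLE_SPACES, RISK_SCORE_MAPPINGS);
}
```

The version check is what makes the workflow cheap to extend: adding a field is a change to the mapping object plus a version bump, and spaces already at the current version are skipped. The example also refuses to treat a changed field type as a mapping update, since in Elasticsearch that requires a reindex; a real migration should surface that per space rather than fail the whole setup.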
💚 Build Succeeded
jaredburgettelastic approved these changes on Jan 3, 2025
👍 Confirmed that the changes are the same as the original PR (with the exception of a translation change to zh-CN.json).
Backport: This will backport the following commits from main to 8.x. Questions? Please refer to the Backport tool documentation.