[8.x] [SecuritySolution] Add service enrichment to detection engine (#206582) #207708
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…c#206582) ## Summary * Add alert enrichment for `service.asset.criticality`, `service.risk.calculated_level` and `service.risk.calculated_score_norm` fields * Add `Service Risk Level` and `Service Criticality` columns to the alerts table  ### How to test? * Enable the flag `serviceEntityStoreEnabled ` * Start an empty kibana instance * Add data using the document generator with the `yarn start entity-store` command. * Add a seed when prompted * Assign asset criticality for the service entity you are testing with * Ensure the service entity you are testing with has a risk score. * You can run the engine from the Risk score page if needed. * Add more data using the same seed * Force the created rule to run so it generates new alerts * Check if the alerts created for the new batch of data have the new field populated. ### How does enrichment work? When alerts are created, the current asset criticality and risk score are fetched and merged into the alert document. These values won't get updated if the risk score or asset changes. ### Checklist Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well. - [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] [Flaky Test Runner](https://ci-stats.kibana.dev/trigger_flaky_test_runner/1) was used on any tests changed - [ ] The PR description includes the appropriate Release Notes section, and the correct `release_note:*` label is applied per the [guidelines](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) (cherry picked from commit 888dd24) # Conflicts: # x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/utils/enrichments/index.test.ts # x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/rule_types/utils/enrichments/index.ts
3 tasks
hop-dev
approved these changes
Jan 22, 2025
💚 Build Succeeded
Metrics [docs]Async chunks
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Backport
This will backport the following commits from
mainto8.x:Questions ?
Please refer to the Backport tool documentation