[Security Solution] Fix cloud logs exclusion#130069
[Security Solution] Fix cloud logs exclusion#130069stephmilovic merged 22 commits intoelastic:mainfrom
Conversation
|
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@elasticmachine merge upstream |
x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/common/containers/sourcerer/index.tsx
Outdated
Show resolved
Hide resolved
x-pack/plugins/security_solution/public/common/containers/sourcerer/index.test.tsx
Show resolved
Hide resolved
andrew-goldstein
left a comment
There was a problem hiding this comment.
Thanks @stephmilovic for fixing 130753, and for ensuring exclude patterns are always applied at the end as a workaround for 86019! 🙏
In addition to the fix and workaround above, making the -*elastic-cloud-logs-* exclude pattern an explicit part of the securitySolution:defaultIndex (and removing the code that appended it automatically in some cases) makes it easier to reason about exclusions, and makes the Security Data View return consistent results when the data view is used in other parts of Kibana (outside of the security solution).
Release notes
DOCS team, please include this fix in the release notes, and communicate the following:
- This PR adds the
-*elastic-cloud-logs-*exclude pattern to the defaultsecuritySolution:defaultIndexsetting (in Kibana advanced settings) - Elastic Cloud users who modified the default
securitySolution:defaultIndexsetting may need to manually add-*elastic-cloud-logs-*to thesecuritySolution:defaultIndexsetting to exclude logs from Elastic Cloud that were automatically excluded prior to this fix - This PR includes a fix for 130753, which enables arbitrary exclude patterns to be added to the
securitySolution:defaultIndexsetting - This PR includes a workaround for 86019 by ensuring exclude patterns always appear at the end of the list of indexes
✅ Desk tested locally
LGTM 🚀
|
CC @paulewing |
| strict: false, | ||
| }) != null; | ||
|
|
||
| export const isAlertsOrRulesDetailsPage = (pathname: string): boolean => |
There was a problem hiding this comment.
Was this just dead code?
There was a problem hiding this comment.
yes. sorry, should've left a comment
| import { SelectedDataViewPayload } from './actions'; | ||
| import { sourcererModel } from '../model'; | ||
|
|
||
| export const sortWithExcludesAtEnd = (indices: string[]) => { |
There was a problem hiding this comment.
Nit: Can we add a quick unit test for the new helper?
| ]; | ||
|
|
||
| /** The comma-delimited list of Elasticsearch indices from which the SIEM app collects events, and the exclude index pattern */ | ||
| export const DEFAULT_INDEX_PATTERN = [...INCLUDE_INDEX_PATTERN, ...EXCLUDE_ELASTIC_CLOUD_INDICES]; |
There was a problem hiding this comment.
Does the change mean the elastic cloud index will always be excluded (unless the user modifies the advanced settings) as opposed to before when it was just if the logs-* existed or something?
yctercero
left a comment
There was a problem hiding this comment.
LGTM - one question left where just trying to better understand the behavior related to the cloud logs and what functionality is missed if they're always excluded (if that is the case).
machadoum
left a comment
There was a problem hiding this comment.
security-threat-hunting-explore changes LGTM!
| }); | ||
|
|
||
| it('Should NOT exclude elastic cloud alias when selected patterns does NOT include "logs-*" as an alias', async () => { | ||
| it('Should put any excludes in the index pattern at the end of the pattern list, and sort both the includes and excludes', async () => { |
There was a problem hiding this comment.
Nit: Can we add a quick unit test for the new helper?
@yctercero @machadoum the sortWithExcludesAtEnd function is tested through this test. would you prefer i explicitly add a test in helpers.test.ts?
|
@elasticmachine merge upstream |
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
Summary
.sort()outside of the exclude. There are some other inconsistencies with exclude patterns that are being addressed by the ES team: Multi-target syntax bug with datastream backing indices and excluded targets elasticsearch#86019Added additional log excludes:.ds-logs-elastic_agent*, .ds-logs-system-*as proposed in an SDHsecuritySolution:defaultIndexshould be applied to the default data view #130753