[Security] Alert Telemetry for the Security app#77200
tsg merged 27 commits into elastic:master, Sep 30, 2020
Conversation
@elasticmachine merge upstream
This is using recursion now. Also, based on Xavier's review, moved up the try and the isSending check to avoid building up queries.
// Allow list for the data we include in the events. True means that it is deep-cloned
// blindly. Object contents means that we only copy the fields that appear explicitly in
// the sub-object.
const allowlistEventFields: AllowlistFields = {
This looks good to me. FYI @bfilar @pjhampton @jeska
spong reviewed Sep 29, 2020: x-pack/plugins/security_solution/server/lib/detection_engine/signals/send_telemetry_events.ts
…ignals/send_telemetry_events.ts Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
XavierM reviewed Sep 29, 2020: x-pack/plugins/security_solution/server/lib/telemetry/sender.ts (four comment threads, all outdated and resolved)
Pinging @elastic/siem (Team:SIEM)
💚 Build Succeeded
phillipb added a commit to phillipb/kibana that referenced this pull request, Sep 30, 2020:
…aly-detection-partition-field * 'master' of github.com:elastic/kibana: (37 commits) Fixes for the Ticket 78375 (elastic#79004) [Security] Alert Telemetry for the Security app (elastic#77200) [Search bar] Remove duplicate `popoverProps` (elastic#79025) [Security Solution][Detections] Add rule overrides for single event EQL rules (elastic#78876) [SECURITY_SOLUTION][ENDPOINT] Improve Endpoint Host data generator to also integrate with Ingest (elastic#74305) remove file accidentally checked in (elastic#79005) [ML] DF Analytics creation wizard: replace select input with job type cards with icons (elastic#78872) [Design] A couple fixes for 7.10 (elastic#78801) Fix KQL autocomplete value suggestions (elastic#78676) [Security Solution][Resolver] New mock with cursor (elastic#78863) Embeddables: basic documentation (elastic#78900) [security solution] only import beat_schema when needed (elastic#78708) [Reporting] API Integration tests: fix flaky tests for Spaces CSV formatting (elastic#78849) [Actions] Adds a "Test Connector" button on the Connectors List to make discovery of the Test tab easier (elastic#78746) [Discover] Fix functional time picker test permissions (elastic#78564) [ML] Fixing module datafeed overrides (elastic#78925) Adds some missing licenses to the CSV export (elastic#78719) [dev/cli] ensure plugins/ and all watch source dirs exist (elastic#78973) [Lens] Stop using scripted metric to collect telemetry (elastic#78687) [Lens] fix wrong message in fields accordion (elastic#78924) ...
tsg added a commit that referenced this pull request, Oct 1, 2020:
This adds a `TelemetryEventsSender` component that can be used to publish Endpoint alerts to our Telemetry service. The alerts are filtered by a set of allowed fields (for PII) and batched in a queue to be sent once per minute. There is a cap of 100 alerts per minute to be sent. The component respects the telemetry opt-in status and enriches the alerts with the cluster ID and name. The Detection Engine is slightly modified to send endpoint telemetry events via the `TelemetryEventsSender`. Only the "custom query" rule type is modified because that's the only one that can create Endpoint Alerts. Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com> Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
This was referenced Feb 18, 2021
Pinging @elastic/security-solution (Team: SecuritySolution)
Summary
This adds a `TelemetryEventsSender` component that can be used to publish Endpoint alerts to our Telemetry service. The alerts are filtered by a set of allowed fields (for PII) and batched in a queue to be sent once per minute. There is a cap of 100 alerts per minute to be sent. The component respects the telemetry opt-in status and enriches the alerts with the cluster ID and name.
The Detection Engine is slightly modified to send endpoint telemetry events via the `TelemetryEventsSender`. Only the "custom query" rule type is modified because that's the only one that can create Endpoint Alerts.
Remaining TODOs:
Checklist
Delete any items that are not applicable to this PR.
[ ] Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
[ ] This was checked for keyboard-only and screenreader accessibility
[ ] This renders correctly on smaller devices using a responsive layout. (You can test this in your browser
[ ] This was checked for cross-browser compatibility
For maintainers
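The allowlist copy rule quoted in the review thread above (`true` means a blind deep clone, a nested object lists only the sub-fields to keep) together with the queue, per-flush cap and cluster enrichment described in the summary, as an added TypeScript example that is not the PR's own code. The names `AllowlistFields`, `copyAllowlistedFields` and `TelemetryQueue`, and the sample allowlist and alert, are assumptions made for the example.

```typescript
// Added example (not the Kibana PR's code); all names here are assumptions.
type AllowlistFields = { [field: string]: boolean | AllowlistFields };
// `true` deep-clones the field blindly; a nested object copies only the sub-fields it
// lists explicitly. Fields not on the allowlist are dropped, which is the PII control.
function copyAllowlistedFields(
  allowlist: AllowlistFields,
  event: Record<string, unknown>
): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [field, rule] of Object.entries(allowlist)) {
    const value = event[field];
    if (value === undefined || rule === false) continue;
    if (rule === true) {
      out[field] = JSON.parse(JSON.stringify(value)); // blind deep clone
    } else if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      out[field] = copyAllowlistedFields(rule, value as Record<string, unknown>); // recurse
    }
  }
  return out;
}
// Bounded queue: alerts beyond maxPerBatch are dropped until the next flush
// (the PR sends once per minute with a cap of 100).
class TelemetryQueue {
  private queue: Record<string, unknown>[] = [];
  private readonly allowlist: AllowlistFields;
  private readonly maxPerBatch: number;
  constructor(allowlist: AllowlistFields, maxPerBatch = 100) {
    this.allowlist = allowlist;
    this.maxPerBatch = maxPerBatch;
  }
  enqueue(events: Record<string, unknown>[]): number { // returns the accepted count
    let accepted = 0;
    for (const e of events) {
      if (this.queue.length >= this.maxPerBatch) break;
      this.queue.push(copyAllowlistedFields(this.allowlist, e));
      accepted++;
    }
    return accepted;
  }
  flush(clusterId: string, clusterName: string): Record<string, unknown>[] { // drain and enrich
    const batch = this.queue.map((e) => ({ ...e, cluster_uuid: clusterId, cluster_name: clusterName }));
    this.queue = [];
    return batch;
  }
}
// Constructed sample allowlist and alert; not the PR's real allowlist.
const sampleAllowlist: AllowlistFields = { '@timestamp': true, event: { kind: true, category: true }, host: { os: { family: true } } };
const sampleAlert = { '@timestamp': '2020-09-30T12:00:00Z', event: { kind: 'alert', category: 'malware', original: 'raw' },
  host: { name: 'laptop-of-alice', os: { family: 'windows', version: '10' } }, user: { name: 'alice' } };
```

Filtering `sampleAlert` keeps `event.kind`, `event.category` and `host.os.family` and drops `event.original`, `host.name` and the whole `user` object; a queue built with a cap of 2 accepts two of three alerts and returns them tagged with the cluster on flush.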