Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Asset criticality alert enrichment (#171241)
## Summary This will allow analysts to filter alerts by the analyst-defined criticality of the related host or user. This introduces two new kibana fields to alerts. These fields allow us to model the criticality of the alert's most relevant host and user, in context of analyst workflows. | field name | type | description | example | | -- | -- | -- | -- | | `kibana.alert.host.criticality_level` | keyword | Contains an enum describing the criticality of the host, as defined by the analyst in a previously used workflow. Used by analysts to filter alerts by host criticality. | 'very important' | | `kibana.alert.user.criticality_level` | keyword | Contains an enum describing the criticality of the user, as defined by the analyst in a previously used workflow. Used by analysts to filter alerts by user criticality. | 'very important' | ## Design Analysts can assign criticality to their assets. These are stored in the asset criticality index (`.asset-criticality.asset-criticality-${space}`). This PR will detect user names and host names in events, query the asset criticality index for the associated criticality (if any) and then add that value to the resulting alert under `kibana.alert.host.criticality_level` or `kibana.alert.user.criticality_level` ## Design Exploration ### What if we want to filter by other criticalities? We may want to allow analysts to filter on the criticality of other entities. For example, alerts can refer to multiple users and multiple hosts. Also, we may introduce other types of entities, e.g. IP addresses, files, registry keys. If we were to follow the same approach as we did here, that could lead to a mapping explosion if we had a lot. However: * we don't think we'll add very many classes of entities. less than 8 more. * we don't necessarily want to filter alerts by other ones. ### Using keyword vs nested or flattened We could use a flattened or nested field here to store more criticalities and have them all indexed. However we don't need to sort or order alerts by their entity's criticalities so we don't see a need. ### KQL support The fields we proposed here are of `keyword` type. This type of field works intuitively for KQL and since analyst workflows are the focus of this change, this lines up well. ## How to test until asset criticality UI is not enabled let's create a mapping for asset criticality and index some docs ``` PUT .asset-criticality.asset-criticality-default { "mappings": { "properties": { "id_value": { "type": "keyword" }, "id_field": { "type": "keyword" }, "criticality_level": { "type": "keyword" }, "@timestamp": { "type": "date" }, "updated_at": { "type": "date" } } } } ``` ``` POST .asset-criticality.asset-criticality-default/_doc { "id_field": "user.name", "id_value": "User 1", "criticality_level": "very important", "@timestamp": 1701860267617 } POST .asset-criticality.asset-criticality-default/_doc { "id_field": "host.name", "id_value": "Host 3", "criticality_level": "normal", "@timestamp": 1701860267617 } ``` Then create rules, which have alerts from events with `host.name` or `user.name` which match asset criticality documents. Then add fields to the alerts table, you should see some values in those columns <img width="1201" alt="Screenshot 2023-12-07 at 11 24 24" src="https://github.com/elastic/kibana/assets/7609147/fb8c07bf-4cc6-4273-95b0-34af9d3f2e72"> ### Checklist Delete any items that are not applicable to this PR. - [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md) - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials - [ ] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios - [ ] Any UI touched in this PR is usable by keyboard only (learn more about [keyboard accessibility](https://webaim.org/techniques/keyboard/)) - [ ] Any UI touched in this PR does not create any new axe failures (run axe in browser: [FF](https://addons.mozilla.org/en-US/firefox/addon/axe-devtools/), [Chrome](https://chrome.google.com/webstore/detail/axe-web-accessibility-tes/lhdoppojpmngadmnindnejefpokejbdd?hl=en-US)) - [ ] If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the [docker list](https://github.com/elastic/kibana/blob/main/src/dev/build/tasks/os_packages/docker_generator/resources/base/bin/kibana-docker) - [ ] This renders correctly on smaller devices using a responsive layout. (You can test this [in your browser](https://www.browserstack.com/guide/responsive-testing-on-local-server)) - [ ] This was checked for [cross-browser compatibility](https://www.elastic.co/support/matrix#matrix_browsers) ### Risk Matrix Delete this section if it is not applicable to this PR. Before closing this PR, invite QA, stakeholders, and other developers to identify risks that should be tested prior to the change/feature release. When forming the risk matrix, consider some of the following examples and how they may potentially impact the change: | Risk | Probability | Severity | Mitigation/Notes | |---------------------------|-------------|----------|-------------------------| | Multiple Spaces—unexpected behavior in non-default Kibana Space. | Low | High | Integration tests will verify that all features are still supported in non-default Kibana Space and when user switches between spaces. | | Multiple nodes—Elasticsearch polling might have race conditions when multiple Kibana nodes are polling for the same tasks. | High | Low | Tasks are idempotent, so executing them multiple times will not result in logical error, but will degrade performance. To test for this case we add plenty of unit tests around this logic and document manual testing procedure. | | Code should gracefully handle cases when feature X or plugin Y are disabled. | Medium | High | Unit tests will verify that any feature flag or plugin combination still results in our service operational. | | [See more potential risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx) | ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Nikita Khristinin <nkhristinin@gmail.com> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com> Co-authored-by: Khristinin Nikita <nikita.khristinin@elastic.co>
- Loading branch information