Commit 4e397ad
[Entity Store] Add Upsert Entity API (#234454)
## Summary
Add Upsert Entity API which reflects changes made via the API directly
in the final entities index.
#### What is implemented
- Update documents
  - Allowed fields:
    - `entity.attributes.*`
    - `entity.lifecyle.*`
    - `entity.behavior.*`
- Force update documents
#### Added ES Assets:
- Component Template `security_${type}_default-updates@platform`
- Index Template `entities_v1_updates_security_${type}_default_index_template`
- Index `.entities.v1.updates.security_${type}_default`
#### What is not implemented
- Create
- ILM Policy to delete update documents
#### How to test
Ingest entities and run in the dev console:
```
PUT kbn:/api/entity_store/entities/generic
{
  "entity": {
    "id": "<ID>",
    "attributes": {
      "StorageClass": "hot"
    }
  }
}
```
### How it works
Before explaining the API itself, a refresher on the entity store:
<details>
<summary> Entity Store Diagram </summary>

```mermaid
flowchart TB
subgraph Main Flow
A[(.logs*)] ~~~~ B[Transform]
B ---> |Fetches raw entity data| A
B ---> | Sends Aggregated Data | G{Ingest Pipeline}
G --> | Combines new and old data and stores it| C[(.entity.v1.latest*)]
end
G -.-> | Fetches data older than transform retention policy| D[(.enrich-index-entities)]
subgraph Retention Policy Flow
direction LR
E((Kibana Task)) -->|trigger every hour| F[Enrich Policy Entities]
F -.->| Fetches most upto date entities| C
F --->| Stores data | D
end
```
</details>
The entity store works based on a Transform which has a look back period of X hours (currently 3h). That means data older than the look back period won't be retained. To solve that, an Enrich Policy is set in place that takes hourly snapshots of the current state of the entity store and makes it available, via ingest pipeline, to enrich entity updates and make sure that we have data older than the look back period present. Awesome.
This adds complexity to this feature. The goal is to add an API that, once called, reflects data changes immediately in the latest index. A few things were considered:
- ❌ Add a new document to an update index to be picked up by the transform.
  - That doesn't satisfy the requirement because changes will be made available only after a transform finishes its run.
- ❌ Perform update by query in the latest index.
  - That works great if the entity in the latest index doesn't get any other update via the transform, which we can't guarantee, of course.
So the solution arrived at was to both perform an update by query in the latest index and publish an update document to be picked up by the transform; this way we get the best of both worlds.
- So first, update by query on `.entities.v1.latest.security_$TYPE_default` (update made via painless)
- Then index a new document on `.entities.v1.updates.security_$TYPE_default` to be picked up by the transform.
```mermaid
flowchart LR
A[User] -->|PUT /api/entity_store/entities/$TYPE| B[Kibana]
B --> |update by query| C[(.entities.v1.latest.security_$TYPE_default)]
B --> |create new doc| D[(.entities.v1.updates.security_$TYPE_default)]
```
We considered adding a priority mechanism to the update index so we could make sure that documents published to it would be picked up. First, we found out that we don't need to make sure a document is seen by the transform. By definition, transforms process every document; there is no mechanism to drop documents in case processing is taking too long. Second, we can't do it because the aggregations we run already sort to find the latest values, and sorting on multiple fields is not possible.
### Fields and Schema
Prior to this PR, non-generic entities (`user`, `host`, and `service`) had no exposure to concepts defined in the proposed `entity.*` ECS schema. We had to address this to be able to make changes to the `entity.attributes`, `entity.lifecyle` and `entity.behavior` fields.
[The current direction](elastic/ecs#2513) is that `entity.*` fields will be nested under `user`, `host`, `service` and `generic` for data input, and the latest index, with the final entities, will have a root `entity.*` field set.
In other words, there is a difference between the entity data input location and the entity data output location.
The document
```json
{ "user": { "entity": { "id" : "romulo", "type": "aws-user" } } }
```
Will be represented in the latest index as
```json
{ "entity": { "id" : "romulo", "type": "aws-user" } }
```
Because of the current direction of the discussion, we decided to go that way already. Therefore this PR contains changes to the entity definitions themselves, adding entity fields that use `{TYPE}.entity.*` as data source and `entity.*` as destination (`x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_definitions/entity_descriptions/common.ts`).
That also posed another question: what will the input look like? Will it accept the entity "input" or the entity "output" format?
I decided to stay close to the "output" format, therefore accepting `entity.*` JSON fields, which would be applied to the entity store. The reason behind it is simplicity of the API. I believe that having an inconsistent placement for `entity` in the API isn't a great experience, therefore always accepting
```json
{ "entity": { "id" : "romulo", "type": "aws-user" } }
```
is better imo.
**That's contradictory to the input via logs however**. Curious to hear people's opinion.
There is another problem that further deviates the API from any ECS definition (input or output). For fields under `entity.attributes`, `entity.lifecyle` and `entity.behavior`, we decided to define them in ECS. And because they are "custom fields", product would like them to have a `Capital_snake_case` format, which is not traditional, and developing with TS in such a case is not really allowed at the moment. To curb that, the API exposes those fields as `snake_case` and converts them to `Capital_snake_case` before storing. That was the best way I found while still having the field definition in the OpenAPI spec.
---------
Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Mark Hopkin <[email protected]>

1 parent 0cadb16 commit 4e397ad
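The two writes described in "How it works" (update by query on the latest index plus an update document for the transform) together with the `snake_case` to `Capital_snake_case` conversion from "Fields and Schema", as an added TypeScript example that is not the PR's own code. It assumes the `lifecycle` spelling, that `Capital_snake_case` capitalises only the first letter (`storage_class` becomes `Storage_class`), and a painless script of my own rather than the one in the PR.

```typescript
// Added example (not the PR's own code): the two writes the Upsert Entity API performs.
type EntityType = 'user' | 'host' | 'service' | 'generic';
type Fields = Record<string, unknown>;
interface EntityInput { id: string; attributes?: Fields; lifecycle?: Fields; behavior?: Fields; [extra: string]: unknown }

// Only these groups are updatable; the spelling `lifecycle` is assumed (the PR text writes `lifecyle`).
const ALLOWED_GROUPS: ReadonlyArray<'attributes' | 'lifecycle' | 'behavior'> = ['attributes', 'lifecycle', 'behavior'];

// The API exposes snake_case; storage uses Capital_snake_case (assumed: "storage_class" -> "Storage_class").
function toCapitalSnakeCase(key: string): string {
  const lower = key.toLowerCase();
  return lower.charAt(0).toUpperCase() + lower.slice(1);
}

function buildUpsertRequests(type: EntityType, input: EntityInput) {
  if (!input.id) throw new Error('entity.id is required');
  // Anything outside the allowed groups (e.g. entity.type) is rejected rather than silently dropped.
  const disallowed = Object.keys(input).filter((k) => k !== 'id' && (ALLOWED_GROUPS as ReadonlyArray<string>).indexOf(k) === -1);
  if (disallowed.length > 0) throw new Error('disallowed fields: ' + disallowed.join(', '));

  const stored: Record<string, Fields> = {};
  ALLOWED_GROUPS.forEach((group) => {
    const values = input[group];
    if (!values) return;
    const converted: Fields = {};
    Object.keys(values).forEach((k) => { converted[toCapitalSnakeCase(k)] = values[k]; });
    stored[group] = converted;
  });

  // 1) Update by query on the latest index. The painless script (assumed, not the PR's) merges each
  //    group from params, so caller-supplied keys are never concatenated into the script source.
  const updateByQuery = {
    index: '.entities.v1.latest.security_' + type + '_default',
    query: { term: { 'entity.id': input.id } },
    script: {
      lang: 'painless',
      source: 'for (def g : params.groups.entrySet()) { if (ctx._source.entity[g.getKey()] == null) ' +
        '{ ctx._source.entity[g.getKey()] = [:]; } ctx._source.entity[g.getKey()].putAll(g.getValue()); }',
      params: { groups: stored },
    },
  };
  // 2) Update document in the input shape (`${type}.entity.*`, assumed) so the transform picks it up later.
  const updateDoc = {
    index: '.entities.v1.updates.security_' + type + '_default',
    document: { '@timestamp': new Date().toISOString(), [type]: { entity: { id: input.id, ...stored } } },
  };
  return { updateByQuery, updateDoc };
}
```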
69 files changed, +3340 −636 lines changed