-
Notifications
You must be signed in to change notification settings - Fork 8.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Entity Analytics] [Entity Store] Add audit logs #196847
Conversation
Pinging @elastic/security-entity-analytics (Team:Entity Analytics) |
a84bf11
to
7fe4989
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
I left a few comments. Before merging the PR, I think we should answer all questions left as comments.
// This may change in the future, depending on the audit action. | ||
const outcome = error ? AUDIT_OUTCOME.FAILURE : AUDIT_OUTCOME.UNKNOWN; | ||
|
||
// QUESTION: For EXECUTE action: Maybe START is better: https://www.elastic.co/guide/en/ecs/8.11/ecs-allowed-values-event-type.html#ecs-event-type-start |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we clarify al questions before merging the PR? Otherwise, we will have inconsistent audit logs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We went through it at standup. I've removed the extra audit logs which makes the questions raised obsolete, so I've removed the comments.
Leaving the note one as I think that one is important for any future work here
const descriptor = await this.engineClient.get(entityType); | ||
if (!options?.force && descriptor.status !== ENGINE_STATUS.STOPPED) { | ||
throw new Error( | ||
`In namespace ${this.options.namespace}: Cannot start Entity engine for ${entityType} when current status is: ${descriptor.status}` | ||
`In namespace ${namespace}: Cannot start Entity engine for ${entityType} when current status is: ${descriptor.status}` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unrelated: We should return the error message when the status is an error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But if we throw it just gets caught by any catch handlers in the requests, no?
const descriptor = await this.engineClient.get(entityType); | ||
|
||
if (descriptor.status !== ENGINE_STATUS.STARTED) { | ||
throw new Error( | ||
`In namespace ${this.options.namespace}: Cannot stop Entity engine for ${entityType} when current status is: ${descriptor.status}` | ||
`In namespace ${namespace}: Cannot stop Entity engine for ${entityType} when current status is: ${descriptor.status}` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same thing here and all other similar checks
...ugins/security_solution/server/lib/entity_analytics/entity_store/entity_store_data_client.ts
Outdated
Show resolved
Hide resolved
...ugins/security_solution/server/lib/entity_analytics/entity_store/entity_store_data_client.ts
Outdated
Show resolved
Hide resolved
Starting backport for target branches: 8.16, 8.x |
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
cc @tiansivive |
💔 All backports failed
Manual backportTo create the backport manually run:
Questions ?Please refer to the Backport tool documentation |
Summary
This PR adds audit logs for the different actions that can be performed on the entity store engines.