[Entity Store] [Asset Inventory] Universal entity definition (#202888)
## Summary

This PR adds a universal entity definition.
A universal entity uses `related.entity` as an identifier field and
includes an extra processor step that parses the field
`entities.keyword` and extracts all the entities in said field (whose
original data comes from `related.entities`).

See this
[doc](https://docs.google.com/document/d/1D8xDtn3HHP65i1Y3eIButacD6ZizyjZZRJB7mxlXzQY/edit?tab=t.0#heading=h.9fz3qtlfzjg7)
for more details.

To accomplish this, we need to allow describing an entity along with
extra entity store resources required for that entity's engine.
This PR reworks the current entity store by introducing an `Entity
Description`, which has all that required information. From it, we can
build an `EntityEngineDescription` which adds all the needed data that
must be computed (as opposed to hardcoded) and is then used to generate
all the resources needed for that Entity's engine (entity definition,
pipeline, enrich policy, index mappings, etc).

<img width="3776" alt="EntityDescriptions"
src="https://github.com/user-attachments/assets/bdf7915f-1981-47e6-a815-31163f24ad03">

This required a refactoring of the current `UnitedEntityDefinition`,
which has now been removed in favour of more contextual functions for
all the different parts.
The intention is to decouple the Entity Description schema from the
schemas required for field retention, entity manager and pipeline. We
can then freely expand on our Entity Description as required, and simply
alter the conversion functions when needed.

## How to test

1. On a fresh ES cluster, add some entity data
* For hosts and users, use the [security documents
generator](https://github.com/elastic/security-documents-generator)
   * For universal, there are a few more steps:
      1. Create the `entity.keyword` builder pipeline
      2. Add it to an index template
      3. Post some docs to the corresponding index
2. Initialise the universal entity engine via: `POST
kbn:/api/entity_store/engines/universal/init {}`
* Note that using the UI does not work, as we've specifically removed
the Universal engine from the normal Entity Store workflow
3. Check the status of the store is `running` via `GET
kbn:/api/entity_store/status`
4. Once the transform runs, you can query `GET entities*/_search` to see
the created entities

Note that universal entities do not show up in the dashboard Entities
List.


### Code to ingest data
<details>
<summary>Pipeline</summary>

```js
PUT _ingest/pipeline/entities-keyword-builder
{
   "description":"Serialize entities.metadata into a keyword field",
   "processors":[
      {
         "script":{
            "lang":"painless",
            "source":"""
String jsonFromMap(Map map) {
    StringBuilder json = new StringBuilder("{");
    boolean first = true;

    for (entry in map.entrySet()) {
        if (!first) {
            json.append(",");
        }
        first = false;

        String key = entry.getKey().replace("\"", "\\\"");
        Object value = entry.getValue();

        json.append("\"").append(key).append("\":");

        if (value instanceof String) {
            String escapedValue = ((String) value).replace("\"", "\\\"").replace("=", ":");
            json.append("\"").append(escapedValue).append("\"");
        } else if (value instanceof Map) {
            json.append(jsonFromMap((Map) value));
        } else if (value instanceof List) {
            json.append(jsonFromList((List) value));
        } else if (value instanceof Boolean || value instanceof Number) {
            json.append(value.toString());
        } else {
            // For other types, treat as string
            String escapedValue = value.toString().replace("\"", "\\\"").replace("=", ":");
            json.append("\"").append(escapedValue).append("\"");
        }
    }

    json.append("}");
    return json.toString();
}

String jsonFromList(List list) {

    StringBuilder json = new StringBuilder("[");
    boolean first = true;

    for (item in list) {
        if (!first) {
            json.append(",");
        }
        first = false;

        if (item instanceof String) {
            String escapedItem = ((String) item).replace("\"", "\\\"").replace("=", ":");
            json.append("\"").append(escapedItem).append("\"");
        } else if (item instanceof Map) {
            json.append(jsonFromMap((Map) item));
        } else if (item instanceof List) {
            json.append(jsonFromList((List) item));
        } else if (item instanceof Boolean || item instanceof Number) {
            json.append(item.toString());
        } else {
            // For other types, treat as string
            String escapedItem = item.toString().replace("\"", "\\\"").replace("=", ":");
            json.append("\"").append(escapedItem).append("\"");
        }
    }

    json.append("]");
    return json.toString();
}

def metadata = jsonFromMap(ctx['entities']['metadata']);
ctx['entities']['keyword'] = metadata;
"""

            }
        }
    ]
}
```
</details>

<details>
<summary>Index template</summary>

```js
PUT /_index_template/entity_store_index_template
{
   "index_patterns":[
      "logs-store"
   ],
   "template":{
      "settings":{
         "index":{
            "default_pipeline":"entities-keyword-builder"
         }
      },
      "mappings":{
         "properties":{
            "@timestamp":{
               "type":"date"
            },
            "message":{
               "type":"text"
            },
            "event":{
               "properties":{
                  "action":{
                     "type":"keyword"
                  },
                  "category":{
                     "type":"keyword"
                  },
                  "type":{
                     "type":"keyword"
                  },
                  "outcome":{
                     "type":"keyword"
                  },
                  "provider":{
                     "type":"keyword"
                  },
                  "ingested":{
                    "type": "date"
                  }
               }
            },
            "related":{
               "properties":{
                  "entity":{
                     "type":"keyword"
                  }
               }
            },
            "entities":{
               "properties":{
                  "metadata":{
                     "type":"flattened"
                  },
                  "keyword":{
                     "type":"keyword"
                  }
               }
            }
         }
      }
   }
}
```
</details>

<details>
<summary>Example source doc</summary>

```js
POST /logs-store/_doc/
{
   "@timestamp":"2024-11-29T10:01:00Z",
   "message":"Eddie",
   "event": {
      "type":[
         "creation"
      ],
      "ingested": "2024-12-03T10:01:00Z"
   },
   "related":{
      "entity":[
         "AKIAI44QH8DHBEXAMPLE"
      ]
   },
   "entities":{
      "metadata":{
         "AKIAI44QH8DHBEXAMPLE":{
            "entity":{
               "id":"AKIAI44QH8DHBEXAMPLE",
               "category":"Access Management",
               "type":"AWS IAM Access Key"
            },
            "cloud":{
               "account":{
                  "id":"444455556666"
               }
            }
         }
      }
   }
}
```
</details>

### To do

- [x] Add/Improve [Unit or functional
tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)
- [x] Feature flag


----
#### Update:

Added `assetInventoryStoreEnabled` Feature Flag. It is disabled by
default and even when enabled, the `/api/entity_store/enable` route does
not initialize the Universal Entity Engine.
`/api/entity_store/engines/universal/init` needs to be manually called
to initialize it

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Rômulo Farias <[email protected]>
Co-authored-by: jaredburgettelastic <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>
5 people authored Jan 3, 2025
1 parent e51b581 commit c6b0a31
Showing 54 changed files with 1,128 additions and 1,128 deletions.
2 changes: 2 additions & 0 deletions oas_docs/output/kibana.serverless.yaml
Expand Up @@ -47250,6 +47250,7 @@ components:
- user
- host
- service
- universal
type: string
Security_Entity_Analytics_API_HostEntity:
type: object
Expand Down Expand Up @@ -47320,6 +47321,7 @@ components:
- host.name
- user.name
- service.name
- related.entity
type: string
Security_Entity_Analytics_API_IndexPattern:
type: string
2 changes: 2 additions & 0 deletions oas_docs/output/kibana.yaml
Expand Up @@ -54126,6 +54126,7 @@ components:
- user
- host
- service
- universal
type: string
Security_Entity_Analytics_API_HostEntity:
type: object
Expand Down Expand Up @@ -54196,6 +54197,7 @@ components:
- host.name
- user.name
- service.name
- related.entity
type: string
Security_Entity_Analytics_API_IndexPattern:
type: string
Expand Up @@ -17,7 +17,7 @@
import { z } from '@kbn/zod';

export type IdField = z.infer<typeof IdField>;
export const IdField = z.enum(['host.name', 'user.name', 'service.name']);
export const IdField = z.enum(['host.name', 'user.name', 'service.name', 'related.entity']);
export type IdFieldEnum = typeof IdField.enum;
export const IdFieldEnum = IdField.enum;

Expand Up @@ -29,6 +29,7 @@ components:
- 'host.name'
- 'user.name'
- 'service.name'
- 'related.entity'
AssetCriticalityRecordIdParts:
type: object
properties:
Expand Up @@ -17,7 +17,7 @@
import { z } from '@kbn/zod';

export type EntityType = z.infer<typeof EntityType>;
export const EntityType = z.enum(['user', 'host', 'service']);
export const EntityType = z.enum(['user', 'host', 'service', 'universal']);
export type EntityTypeEnum = typeof EntityType.enum;
export const EntityTypeEnum = EntityType.enum;

Expand Up @@ -12,6 +12,7 @@ components:
- user
- host
- service
- universal

EngineDescriptor:
type: object
Expand Up @@ -46,7 +46,7 @@ describe('parseAssetCriticalityCsvRow', () => {

// @ts-ignore result can now only be InvalidRecord
expect(result.error).toMatchInlineSnapshot(
`"Invalid entity type \\"invalid\\", expected to be one of: user, host, service"`
`"Invalid entity type \\"invalid\\", expected to be one of: user, host, service, universal"`
);
});

Expand All @@ -57,7 +57,7 @@ describe('parseAssetCriticalityCsvRow', () => {

// @ts-ignore result can now only be InvalidRecord
expect(result.error).toMatchInlineSnapshot(
`"Invalid entity type \\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...\\", expected to be one of: user, host, service"`
`"Invalid entity type \\"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx...\\", expected to be one of: user, host, service, universal"`
);
});

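Review bot: The updated snapshots confirm that `universal` is now an accepted entity type when parsing asset criticality CSV rows, and nothing in that path consults the `assetInventoryStoreEnabled` flag this commit adds elsewhere; the `IDENTITY_FIELD_MAP` and `entityTypeByIdField` additions in the later sections widen the same acceptance. If asset criticality records for universal entities are not meant to be reachable while the flag is off, the accepted set should come from a flag-aware list (such as `getAvailableEntityTypes`, visible in the `IDENTITY_FIELD_MAP` section) rather than the raw `EntityType` enum. Otherwise a short comment at the enum consumer would save the next reader the same question, e.g. `// 'universal' is accepted here regardless of assetInventoryStoreEnabled — intended`. The parser under test is outside this hunk, so the exact validation path is inferred.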
Expand Up @@ -31,6 +31,7 @@ export const IDENTITY_FIELD_MAP: Record<EntityType, IdField> = {
[EntityTypeEnum.host]: 'host.name',
[EntityTypeEnum.user]: 'user.name',
[EntityTypeEnum.service]: 'service.name',
[EntityTypeEnum.universal]: 'related.entity',
};

export const getAvailableEntityTypes = (): EntityType[] =>
Expand Up @@ -268,6 +268,12 @@ export const allowedExperimentalValues = Object.freeze({
*/
crowdstrikeRunScriptEnabled: false,

/**
* Enables the Asset Inventory Entity Store feature.
* Allows initializing the Universal Entity Store via the API.
*/
assetInventoryStoreEnabled: false,

/**
* Enables the Asset Inventory feature
*/
Expand Up @@ -1075,6 +1075,7 @@ components:
- user
- host
- service
- universal
type: string
HostEntity:
type: object
Expand Down Expand Up @@ -1145,6 +1146,7 @@ components:
- host.name
- user.name
- service.name
- related.entity
type: string
IndexPattern:
type: string
Expand Up @@ -1075,6 +1075,7 @@ components:
- user
- host
- service
- universal
type: string
HostEntity:
type: object
Expand Down Expand Up @@ -1145,6 +1146,7 @@ components:
- host.name
- user.name
- service.name
- related.entity
type: string
IndexPattern:
type: string
Expand Up @@ -82,6 +82,7 @@ const entityTypeByIdField = {
'host.name': 'host',
'user.name': 'user',
'service.name': 'service',
'related.entity': 'universal',
} as const;

export const getImplicitEntityFields = (record: AssetCriticalityUpsertWithDeleted) => {
Expand Up @@ -10,18 +10,24 @@ import {
EngineComponentResourceEnum,
type EngineComponentStatus,
} from '../../../../../common/api/entity_analytics';
import type { UnitedEntityDefinition } from '../united_entity_definitions';
import type { EntityEngineInstallationDescriptor } from '../installation/types';

const getComponentTemplateName = (definitionId: string) => `${definitionId}-latest@platform`;

interface Options {
unitedDefinition: UnitedEntityDefinition;
/**
* The entity engine description id
**/
id: string;
esClient: ElasticsearchClient;
}

export const createEntityIndexComponentTemplate = ({ unitedDefinition, esClient }: Options) => {
const { entityManagerDefinition, indexMappings } = unitedDefinition;
const name = getComponentTemplateName(entityManagerDefinition.id);
export const createEntityIndexComponentTemplate = (
description: EntityEngineInstallationDescriptor,
esClient: ElasticsearchClient
) => {
const { id, indexMappings } = description;
const name = getComponentTemplateName(id);
return esClient.cluster.putComponentTemplate({
name,
body: {
Expand All @@ -35,9 +41,8 @@ export const createEntityIndexComponentTemplate = ({ unitedDefinition, esClient
});
};

export const deleteEntityIndexComponentTemplate = ({ unitedDefinition, esClient }: Options) => {
const { entityManagerDefinition } = unitedDefinition;
const name = getComponentTemplateName(entityManagerDefinition.id);
export const deleteEntityIndexComponentTemplate = ({ id, esClient }: Options) => {
const name = getComponentTemplateName(id);
return esClient.cluster.deleteComponentTemplate(
{ name },
{
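Review bot: `createEntityIndexComponentTemplate` now takes positional `(description, esClient)` while `deleteEntityIndexComponentTemplate` in the same file keeps the `Options` object `{ id, esClient }`, so the two halves of the same resource have different calling conventions. Either accept the descriptor in both, or give delete the same positional shape, `(id: string, esClient: ElasticsearchClient)`, in which case the `Options` interface becomes unused and can go. The doc comment on `Options.id` closes with `**/`; plain `*/` is the TSDoc form. The body of `createEntityIndexComponentTemplate` runs from the first hunk into the second, and `deleteEntityIndexComponentTemplate` continues past the end of the section.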
Expand Up @@ -6,12 +6,14 @@
*/

import type { ElasticsearchClient, Logger } from '@kbn/core/server';
import type { EnrichPutPolicyRequest } from '@elastic/elasticsearch/lib/api/types';
import type { EntityType } from '../../../../../common/api/entity_analytics';
import { EngineComponentResourceEnum } from '../../../../../common/api/entity_analytics';
import { getEntitiesIndexName } from '../utils';
import type { UnitedEntityDefinition } from '../united_entity_definitions';
import type { EntityEngineInstallationDescriptor } from '../installation/types';

type DefinitionMetadata = Pick<UnitedEntityDefinition, 'namespace' | 'entityType' | 'version'>;
type DefinitionMetadata = Pick<EntityEngineInstallationDescriptor, 'entityType' | 'version'> & {
namespace: string;
};

export const getFieldRetentionEnrichPolicyName = ({
namespace,
Expand All @@ -21,69 +23,79 @@ export const getFieldRetentionEnrichPolicyName = ({
return `entity_store_field_retention_${entityType}_${namespace}_v${version}`;
};

const getFieldRetentionEnrichPolicy = (
unitedDefinition: UnitedEntityDefinition
): EnrichPutPolicyRequest => {
const { namespace, entityType, fieldRetentionDefinition } = unitedDefinition;
return {
name: getFieldRetentionEnrichPolicyName(unitedDefinition),
match: {
indices: getEntitiesIndexName(entityType, namespace),
match_field: fieldRetentionDefinition.matchField,
enrich_fields: fieldRetentionDefinition.fields.map(({ field }) => field),
},
};
};

export const createFieldRetentionEnrichPolicy = async ({
esClient,
unitedDefinition,
description,
options,
}: {
esClient: ElasticsearchClient;
unitedDefinition: UnitedEntityDefinition;
description: EntityEngineInstallationDescriptor;
options: { namespace: string };
}) => {
const policy = getFieldRetentionEnrichPolicy(unitedDefinition);
return esClient.enrich.putPolicy(policy);
return esClient.enrich.putPolicy({
name: getFieldRetentionEnrichPolicyName({
namespace: options.namespace,
entityType: description.entityType,
version: description.version,
}),
match: {
indices: getEntitiesIndexName(description.entityType, options.namespace),
match_field: description.identityField,
enrich_fields: description.fields.map(({ destination }) => destination),
},
});
};

export const executeFieldRetentionEnrichPolicy = async ({
esClient,
unitedDefinition,
entityType,
version,
logger,
options,
}: {
unitedDefinition: DefinitionMetadata;
entityType: EntityType;
version: string;
esClient: ElasticsearchClient;
logger: Logger;
options: { namespace: string };
}): Promise<{ executed: boolean }> => {
const name = getFieldRetentionEnrichPolicyName(unitedDefinition);
const name = getFieldRetentionEnrichPolicyName({
namespace: options.namespace,
entityType,
version,
});
try {
await esClient.enrich.executePolicy({ name });
return { executed: true };
} catch (e) {
if (e.statusCode === 404) {
return { executed: false };
}
logger.error(
`Error executing field retention enrich policy for ${unitedDefinition.entityType}: ${e.message}`
);
logger.error(`Error executing field retention enrich policy for ${entityType}: ${e.message}`);
throw e;
}
};

export const deleteFieldRetentionEnrichPolicy = async ({
unitedDefinition,
description,
options,
esClient,
logger,
attempts = 5,
delayMs = 2000,
}: {
unitedDefinition: DefinitionMetadata;
description: EntityEngineInstallationDescriptor;
options: { namespace: string };
esClient: ElasticsearchClient;
logger: Logger;
attempts?: number;
delayMs?: number;
}) => {
const name = getFieldRetentionEnrichPolicyName(unitedDefinition);
const name = getFieldRetentionEnrichPolicyName({
namespace: options.namespace,
entityType: description.entityType,
version: description.version,
});
let currentAttempt = 1;
while (currentAttempt <= attempts) {
try {
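Review bot: The same three-field object is rebuilt by hand in `createFieldRetentionEnrichPolicy`, `executeFieldRetentionEnrichPolicy` and `deleteFieldRetentionEnrichPolicy` to obtain the policy name, so a later change to the naming inputs has to be made in three places; a small helper keeps them in sync: `const policyNameFor = (d: Pick<EntityEngineInstallationDescriptor, 'entityType' | 'version'>, namespace: string) => getFieldRetentionEnrichPolicyName({ namespace, entityType: d.entityType, version: d.version });`. The `enrich_fields` list now comes from `description.fields` as a whole rather than a dedicated field-retention list, so every descriptor field becomes part of the enrich policy — worth confirming against the descriptor type, which is outside this hunk. `deleteFieldRetentionEnrichPolicy` previously accepted the lighter `DefinitionMetadata` and now demands a full descriptor although it only reads `entityType` and `version`; a `Pick` would keep the delete path callable without one, and if `DefinitionMetadata` is no longer used by `getFieldRetentionEnrichPolicyName` (its parameter type is elided here) the alias can be dropped. The bodies of `getFieldRetentionEnrichPolicyName` and `deleteFieldRetentionEnrichPolicy` extend outside the hunk.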
Expand Up @@ -6,6 +6,7 @@
*/

import type { ElasticsearchClient, Logger } from '@kbn/core/server';
import type { MappingTypeMapping } from '@elastic/elasticsearch/lib/api/types';
import {
EngineComponentResourceEnum,
type EngineComponentStatus,
Expand All @@ -14,6 +15,8 @@ import {
import { getEntitiesIndexName } from '../utils';
import { createOrUpdateIndex } from '../../utils/create_or_update_index';

import type { EntityEngineInstallationDescriptor } from '../installation/types';

interface Options {
entityType: EntityType;
esClient: ElasticsearchClient;
Expand Down Expand Up @@ -58,3 +61,51 @@ export const getEntityIndexStatus = async ({

return { id: index, installed: exists, resource: EngineComponentResourceEnum.index };
};

export type MappingProperties = NonNullable<MappingTypeMapping['properties']>;

export const generateIndexMappings = (
description: EntityEngineInstallationDescriptor
): MappingTypeMapping => {
const identityFieldMappings: MappingProperties = {
[description.identityField]: {
type: 'keyword',
fields: {
text: {
type: 'match_only_text',
},
},
},
};

const otherFieldMappings = description.fields
.filter(({ mapping }) => mapping)
.reduce((acc, { destination, mapping }) => {
acc[destination] = mapping;
return acc;
}, {} as MappingProperties);

return {
properties: { ...BASE_ENTITY_INDEX_MAPPING, ...identityFieldMappings, ...otherFieldMappings },
};
};

export const BASE_ENTITY_INDEX_MAPPING: MappingProperties = {
'@timestamp': {
type: 'date',
},
'asset.criticality': {
type: 'keyword',
},
'entity.name': {
type: 'keyword',
fields: {
text: {
type: 'match_only_text',
},
},
},
'entity.source': {
type: 'keyword',
},
};
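Review bot: In `generateIndexMappings` the spread order lets a descriptor field whose `destination` equals `@timestamp`, `asset.criticality`, `entity.name`, `entity.source` or the identity field silently overwrite the base or identity mapping, changing that engine's index schema with no error. If that is not intended, reject such destinations inside the reduce, e.g. `if (destination in BASE_ENTITY_INDEX_MAPPING || destination === description.identityField) throw new Error(\`reserved mapping destination: ${destination}\`);`; if descriptor fields are meant to take precedence, a one-line comment above the `return` saying so would settle it. The `{} as MappingProperties` accumulator cast and the truthiness filter leave `mapping` typed as possibly undefined at the assignment unless the descriptor declares it required; `Object.fromEntries` over a `mapping != null` filter avoids the cast and the question. `BASE_ENTITY_INDEX_MAPPING` is declared after the function that reads it — safe because it is only read at call time, but placing the constant above `generateIndexMappings` reads more naturally.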
