[SecuritySolution] Service Entity Store #202344
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-entity-analytics (Team:Entity Analytics)
@jcoyne-elastic Hi Jordyn. This PR captures the new Service entity fields we are targeting for the next release. Does customer 0 include or use service.name values in your events? Are these service.* fields satisfactory?
We do use service.name in some auditbeat logs, @aarju do you know when service.* is specifically used and what fields we would look to add to a service entity store if relevant?
Thanks Pablo!
I have some suggestions regarding the mutation hooks.
Otherwise LGTM!
Review threads on .../security_solution/public/entity_analytics/components/entity_store/hooks/use_entity_store.ts (outdated, resolved)
@joedatlive @jaredburgettelastic On this PR, I am collecting all values for all service fields. We might want to store only the most recent value for some fields, as we do for risk score and asset criticality. If so, let me know which field should have this behaviour. Some candidates:
🚢
Starting backport for target branches: 8.x

💛 Build succeeded, but was flaky

cc @machadoum
💔 All backports failed

Manual backport: to create the backport manually run:

Questions? Please refer to the Backport tool documentation
## Summary

### Service Definition:
https://github.com/elastic/kibana/pull/202344/files#diff-42c7dd345e0500c97f85824904a70a11162827ea8f8df6982082a9047ca04ff1

### Acceptance Criteria
- [x] Upon installation of the entity store, the Service entity definition should be created by default
- [x] The Service definition will be installed in the exact same way as the User and Host definitions
- [x] The unique identifier for service entities will be `service.name`
- [x] The fields captured for service entities should match the field mapping spreadsheet (see Implementation Notes below)

### Stored Entity
```json
{
  "@timestamp": "2024-12-02T10:43:13.856Z",
  "event": {
    "ingested": "2024-12-02T10:51:28.987428Z"
  },
  "entity": {
    "name": "test123 name",
    "id": "test123 name",
    "source": "logs-blito",
    "type": "service"
  },
  "service": {
    "node": {
      "roles": ["test123 node roles"],
      "name": ["test123 node name"]
    },
    "environment": ["test123 environment"],
    "address": ["test123 address"],
    "name": "test123 name",
    "id": ["test123 id"],
    "state": ["test123 state"],
    "ephemeral_id": ["test123 ephemeral_id"],
    "type": ["test123 type"],
    "version": ["test123 version"]
  }
}
```

### How to test it?

* Start Kibana

<details>
<summary>Create mappings</summary>

```
PUT /logs-test
{
  "mappings": {
    "properties": {
      "service.name": { "type": "keyword" },
      "service.address": { "type": "keyword" },
      "service.environment": { "type": "keyword" },
      "service.ephemeral_id": { "type": "keyword" },
      "service.id": { "type": "keyword" },
      "service.node.name": { "type": "keyword" },
      "service.node.roles": { "type": "keyword" },
      "service.state": { "type": "keyword" },
      "service.type": { "type": "keyword" },
      "service.version": { "type": "keyword" },
      "@timestamp": { "type": "date" }
    }
  }
}
```
</details>

<details>
<summary>Create document</summary>

```
POST logs-test/_doc
{
  "service": {
    "name": "test123 name",
    "address": "test123 address",
    "environment": "test123 environment",
    "ephemeral_id": "test123 ephemeral_id",
    "id": "test123 id",
    "node.roles": "test123 node roles",
    "node.name": "test123 node name",
    "state": "test123 state",
    "type": "test123 type",
    "version": "test123 version"
  },
  "@timestamp": "2024-12-02T10:43:13.856Z"
}
```
</details>

* Init the entity store
* Wait...
* Query the service index `GET .entities.v1.latest.security_service_default/_search`

### Open Questions
* Can we merge this PR without first updating all other features that will use service entities?
* If we merge it, the service engine will be installed together with other entities, but it won't provide any functionality
* Do we need an experimental flag?

---------

Co-authored-by: kibanamachine <[email protected]>
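The test procedure above ends with a stored entity whose `service.*` fields are arrays and whose `entity.id` is the `service.name`. The following is an added example, not code from this PR or from Kibana: it folds constructed `logs-test`-style events into a document of that shape (assuming a simplified collect-all rule, with an optional most-recent-value rule per field as raised in the review comment) and checks the PR's acceptance criteria against the result; `flatten`, `set_path`, `build_service_entity` and `check_acceptance` are names chosen here.

```python
# Added example (not the Kibana PR's code): fold service events into one entity
# document shaped like the PR's "Stored Entity" and check its acceptance criteria.

# Fields captured by the service definition, per the PR's test mapping.
SERVICE_FIELDS = ["service.address", "service.environment", "service.ephemeral_id",
                  "service.id", "service.node.name", "service.node.roles",
                  "service.state", "service.type", "service.version"]
IDENTITY_FIELD = "service.name"  # unique identifier for service entities


def flatten(doc, prefix=""):
    """Flatten nested and dotted keys ("node.roles") to full dotted paths, as ES does."""
    out = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = value  # lists stay leaf values
    return out


def set_path(doc, path, value):
    """Write a dotted path into a nested dict, creating objects as needed."""
    keys = path.split(".")
    cur = doc
    for key in keys[:-1]:
        cur = cur.setdefault(key, {})
    cur[keys[-1]] = value


def build_service_entity(events, source="logs-test", latest_only=frozenset()):
    """Fold events sharing one service.name into an entity document. Each captured
    field collects its distinct values in first-seen order (assumed simplification
    of collect-all); fields in latest_only keep only the newest event's value."""
    ordered = sorted(events, key=lambda e: e["@timestamp"])  # ISO-8601 sorts in time order
    flat = [flatten(e) for e in ordered]
    names = {f.get(IDENTITY_FIELD) for f in flat}
    if len(names) != 1 or None in names:
        raise ValueError("all events must carry the same service.name")
    name = names.pop()
    entity = {"@timestamp": ordered[-1]["@timestamp"], "service": {"name": name},
              "entity": {"name": name, "id": name, "source": source, "type": "service"}}
    for field in SERVICE_FIELDS:
        values, latest = [], None
        for f in flat:
            v = f.get(field)
            if v is None:
                continue
            latest = v
            for item in (v if isinstance(v, list) else [v]):
                if item not in values:
                    values.append(item)
        if latest is not None:
            set_path(entity, field, latest if field in latest_only else values)
    return entity


def check_acceptance(entity):
    """Return the PR acceptance criteria that the entity document violates."""
    flat, problems = flatten(entity), []
    name = flat.get(IDENTITY_FIELD)
    if flat.get("entity.type") != "service":
        problems.append("entity.type must be 'service'")
    if not name or flat.get("entity.id") != name or flat.get("entity.name") != name:
        problems.append("entity.id and entity.name must equal service.name")
    extra = {p for p in flat if p.startswith("service.")} - set(SERVICE_FIELDS) - {IDENTITY_FIELD}
    if extra:
        problems.append(f"fields outside the service definition: {sorted(extra)}")
    return problems


# Constructed sample events: one nested, one with dotted keys like the PR's test doc.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-12-02T10:43:13.856Z", "service": {"name": "test123 name",
     "version": "1.0.0", "node": {"roles": ["ingest"]}, "state": "running"}},
    {"@timestamp": "2024-12-02T10:45:00.000Z", "service": {"name": "test123 name",
     "version": "1.0.1", "node.roles": ["ingest", "data"], "state": "running"}},
]
```

Calling `build_service_entity(SAMPLE_EVENTS, latest_only=frozenset({"service.version"}))` yields `service.version` as the scalar `"1.0.1"` while `service.node.roles` collects `["ingest", "data"]`; without `latest_only` the version becomes `["1.0.0", "1.0.1"]`.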
💚 All backports created successfully

Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
(cherry picked from commit fdedae0)

Conflicts:
- oas_docs/output/kibana.serverless.yaml
- x-pack/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_store_data_client.ts
- x-pack/plugins/security_solution/server/request_context_factory.ts
# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution] Service Entity Store (#202344)](#202344)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)