Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[8.x] [Entity Store] [Asset Inventory] Universal entity definition (e…
…lastic#202888) (elastic#205536) # Backport This will backport the following commits from `main` to `8.x`: - [[Entity Store] [Asset Inventory] Universal entity definition (elastic#202888)](elastic#202888) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Tiago Vila Verde","email":"[email protected]"},"sourceCommit":{"committedDate":"2025-01-03T16:43:16Z","message":"[Entity Store] [Asset Inventory] Universal entity definition (elastic#202888)\n\n## Summary\r\n\r\nThis PR adds a universal entity definition.\r\nA universal entity uses `related.entity` as an identifier field and\r\nincludes an extra processor step that parses the field\r\n`entities.keyword` and extracts all the entities in said field (whose\r\noriginal data comes from `related.entities`).\r\n\r\nSee this\r\n[doc](https://docs.google.com/document/d/1D8xDtn3HHP65i1Y3eIButacD6ZizyjZZRJB7mxlXzQY/edit?tab=t.0#heading=h.9fz3qtlfzjg7)\r\nfor more details.\r\n\r\nTo accomplish this, we need to allow describing an entity along with\r\nextra entity store resources required for that entity's engine.\r\nThis PR reworks the current entity store by introducing an `Entity\r\nDescription`, which has all that required information. From it, we can\r\nbuild an `EntityEngineDescription` which adds all the needed data that\r\nmust be computed (as opposed to hardcoded) and is then used to generate\r\nall the resources needed for that Entity's engine (entity definition,\r\npipeline, enrich policy, index mappings, etc).\r\n\r\n<img width=\"3776\" alt=\"EntityDescriptions\"\r\nsrc=\"https://github.com/user-attachments/assets/bdf7915f-1981-47e6-a815-31163f24ad03\">\r\n\r\nThis required a refactoring of the current `UnitedEntityDefinition`,\r\nwhich has now been removed in favour of more contextual functions for\r\nall the different parts.\r\nThe intention is to decouple the Entity Description schema from the\r\nschemas required for field retention, entity manager and pipeline. We\r\ncan then freely expand on our Entity Description as required, and simply\r\nalter the conversion functions when needed.\r\n\r\n## How to test\r\n\r\n1. On a fresh ES cluster, add some entity data\r\n* For hosts and user, use the [security documents\r\ngenerator](https://github.com/elastic/security-documents-generator)\r\n * For universal, there are a few more steps:\r\n 1. Create the `entity.keyword` builder pipeline\r\n 2. Add it to a index template\r\n 3. Post some docs to the corresponding index \r\n2. Initialise the universal entity engine via: `POST\r\nkbn:/api/entity_store/engines/universal/init {}`\r\n* Note that using the UI does not work, as we've specifically removed\r\nthe Universal engine from the normal Entity Store workflow\r\n3. Check the status of the store is `running` via `GET\r\nkbn:/api/entity_store/status`\r\n4. Once the transform runs, you can query `GET entities*/_search` to see\r\nthe created entities\r\n\r\nNote that universal entities do not show up in the dashboard Entities\r\nList.\r\n\r\n\r\n### Code to ingest data\r\n<details>\r\n<summary>Pipeline</summary>\r\n\r\n```js\r\nPUT _ingest/pipeline/entities-keyword-builder\r\n{\r\n \"description\":\"Serialize entities.metadata into a keyword field\",\r\n \"processors\":[\r\n {\r\n \"script\":{\r\n \"lang\":\"painless\",\r\n \"source\":\"\"\"\r\nString jsonFromMap(Map map) {\r\n StringBuilder json = new StringBuilder(\"{\");\r\n boolean first = true;\r\n\r\n for (entry in map.entrySet()) {\r\n if (!first) {\r\n json.append(\",\");\r\n }\r\n first = false;\r\n\r\n String key = entry.getKey().replace(\"\\\"\", \"\\\\\\\"\");\r\n Object value = entry.getValue();\r\n\r\n json.append(\"\\\"\").append(key).append(\"\\\":\");\r\n\r\n if (value instanceof String) {\r\n String escapedValue = ((String) value).replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedValue).append(\"\\\"\");\r\n } else if (value instanceof Map) {\r\n json.append(jsonFromMap((Map) value));\r\n } else if (value instanceof List) {\r\n json.append(jsonFromList((List) value));\r\n } else if (value instanceof Boolean || value instanceof Number) {\r\n json.append(value.toString());\r\n } else {\r\n // For other types, treat as string\r\n String escapedValue = value.toString().replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedValue).append(\"\\\"\");\r\n }\r\n }\r\n\r\n json.append(\"}\");\r\n return json.toString();\r\n}\r\n\r\nString jsonFromList(List list) {\r\n\r\n StringBuilder json = new StringBuilder(\"[\");\r\n boolean first = true;\r\n\r\n for (item in list) {\r\n if (!first) {\r\n json.append(\",\");\r\n }\r\n first = false;\r\n\r\n if (item instanceof String) {\r\n String escapedItem = ((String) item).replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedItem).append(\"\\\"\");\r\n } else if (item instanceof Map) {\r\n json.append(jsonFromMap((Map) item));\r\n } else if (item instanceof List) {\r\n json.append(jsonFromList((List) item));\r\n } else if (item instanceof Boolean || item instanceof Number) {\r\n json.append(item.toString());\r\n } else {\r\n // For other types, treat as string\r\n String escapedItem = item.toString().replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedItem).append(\"\\\"\");\r\n }\r\n }\r\n\r\n json.append(\"]\");\r\n return json.toString();\r\n}\r\n\r\ndef metadata = jsonFromMap(ctx['entities']['metadata']);\r\nctx['entities']['keyword'] = metadata;\r\n\"\"\"\r\n\r\n }\r\n }\r\n ]\r\n}\r\n```\r\n</details>\r\n\r\n<details>\r\n<summary>Index template</summary>\r\n\r\n```js\r\nPUT /_index_template/entity_store_index_template\r\n{\r\n \"index_patterns\":[\r\n \"logs-store\"\r\n ],\r\n \"template\":{\r\n \"settings\":{\r\n \"index\":{\r\n \"default_pipeline\":\"entities-keyword-builder\"\r\n }\r\n },\r\n \"mappings\":{\r\n \"properties\":{\r\n \"@timestamp\":{\r\n \"type\":\"date\"\r\n },\r\n \"message\":{\r\n \"type\":\"text\"\r\n },\r\n \"event\":{\r\n \"properties\":{\r\n \"action\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"category\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"type\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"outcome\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"provider\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"ingested\":{\r\n \"type\": \"date\"\r\n }\r\n }\r\n },\r\n \"related\":{\r\n \"properties\":{\r\n \"entity\":{\r\n \"type\":\"keyword\"\r\n }\r\n }\r\n },\r\n \"entities\":{\r\n \"properties\":{\r\n \"metadata\":{\r\n \"type\":\"flattened\"\r\n },\r\n \"keyword\":{\r\n \"type\":\"keyword\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n```\r\n</details>\r\n\r\n<details>\r\n<summary>Example source doc</summary>\r\n\r\n```js\r\nPOST /logs-store/_doc/\r\n{\r\n \"@timestamp\":\"2024-11-29T10:01:00Z\",\r\n \"message\":\"Eddie\",\r\n \"event\": {\r\n \"type\":[\r\n \"creation\"\r\n ],\r\n \"ingested\": \"2024-12-03T10:01:00Z\"\r\n },\r\n \"related\":{\r\n \"entity\":[\r\n \"AKIAI44QH8DHBEXAMPLE\"\r\n ]\r\n },\r\n \"entities\":{\r\n \"metadata\":{\r\n \"AKIAI44QH8DHBEXAMPLE\":{\r\n \"entity\":{\r\n \"id\":\"AKIAI44QH8DHBEXAMPLE\",\r\n \"category\":\"Access Management\",\r\n \"type\":\"AWS IAM Access Key\"\r\n },\r\n \"cloud\":{\r\n \"account\":{\r\n \"id\":\"444455556666\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n```\r\n</details>\r\n\r\n### To do\r\n\r\n- [x] Add/Improve [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\n- [x] Feature flag\r\n\r\n\r\n----\r\n#### Update:\r\n\r\nAdded `assetInventoryStoreEnabled` Feature Flag. It is disabled by\r\ndefault and even when enabled, the `/api/entity_store/enable` route does\r\nnot initialize the Universal Entity Engine.\r\n`/api/entity_store/engines/universal/init` needs to be manually called\r\nto initialize it\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>\r\nCo-authored-by: Rômulo Farias <[email protected]>\r\nCo-authored-by: jaredburgettelastic <[email protected]>\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"c6b0a31d8ec6d423a8071f50a22e55acedd0dee0","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Cloud Security","ci:cloud-deploy","Theme: entity_analytics","Team:Entity Analytics","backport:version","v8.18.0"],"number":202888,"url":"https://github.com/elastic/kibana/pull/202888","mergeCommit":{"message":"[Entity Store] [Asset Inventory] Universal entity definition (elastic#202888)\n\n## Summary\r\n\r\nThis PR adds a universal entity definition.\r\nA universal entity uses `related.entity` as an identifier field and\r\nincludes an extra processor step that parses the field\r\n`entities.keyword` and extracts all the entities in said field (whose\r\noriginal data comes from `related.entities`).\r\n\r\nSee this\r\n[doc](https://docs.google.com/document/d/1D8xDtn3HHP65i1Y3eIButacD6ZizyjZZRJB7mxlXzQY/edit?tab=t.0#heading=h.9fz3qtlfzjg7)\r\nfor more details.\r\n\r\nTo accomplish this, we need to allow describing an entity along with\r\nextra entity store resources required for that entity's engine.\r\nThis PR reworks the current entity store by introducing an `Entity\r\nDescription`, which has all that required information. From it, we can\r\nbuild an `EntityEngineDescription` which adds all the needed data that\r\nmust be computed (as opposed to hardcoded) and is then used to generate\r\nall the resources needed for that Entity's engine (entity definition,\r\npipeline, enrich policy, index mappings, etc).\r\n\r\n<img width=\"3776\" alt=\"EntityDescriptions\"\r\nsrc=\"https://github.com/user-attachments/assets/bdf7915f-1981-47e6-a815-31163f24ad03\">\r\n\r\nThis required a refactoring of the current `UnitedEntityDefinition`,\r\nwhich has now been removed in favour of more contextual functions for\r\nall the different parts.\r\nThe intention is to decouple the Entity Description schema from the\r\nschemas required for field retention, entity manager and pipeline. We\r\ncan then freely expand on our Entity Description as required, and simply\r\nalter the conversion functions when needed.\r\n\r\n## How to test\r\n\r\n1. On a fresh ES cluster, add some entity data\r\n* For hosts and user, use the [security documents\r\ngenerator](https://github.com/elastic/security-documents-generator)\r\n * For universal, there are a few more steps:\r\n 1. Create the `entity.keyword` builder pipeline\r\n 2. Add it to a index template\r\n 3. Post some docs to the corresponding index \r\n2. Initialise the universal entity engine via: `POST\r\nkbn:/api/entity_store/engines/universal/init {}`\r\n* Note that using the UI does not work, as we've specifically removed\r\nthe Universal engine from the normal Entity Store workflow\r\n3. Check the status of the store is `running` via `GET\r\nkbn:/api/entity_store/status`\r\n4. Once the transform runs, you can query `GET entities*/_search` to see\r\nthe created entities\r\n\r\nNote that universal entities do not show up in the dashboard Entities\r\nList.\r\n\r\n\r\n### Code to ingest data\r\n<details>\r\n<summary>Pipeline</summary>\r\n\r\n```js\r\nPUT _ingest/pipeline/entities-keyword-builder\r\n{\r\n \"description\":\"Serialize entities.metadata into a keyword field\",\r\n \"processors\":[\r\n {\r\n \"script\":{\r\n \"lang\":\"painless\",\r\n \"source\":\"\"\"\r\nString jsonFromMap(Map map) {\r\n StringBuilder json = new StringBuilder(\"{\");\r\n boolean first = true;\r\n\r\n for (entry in map.entrySet()) {\r\n if (!first) {\r\n json.append(\",\");\r\n }\r\n first = false;\r\n\r\n String key = entry.getKey().replace(\"\\\"\", \"\\\\\\\"\");\r\n Object value = entry.getValue();\r\n\r\n json.append(\"\\\"\").append(key).append(\"\\\":\");\r\n\r\n if (value instanceof String) {\r\n String escapedValue = ((String) value).replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedValue).append(\"\\\"\");\r\n } else if (value instanceof Map) {\r\n json.append(jsonFromMap((Map) value));\r\n } else if (value instanceof List) {\r\n json.append(jsonFromList((List) value));\r\n } else if (value instanceof Boolean || value instanceof Number) {\r\n json.append(value.toString());\r\n } else {\r\n // For other types, treat as string\r\n String escapedValue = value.toString().replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedValue).append(\"\\\"\");\r\n }\r\n }\r\n\r\n json.append(\"}\");\r\n return json.toString();\r\n}\r\n\r\nString jsonFromList(List list) {\r\n\r\n StringBuilder json = new StringBuilder(\"[\");\r\n boolean first = true;\r\n\r\n for (item in list) {\r\n if (!first) {\r\n json.append(\",\");\r\n }\r\n first = false;\r\n\r\n if (item instanceof String) {\r\n String escapedItem = ((String) item).replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedItem).append(\"\\\"\");\r\n } else if (item instanceof Map) {\r\n json.append(jsonFromMap((Map) item));\r\n } else if (item instanceof List) {\r\n json.append(jsonFromList((List) item));\r\n } else if (item instanceof Boolean || item instanceof Number) {\r\n json.append(item.toString());\r\n } else {\r\n // For other types, treat as string\r\n String escapedItem = item.toString().replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedItem).append(\"\\\"\");\r\n }\r\n }\r\n\r\n json.append(\"]\");\r\n return json.toString();\r\n}\r\n\r\ndef metadata = jsonFromMap(ctx['entities']['metadata']);\r\nctx['entities']['keyword'] = metadata;\r\n\"\"\"\r\n\r\n }\r\n }\r\n ]\r\n}\r\n```\r\n</details>\r\n\r\n<details>\r\n<summary>Index template</summary>\r\n\r\n```js\r\nPUT /_index_template/entity_store_index_template\r\n{\r\n \"index_patterns\":[\r\n \"logs-store\"\r\n ],\r\n \"template\":{\r\n \"settings\":{\r\n \"index\":{\r\n \"default_pipeline\":\"entities-keyword-builder\"\r\n }\r\n },\r\n \"mappings\":{\r\n \"properties\":{\r\n \"@timestamp\":{\r\n \"type\":\"date\"\r\n },\r\n \"message\":{\r\n \"type\":\"text\"\r\n },\r\n \"event\":{\r\n \"properties\":{\r\n \"action\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"category\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"type\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"outcome\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"provider\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"ingested\":{\r\n \"type\": \"date\"\r\n }\r\n }\r\n },\r\n \"related\":{\r\n \"properties\":{\r\n \"entity\":{\r\n \"type\":\"keyword\"\r\n }\r\n }\r\n },\r\n \"entities\":{\r\n \"properties\":{\r\n \"metadata\":{\r\n \"type\":\"flattened\"\r\n },\r\n \"keyword\":{\r\n \"type\":\"keyword\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n```\r\n</details>\r\n\r\n<details>\r\n<summary>Example source doc</summary>\r\n\r\n```js\r\nPOST /logs-store/_doc/\r\n{\r\n \"@timestamp\":\"2024-11-29T10:01:00Z\",\r\n \"message\":\"Eddie\",\r\n \"event\": {\r\n \"type\":[\r\n \"creation\"\r\n ],\r\n \"ingested\": \"2024-12-03T10:01:00Z\"\r\n },\r\n \"related\":{\r\n \"entity\":[\r\n \"AKIAI44QH8DHBEXAMPLE\"\r\n ]\r\n },\r\n \"entities\":{\r\n \"metadata\":{\r\n \"AKIAI44QH8DHBEXAMPLE\":{\r\n \"entity\":{\r\n \"id\":\"AKIAI44QH8DHBEXAMPLE\",\r\n \"category\":\"Access Management\",\r\n \"type\":\"AWS IAM Access Key\"\r\n },\r\n \"cloud\":{\r\n \"account\":{\r\n \"id\":\"444455556666\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n```\r\n</details>\r\n\r\n### To do\r\n\r\n- [x] Add/Improve [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\n- [x] Feature flag\r\n\r\n\r\n----\r\n#### Update:\r\n\r\nAdded `assetInventoryStoreEnabled` Feature Flag. It is disabled by\r\ndefault and even when enabled, the `/api/entity_store/enable` route does\r\nnot initialize the Universal Entity Engine.\r\n`/api/entity_store/engines/universal/init` needs to be manually called\r\nto initialize it\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>\r\nCo-authored-by: Rômulo Farias <[email protected]>\r\nCo-authored-by: jaredburgettelastic <[email protected]>\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"c6b0a31d8ec6d423a8071f50a22e55acedd0dee0"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/202888","number":202888,"mergeCommit":{"message":"[Entity Store] [Asset Inventory] Universal entity definition (elastic#202888)\n\n## Summary\r\n\r\nThis PR adds a universal entity definition.\r\nA universal entity uses `related.entity` as an identifier field and\r\nincludes an extra processor step that parses the field\r\n`entities.keyword` and extracts all the entities in said field (whose\r\noriginal data comes from `related.entities`).\r\n\r\nSee this\r\n[doc](https://docs.google.com/document/d/1D8xDtn3HHP65i1Y3eIButacD6ZizyjZZRJB7mxlXzQY/edit?tab=t.0#heading=h.9fz3qtlfzjg7)\r\nfor more details.\r\n\r\nTo accomplish this, we need to allow describing an entity along with\r\nextra entity store resources required for that entity's engine.\r\nThis PR reworks the current entity store by introducing an `Entity\r\nDescription`, which has all that required information. From it, we can\r\nbuild an `EntityEngineDescription` which adds all the needed data that\r\nmust be computed (as opposed to hardcoded) and is then used to generate\r\nall the resources needed for that Entity's engine (entity definition,\r\npipeline, enrich policy, index mappings, etc).\r\n\r\n<img width=\"3776\" alt=\"EntityDescriptions\"\r\nsrc=\"https://github.com/user-attachments/assets/bdf7915f-1981-47e6-a815-31163f24ad03\">\r\n\r\nThis required a refactoring of the current `UnitedEntityDefinition`,\r\nwhich has now been removed in favour of more contextual functions for\r\nall the different parts.\r\nThe intention is to decouple the Entity Description schema from the\r\nschemas required for field retention, entity manager and pipeline. We\r\ncan then freely expand on our Entity Description as required, and simply\r\nalter the conversion functions when needed.\r\n\r\n## How to test\r\n\r\n1. On a fresh ES cluster, add some entity data\r\n* For hosts and user, use the [security documents\r\ngenerator](https://github.com/elastic/security-documents-generator)\r\n * For universal, there are a few more steps:\r\n 1. Create the `entity.keyword` builder pipeline\r\n 2. Add it to a index template\r\n 3. Post some docs to the corresponding index \r\n2. Initialise the universal entity engine via: `POST\r\nkbn:/api/entity_store/engines/universal/init {}`\r\n* Note that using the UI does not work, as we've specifically removed\r\nthe Universal engine from the normal Entity Store workflow\r\n3. Check the status of the store is `running` via `GET\r\nkbn:/api/entity_store/status`\r\n4. Once the transform runs, you can query `GET entities*/_search` to see\r\nthe created entities\r\n\r\nNote that universal entities do not show up in the dashboard Entities\r\nList.\r\n\r\n\r\n### Code to ingest data\r\n<details>\r\n<summary>Pipeline</summary>\r\n\r\n```js\r\nPUT _ingest/pipeline/entities-keyword-builder\r\n{\r\n \"description\":\"Serialize entities.metadata into a keyword field\",\r\n \"processors\":[\r\n {\r\n \"script\":{\r\n \"lang\":\"painless\",\r\n \"source\":\"\"\"\r\nString jsonFromMap(Map map) {\r\n StringBuilder json = new StringBuilder(\"{\");\r\n boolean first = true;\r\n\r\n for (entry in map.entrySet()) {\r\n if (!first) {\r\n json.append(\",\");\r\n }\r\n first = false;\r\n\r\n String key = entry.getKey().replace(\"\\\"\", \"\\\\\\\"\");\r\n Object value = entry.getValue();\r\n\r\n json.append(\"\\\"\").append(key).append(\"\\\":\");\r\n\r\n if (value instanceof String) {\r\n String escapedValue = ((String) value).replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedValue).append(\"\\\"\");\r\n } else if (value instanceof Map) {\r\n json.append(jsonFromMap((Map) value));\r\n } else if (value instanceof List) {\r\n json.append(jsonFromList((List) value));\r\n } else if (value instanceof Boolean || value instanceof Number) {\r\n json.append(value.toString());\r\n } else {\r\n // For other types, treat as string\r\n String escapedValue = value.toString().replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedValue).append(\"\\\"\");\r\n }\r\n }\r\n\r\n json.append(\"}\");\r\n return json.toString();\r\n}\r\n\r\nString jsonFromList(List list) {\r\n\r\n StringBuilder json = new StringBuilder(\"[\");\r\n boolean first = true;\r\n\r\n for (item in list) {\r\n if (!first) {\r\n json.append(\",\");\r\n }\r\n first = false;\r\n\r\n if (item instanceof String) {\r\n String escapedItem = ((String) item).replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedItem).append(\"\\\"\");\r\n } else if (item instanceof Map) {\r\n json.append(jsonFromMap((Map) item));\r\n } else if (item instanceof List) {\r\n json.append(jsonFromList((List) item));\r\n } else if (item instanceof Boolean || item instanceof Number) {\r\n json.append(item.toString());\r\n } else {\r\n // For other types, treat as string\r\n String escapedItem = item.toString().replace(\"\\\"\", \"\\\\\\\"\").replace(\"=\", \":\");\r\n json.append(\"\\\"\").append(escapedItem).append(\"\\\"\");\r\n }\r\n }\r\n\r\n json.append(\"]\");\r\n return json.toString();\r\n}\r\n\r\ndef metadata = jsonFromMap(ctx['entities']['metadata']);\r\nctx['entities']['keyword'] = metadata;\r\n\"\"\"\r\n\r\n }\r\n }\r\n ]\r\n}\r\n```\r\n</details>\r\n\r\n<details>\r\n<summary>Index template</summary>\r\n\r\n```js\r\nPUT /_index_template/entity_store_index_template\r\n{\r\n \"index_patterns\":[\r\n \"logs-store\"\r\n ],\r\n \"template\":{\r\n \"settings\":{\r\n \"index\":{\r\n \"default_pipeline\":\"entities-keyword-builder\"\r\n }\r\n },\r\n \"mappings\":{\r\n \"properties\":{\r\n \"@timestamp\":{\r\n \"type\":\"date\"\r\n },\r\n \"message\":{\r\n \"type\":\"text\"\r\n },\r\n \"event\":{\r\n \"properties\":{\r\n \"action\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"category\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"type\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"outcome\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"provider\":{\r\n \"type\":\"keyword\"\r\n },\r\n \"ingested\":{\r\n \"type\": \"date\"\r\n }\r\n }\r\n },\r\n \"related\":{\r\n \"properties\":{\r\n \"entity\":{\r\n \"type\":\"keyword\"\r\n }\r\n }\r\n },\r\n \"entities\":{\r\n \"properties\":{\r\n \"metadata\":{\r\n \"type\":\"flattened\"\r\n },\r\n \"keyword\":{\r\n \"type\":\"keyword\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n```\r\n</details>\r\n\r\n<details>\r\n<summary>Example source doc</summary>\r\n\r\n```js\r\nPOST /logs-store/_doc/\r\n{\r\n \"@timestamp\":\"2024-11-29T10:01:00Z\",\r\n \"message\":\"Eddie\",\r\n \"event\": {\r\n \"type\":[\r\n \"creation\"\r\n ],\r\n \"ingested\": \"2024-12-03T10:01:00Z\"\r\n },\r\n \"related\":{\r\n \"entity\":[\r\n \"AKIAI44QH8DHBEXAMPLE\"\r\n ]\r\n },\r\n \"entities\":{\r\n \"metadata\":{\r\n \"AKIAI44QH8DHBEXAMPLE\":{\r\n \"entity\":{\r\n \"id\":\"AKIAI44QH8DHBEXAMPLE\",\r\n \"category\":\"Access Management\",\r\n \"type\":\"AWS IAM Access Key\"\r\n },\r\n \"cloud\":{\r\n \"account\":{\r\n \"id\":\"444455556666\"\r\n }\r\n }\r\n }\r\n }\r\n }\r\n}\r\n```\r\n</details>\r\n\r\n### To do\r\n\r\n- [x] Add/Improve [Unit or functional\r\ntests](https://www.elastic.co/guide/en/kibana/master/development-tests.html)\r\n- [x] Feature flag\r\n\r\n\r\n----\r\n#### Update:\r\n\r\nAdded `assetInventoryStoreEnabled` Feature Flag. It is disabled by\r\ndefault and even when enabled, the `/api/entity_store/enable` route does\r\nnot initialize the Universal Entity Engine.\r\n`/api/entity_store/engines/universal/init` needs to be manually called\r\nto initialize it\r\n\r\n---------\r\n\r\nCo-authored-by: kibanamachine <[email protected]>\r\nCo-authored-by: Rômulo Farias <[email protected]>\r\nCo-authored-by: jaredburgettelastic <[email protected]>\r\nCo-authored-by: Elastic Machine <[email protected]>","sha":"c6b0a31d8ec6d423a8071f50a22e55acedd0dee0"}},{"branch":"8.x","label":"v8.18.0","labelRegex":"^v8.18.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Tiago Vila Verde <[email protected]>
- Loading branch information
1 parent
25ede9b
commit 4994699