
[Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp files for init and enable endpoints #208201

Open · wants to merge 3 commits into main
Conversation

abhishekbhatia1710 (Contributor)

Summary

This PR introduces support for configuring the timestamp field for entity store enablement.

By default, the timestamp field is set to @timestamp, but users can opt to use event.ingested or another preferred value based on their requirements.

Entity Store API changes

Entity Store enable

```
POST kbn:/api/entity_store/enable
{
  "timestampField": "event.ingested"
}
```

Result

```json
{
  "engines": [
    {
      "status": "started",
      "type": "user",
      "indexPattern": "",
      "filter": "",
      "fieldHistoryLength": 10,
      "timestampField": "event.ingested"
    },
    {
      "status": "started",
      "type": "host",
      "indexPattern": "",
      "filter": "",
      "fieldHistoryLength": 10,
      "timestampField": "event.ingested"
    },
    {
      "status": "started",
      "type": "universal",
      "indexPattern": "",
      "filter": "",
      "fieldHistoryLength": 10,
      "timestampField": "event.ingested"
    }
  ],
  "status": "running"
}
```

```
POST kbn:/api/entity_store/enable
{
}
```

Result

```json
{
  "engines": [
    {
      "status": "started",
      "type": "host",
      "indexPattern": "",
      "filter": "",
      "fieldHistoryLength": 10,
      "timestampField": "@timestamp"
    },
    {
      "status": "started",
      "type": "user",
      "indexPattern": "",
      "filter": "",
      "fieldHistoryLength": 10,
      "timestampField": "@timestamp"
    },
    {
      "status": "started",
      "type": "universal",
      "indexPattern": "",
      "filter": "",
      "fieldHistoryLength": 10,
      "timestampField": "@timestamp"
    }
  ],
  "status": "running"
}
```

Different entity types can have distinct timestampField values, as described below:

For instance, the host entity uses event.ingested as its timestampField, while other entities default to the @timestamp field.

```
POST kbn:/api/entity_store/engines/host/init
{
  "timestampField": "event.ingested"
}

POST kbn:/api/entity_store/engines/user/init
{
}
```

Result

```json
{
  "engines": [
    {
      "status": "started",
      "type": "universal",
      "indexPattern": "",
      "filter": "",
      "fieldHistoryLength": 10,
      "timestampField": "@timestamp"
    },
    {
      "status": "started",
      "type": "host",
      "indexPattern": "",
      "filter": "",
      "fieldHistoryLength": 10,
      "timestampField": "event.ingested"
    },
    {
      "status": "started",
      "type": "user",
      "indexPattern": "",
      "filter": "",
      "fieldHistoryLength": 10,
      "timestampField": "@timestamp"
    }
  ],
  "status": "running"
}
```

Checklist

Check that the PR satisfies the following conditions.

Reviewers should verify this PR satisfies this list as well.

  • This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
  • Flaky Test Runner was used on any tests changed
  • The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines

Testing steps

  • Check out this PR branch.
  • Start Kibana.
  • Avoid enabling the Entity Store from the UI initially. Instead, enable it via the API by following the steps outlined below.
```
DELETE kbn:/api/entity_store/engines/user
DELETE kbn:/api/entity_store/engines/host

GET kbn:/api/entity_store/status

# All engines with the same timestamp field
POST kbn:/api/entity_store/enable
{
  "timestampField": "event.ingested"
}

# All engines with the same timestamp field (default)
POST kbn:/api/entity_store/enable
{
}

# Different entities with different timestamp fields
POST kbn:/api/entity_store/engines/host/init
{
  "timestampField": "event.ingested"
}

POST kbn:/api/entity_store/engines/user/init
{
}
```
  • Afterward, you can test the functionality through the UI. First, clear the entity data from the UI, then start the Entity Store. Note that the UI currently does not offer a way to configure this parameter.
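The defaulting and per-engine override behaviour shown in the three request/response pairs above, as an added TypeScript example that is not code from this PR or from Kibana; the accepted field-path pattern and the fixed set of entity types are assumptions made for the example:

```typescript
// Added example, not Kibana code: models how the enable and per-engine init
// requests described in the PR resolve each engine's timestampField.
type EntityType = "host" | "user" | "universal";

interface EngineDescriptor {
  status: string;
  type: EntityType;
  indexPattern: string;
  filter: string;
  fieldHistoryLength: number;
  timestampField: string;
}

const DEFAULT_TIMESTAMP_FIELD = "@timestamp";
// Assumption for this example: accept only a dotted field path such as
// "@timestamp" or "event.ingested", since the value ends up in engine config.
const FIELD_PATH = /^@?[A-Za-z_][A-Za-z0-9_-]*(\.[A-Za-z_][A-Za-z0-9_-]*)*$/;

function resolveTimestampField(requested?: string): string {
  if (requested === undefined) return DEFAULT_TIMESTAMP_FIELD; // empty body {}
  if (!FIELD_PATH.test(requested)) {
    throw new Error(`invalid timestampField: ${JSON.stringify(requested)}`);
  }
  return requested;
}

function descriptor(type: EntityType, timestampField: string): EngineDescriptor {
  return { status: "started", type, indexPattern: "", filter: "", fieldHistoryLength: 10, timestampField };
}

// POST /api/entity_store/enable: one body, same timestampField for every engine.
function enableAll(body: { timestampField?: string }): EngineDescriptor[] {
  const field = resolveTimestampField(body.timestampField);
  return (["host", "user", "universal"] as EntityType[]).map((t) => descriptor(t, field));
}

// POST /api/entity_store/engines/<type>/init: each call sets one engine only,
// so engines can end up with different timestampField values.
function initEngines(
  calls: Array<{ type: EntityType; body: { timestampField?: string } }>
): EngineDescriptor[] {
  return calls.map(({ type, body }) => descriptor(type, resolveTimestampField(body.timestampField)));
}
```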

@abhishekbhatia1710 added labels release_note:enhancement, v9.0.0, Team:Entity Analytics, backport:version on Jan 24, 2025
@abhishekbhatia1710 abhishekbhatia1710 self-assigned this Jan 24, 2025
@abhishekbhatia1710 abhishekbhatia1710 requested review from a team as code owners January 24, 2025 13:57
@elasticmachine (Contributor)

Pinging @elastic/security-entity-analytics (Team:Entity Analytics)

@abhishekbhatia1710 abhishekbhatia1710 changed the title Changes to support event.ingested as a configurable timestamp files for init and enable endpoints [Entity Analytics] [Entity Store] [API] Changes to support event.ingested as a configurable timestamp files for init and enable endpoints Jan 24, 2025
@elasticmachine (Contributor) commented Jan 24, 2025

💔 Build Failed

Failed CI Steps

History

cc @abhishekbhatia1710
