Watchlists maintainer, sync all watchlists on setup #260144
Merged
jaredburgettelastic merged 6 commits intomainfrom Mar 30, 2026
Merged
Watchlists maintainer, sync all watchlists on setup #260144jaredburgettelastic merged 6 commits intomainfrom
jaredburgettelastic merged 6 commits intomainfrom
Conversation
CAWilson94
changed the title
CAWilson94
commented
Mar 30, 2026
| logger.debug(`Initializing watchlist maintainer for namespace "${namespace}"`); | ||
|
|
||
| // TODO: add watchlist-specific setup logic here (e.g. saved objects, data client init) | ||
| // Add in call to pre-built watchlists install |
Contributor
Author
There was a problem hiding this comment.
Doing this in the entity analytics migration flow instead
CAWilson94
changed the title
CAWilson94
added
release_note:skip
jaredburgettelastic
approved these changes
Mar 30, 2026
Contributor
💔 Build Failed
Failed CI Steps
Test Failures
Metrics [docs]
Historycc @CAWilson94 |
tiansivive
reviewed
Mar 30, 2026
| // credentials of the user who installed the Entity Store) rather than | ||
| // buildScopedInternalSavedObjectsClientUnsafe, which builds its own fake | ||
| // request with empty headers and no auth credentials. | ||
| const soClient = coreStart.savedObjects.getScopedClient(fakeRequest, { |
Contributor
There was a problem hiding this comment.
I think we now have a better way of doing this. Maybe even privmon or risk engine already use the new version, so we can check later
Just flagging it, wont block for this!
Contributor
Author
There was a problem hiding this comment.
Thanks, I think you are correct . Will add it to the list!
Contributor
There was a problem hiding this comment.
Agreed, you can use this as an example of the new way to do so for entity maintainers. It comes with its own esClient, scoped to the user who originally enabled the entity store.
Contributor
There was a problem hiding this comment.
(we now get this for free from task manager)
tiansivive
approved these changes
Mar 30, 2026
Contributor
Author
Thanks @jaredburgettelastic nice catch! The check_registered_task_types.ts test only sees task types that are registered with default config. Since both entityAnalyticsEntityStoreV2 and entityAnalyticsWatchlistEnabled default to false, the watchlist maintainer task type (entity_store:v2:entity_maintainer_task:watchlist) won't be registered when that test runs — so we don't need to add it there yet. Same for the risk scoring maintainer, so we will need to update both once the flags are gone. |
jeramysoucy
pushed a commit
to jeramysoucy/kibana
that referenced
this pull request
Apr 1, 2026
### Summary
This PR adds the watchlist maintainer and registers it on plugin setup.
Additionally, all watchlists are synced on a 10 minute schedule.
**Feature flags:**
```
xpack.securitySolution.enableExperimental:
- entityAnalyticsEntityStoreV2
- entityAnalyticsWatchlistEnabled
```
Debugging log config:
```
logging:
loggers:
- name: plugins.securitySolution
level: debug
- name: plugins.entityStore
level: debug
```
Document generator commands:
```
yarn start organization-quick
yarn start generate-entity-maintainers-data --quick
```
Example watchlist with entity source
```
// watchlist
POST kbn:/api/entity_analytics/watchlists
{
"name": "test-name-1",
"description": "Test watchlist for index sync-1",
"riskModifier": 1.5,
"managed": false
}
// get the id for the next call
GET kbn:/api/entity_analytics/watchlists/list
// entity source for this watchlist
POST kbn:/api/entity_analytics/watchlists/{watchlist-id}/entity_source
{
"type": "index",
"name": "some-watchlist-source-name",
"queryRule": "entity.risk.calculated_level : \"High\" or entity.risk.calculated_level : \"Moderate\"",
"identifierField": "user.name"
}
GET .entity-analytics.watchlists.test-name-1-default/_search
```
Testing Steps:
0. Update WATCHLIST_MAINTAINER_INTERVAL in register watchlist maintainer
to something smol like 1m
1. Start up kibana with the admin/platinum license.
2. Ensure entity analytics is enabled (v2)
3. With the data generated from document generator ...
4. Look in kibana logs for Entity Analytics Watchlist Maintainer
5. Head over to dev tools and create a watchlist with an entity source
6. Head back to the kibana logs, look out for:
'Watchlist maintainer run for namespace "default'
Then something like
'Found n watchlist(s) to sync in namespace "default"
Syncing watchlist "name" (<watchlist-id>)'
7. Go back to dev tools and have a look at the watchlist index to see
synced entities!
---------
Co-authored-by: Jared Burgett <147995946+jaredburgettelastic@users.noreply.github.com>
paulinashakirova
pushed a commit
to paulinashakirova/kibana
that referenced
this pull request
Apr 2, 2026
### Summary
This PR adds the watchlist maintainer and registers it on plugin setup.
Additionally, all watchlists are synced on a 10 minute schedule.
**Feature flags:**
```
xpack.securitySolution.enableExperimental:
- entityAnalyticsEntityStoreV2
- entityAnalyticsWatchlistEnabled
```
Debugging log config:
```
logging:
loggers:
- name: plugins.securitySolution
level: debug
- name: plugins.entityStore
level: debug
```
Document generator commands:
```
yarn start organization-quick
yarn start generate-entity-maintainers-data --quick
```
Example watchlist with entity source
```
// watchlist
POST kbn:/api/entity_analytics/watchlists
{
"name": "test-name-1",
"description": "Test watchlist for index sync-1",
"riskModifier": 1.5,
"managed": false
}
// get the id for the next call
GET kbn:/api/entity_analytics/watchlists/list
// entity source for this watchlist
POST kbn:/api/entity_analytics/watchlists/{watchlist-id}/entity_source
{
"type": "index",
"name": "some-watchlist-source-name",
"queryRule": "entity.risk.calculated_level : \"High\" or entity.risk.calculated_level : \"Moderate\"",
"identifierField": "user.name"
}
GET .entity-analytics.watchlists.test-name-1-default/_search
```
Testing Steps:
0. Update WATCHLIST_MAINTAINER_INTERVAL in register watchlist maintainer
to something smol like 1m
1. Start up kibana with the admin/platinum license.
2. Ensure entity analytics is enabled (v2)
3. With the data generated from document generator ...
4. Look in kibana logs for Entity Analytics Watchlist Maintainer
5. Head over to dev tools and create a watchlist with an entity source
6. Head back to the kibana logs, look out for:
'Watchlist maintainer run for namespace "default'
Then something like
'Found n watchlist(s) to sync in namespace "default"
Syncing watchlist "name" (<watchlist-id>)'
7. Go back to dev tools and have a look at the watchlist index to see
synced entities!
---------
Co-authored-by: Jared Burgett <147995946+jaredburgettelastic@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds the watchlist maintainer and registers it on plugin setup. Additionally, all watchlists are synced on a 10 minute schedule.
Feature flags:
Debugging log config:
Document generator commands:
Example watchlist with entity source
Testing Steps:
0. Update WATCHLIST_MAINTAINER_INTERVAL in register watchlist maintainer to something smol like 1m
'Watchlist maintainer run for namespace "default'
Then something like
'Found n watchlist(s) to sync in namespace "default"
Syncing watchlist "name" ()'