Watchlists maintainer, sync all watchlists on setup #260144
jaredburgettelastic merged 6 commits into main
```
logger.debug(`Initializing watchlist maintainer for namespace "${namespace}"`);

// TODO: add watchlist-specific setup logic here (e.g. saved objects, data client init)
// Add in call to pre-built watchlists install
```
Doing this in the entity analytics migration flow instead
cc @CAWilson94
```
// credentials of the user who installed the Entity Store) rather than
// buildScopedInternalSavedObjectsClientUnsafe, which builds its own fake
// request with empty headers and no auth credentials.
const soClient = coreStart.savedObjects.getScopedClient(fakeRequest, {
```
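Review bot: the comment above justifies getScopedClient(fakeRequest, …) over buildScopedInternalSavedObjectsClientUnsafe, but the snippet never says where fakeRequest is built or what it carries; add one sentence naming its origin, and state what the maintainer does when the installing user's credentials no longer grant the needed privileges, since every run is bounded by that user's role rather than by an internal user and readers will otherwise assume a fallback to an unscoped client.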
I think we now have a better way of doing this. Maybe even privmon or risk engine already use the new version, so we can check later.
Just flagging it, won't block for this!
Thanks, I think you are correct. Will add it to the list!
Agreed, you can use this as an example of the new way to do so for entity maintainers. It comes with its own esClient, scoped to the user who originally enabled the entity store.
(we now get this for free from task manager)
Thanks @jaredburgettelastic nice catch! The check_registered_task_types.ts test only sees task types that are registered with default config. Since both entityAnalyticsEntityStoreV2 and entityAnalyticsWatchlistEnabled default to false, the watchlist maintainer task type (entity_store:v2:entity_maintainer_task:watchlist) won't be registered when that test runs — so we don't need to add it there yet. Same for the risk scoring maintainer, so we will need to update both once the flags are gone.
### Summary
This PR adds the watchlist maintainer and registers it on plugin setup.
Additionally, all watchlists are synced on a 10 minute schedule.
**Feature flags:**
```
xpack.securitySolution.enableExperimental:
- entityAnalyticsEntityStoreV2
- entityAnalyticsWatchlistEnabled
```
Debugging log config:
```
logging:
loggers:
- name: plugins.securitySolution
level: debug
- name: plugins.entityStore
level: debug
```
Document generator commands:
```
yarn start organization-quick
yarn start generate-entity-maintainers-data --quick
```
Example watchlist with entity source:
```
// watchlist
POST kbn:/api/entity_analytics/watchlists
{
"name": "test-name-1",
"description": "Test watchlist for index sync-1",
"riskModifier": 1.5,
"managed": false
}
// get the id for the next call
GET kbn:/api/entity_analytics/watchlists/list
// entity source for this watchlist
POST kbn:/api/entity_analytics/watchlists/{watchlist-id}/entity_source
{
"type": "index",
"name": "some-watchlist-source-name",
"queryRule": "entity.risk.calculated_level : \"High\" or entity.risk.calculated_level : \"Moderate\"",
"identifierField": "user.name"
}
GET .entity-analytics.watchlists.test-name-1-default/_search
```
Testing Steps:
0. Update WATCHLIST_MAINTAINER_INTERVAL in register watchlist maintainer to something small like 1m
1. Start up kibana with the admin/platinum license.
2. Ensure entity analytics is enabled (v2)
3. With the data generated from document generator ...
4. Look in kibana logs for Entity Analytics Watchlist Maintainer
5. Head over to dev tools and create a watchlist with an entity source
6. Head back to the kibana logs and look out for:
```
Watchlist maintainer run for namespace "default"
```
Then something like:
```
Found n watchlist(s) to sync in namespace "default"
Syncing watchlist "name" (<watchlist-id>)
```
7. Go back to dev tools and have a look at the watchlist index to see
synced entities!
---------
Co-authored-by: Jared Burgett <147995946+jaredburgettelastic@users.noreply.github.com>
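The run the testing steps describe, as an added example that is not Kibana's own code: a stand-alone TypeScript model of one maintainer pass over a namespace. The Watchlist, EntitySource and Doc types, the search callback standing in for the Elasticsearch client, the treatment of an entity source's name as the index to search, and the sample documents are all assumptions of this example; the queryRule parser handles only the `field : "value" or field : "value"` shape used in the description above and rejects anything else instead of guessing.

```typescript
// Added example, not Kibana's implementation. Types, the search callback and the
// sample documents below are assumptions made for this example; only the field
// names, the index naming and the log lines come from the PR description.

interface Watchlist {
  id: string;
  name: string;
  description: string;
  riskModifier: number;
  managed: boolean;
}

interface EntitySource {
  type: 'index';
  name: string; // assumed here to be the index the source is searched from
  queryRule: string;
  identifierField: string;
}

// Flat documents keyed by full field path, e.g. doc['user.name'].
type Doc = Record<string, string | number | undefined>;

// Stand-in for the Elasticsearch client. In the real task the client is scoped
// to the user who enabled the Entity Store, so reads are bounded by that role.
type SearchFn = (index: string) => Doc[];

interface SyncResult {
  watchlistId: string;
  indexName: string;
  entities: string[];
}

// Parse the limited KQL shape used in the description:
//   field : "value" or field : "value" ...
// Anything else throws rather than silently matching nothing (or everything).
function parseQueryRule(rule: string): (doc: Doc) => boolean {
  const clauses = rule.split(/\s+or\s+/i).map((raw) => {
    const m = raw.trim().match(/^([\w.]+)\s*:\s*"([^"]*)"$/);
    if (!m) {
      throw new Error(`unsupported queryRule clause: ${raw.trim()}`);
    }
    return { field: String(m[1]), value: String(m[2]) };
  });
  return (doc) =>
    clauses.some((c) => doc[c.field] !== undefined && String(doc[c.field]) === c.value);
}

// Index naming as used in the description's final GET call.
function watchlistIndexName(watchlistName: string, namespace: string): string {
  return `.entity-analytics.watchlists.${watchlistName}-${namespace}`;
}

// Resolve one watchlist to the de-duplicated set of identifiers its sources select.
function syncWatchlist(
  watchlist: Watchlist,
  sources: EntitySource[],
  namespace: string,
  search: SearchFn
): SyncResult {
  const entities = new Set<string>();
  for (const source of sources) {
    const matches = parseQueryRule(source.queryRule);
    for (const doc of search(source.name)) {
      const id = doc[source.identifierField];
      // A document without the identifier field cannot be placed on a watchlist.
      if (id === undefined || !matches(doc)) continue;
      entities.add(String(id));
    }
  }
  return {
    watchlistId: watchlist.id,
    indexName: watchlistIndexName(watchlist.name, namespace),
    entities: Array.from(entities).sort(),
  };
}

// One scheduled run: every watchlist in the namespace is synced, and the
// returned log lines are the ones step 6 of the testing steps says to look for.
function runWatchlistMaintainer(
  namespace: string,
  watchlists: Watchlist[],
  sourcesByWatchlist: Record<string, EntitySource[]>,
  search: SearchFn
): { logs: string[]; results: SyncResult[] } {
  const logs: string[] = [`Watchlist maintainer run for namespace "${namespace}"`];
  logs.push(`Found ${watchlists.length} watchlist(s) to sync in namespace "${namespace}"`);
  const results: SyncResult[] = [];
  for (const wl of watchlists) {
    logs.push(`Syncing watchlist "${wl.name}" (${wl.id})`);
    results.push(syncWatchlist(wl, sourcesByWatchlist[wl.id] ?? [], namespace, search));
  }
  return { logs, results };
}

// Constructed sample data mirroring the description's example (not real data).
const SAMPLE_WATCHLIST: Watchlist = {
  id: 'wl-1',
  name: 'test-name-1',
  description: 'Test watchlist for index sync-1',
  riskModifier: 1.5,
  managed: false,
};
const SAMPLE_SOURCE: EntitySource = {
  type: 'index',
  name: 'some-watchlist-source-name',
  queryRule: 'entity.risk.calculated_level : "High" or entity.risk.calculated_level : "Moderate"',
  identifierField: 'user.name',
};
const SAMPLE_DOCS: Record<string, Doc[]> = {
  'some-watchlist-source-name': [
    { 'user.name': 'alice', 'entity.risk.calculated_level': 'High' },
    { 'user.name': 'bob', 'entity.risk.calculated_level': 'Low' },
    { 'user.name': 'carol', 'entity.risk.calculated_level': 'Moderate' },
    { 'user.name': 'alice', 'entity.risk.calculated_level': 'Moderate' }, // duplicate entity
    { 'entity.risk.calculated_level': 'High' }, // no identifier field
  ],
};

function demo(): { logs: string[]; results: SyncResult[] } {
  return runWatchlistMaintainer('default', [SAMPLE_WATCHLIST], { 'wl-1': [SAMPLE_SOURCE] },
    (index) => SAMPLE_DOCS[index] ?? []);
}
```

Calling demo() returns the three log lines from step 6 and, for the .entity-analytics.watchlists.test-name-1-default index, the entities alice and carol: the duplicate alice document collapses to one entity, bob fails the queryRule, and the document without user.name is skipped. Rejecting unsupported rule shapes is deliberate; a rule the maintainer cannot evaluate should fail the run loudly rather than quietly put nobody (or everybody) on a risk-modifying watchlist.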