diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml
index d1dd40f4b6eb8..7bbcbc30e0085 100644
--- a/oas_docs/output/kibana.serverless.yaml
+++ b/oas_docs/output/kibana.serverless.yaml
@@ -7567,6 +7567,8 @@ paths:
 schema:
 type: object
 properties:
+ enrichPolicyExecutionInterval:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval'
 fieldHistoryLength:
 default: 10
 description: The number of historical values to keep for each field.
@@ -46875,6 +46877,11 @@ components:
 required:
 - dsl
 - response
+ Security_Entity_Analytics_API_Interval:
+ description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour.
+ example: 1h
+ pattern: ^[1-9]\d*[smh]$
+ type: string
 Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse:
 type: object
 properties:
diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml
index 3f687bb2f9164..dafc87a30c215 100644
--- a/oas_docs/output/kibana.yaml
+++ b/oas_docs/output/kibana.yaml
@@ -13144,6 +13144,8 @@ paths:
 schema:
 type: object
 properties:
+ enrichPolicyExecutionInterval:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval'
 fieldHistoryLength:
 default: 10
 description: The number of historical values to keep for each field.
@@ -35275,6 +35277,11 @@ components:
 required:
 - dsl
 - response
+ Security_Entity_Analytics_API_Interval:
+ description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour.
+ example: 1h
+ pattern: ^[1-9]\d*[smh]$
+ type: string
 Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse:
 type: object
 properties:
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/common.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/common.gen.ts
index 8fd0b17161154..8fa1a680a2396 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/common.gen.ts
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/common.gen.ts
@@ -80,3 +80,9 @@ export const InspectQuery = z.object({
 response: z.array(z.string()),
 dsl: z.array(z.string()),
 });
+
+/**
+ * Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour.
+ */
+export type Interval = z.infer;
+export const Interval = z.string().regex(/^[1-9]\d*[smh]$/);
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/common.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/common.schema.yaml
index 68b6e6612735c..f4c174e1213bb 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/common.schema.yaml
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/common.schema.yaml
@@ -113,3 +113,8 @@ components:
 required:
 - dsl
 - response
+ Interval:
+ type: string
+ description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour.
+ pattern: '^[1-9]\d*[smh]$' # any number except zero followed by one of the suffixes 's', 'm', 'h'
+ example: '1h'
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/enable.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/enable.schema.yaml
index 81eec22d9ade9..7074f938fb839 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/enable.schema.yaml
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/enable.schema.yaml
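Review bot: The `Interval` schema in common.schema.yaml (and its generated twin in common.gen.ts, `z.string().regex(/^[1-9]\d*[smh]$/)`) validates only the shape of the value, so a request can set an enrich interval as small as `1s` with no lower bound, and nothing in this diff clamps it before it becomes the task schedule. Because the value is taken from the API body, consider adding a minimum to the schema source and regenerating, or rejecting sub-minute values server-side, and stating the accepted range in the description. The description also says the value means "the rule runs every hour", but this interval drives the field-retention enrich policy task, not a rule; `description: Interval at which the field retention enrich policy task runs. For example, "1h" means it runs every hour.` would be accurate. The same wording is copied into the four generated OpenAPI bundles in this diff, so fix it here and regenerate.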
@@ -27,6 +27,12 @@ paths:
 $ref: './common.schema.yaml#/components/schemas/IndexPattern'
 filter:
 type: string
+ entityTypes:
+ type: array
+ items:
+ $ref: './common.schema.yaml#/components/schemas/EntityType'
+ enrichPolicyExecutionInterval:
+ $ref: './common.schema.yaml#/components/schemas/Interval'
 responses:
 '200':
 description: Successful response
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/engine/init.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/engine/init.gen.ts
index e3dcd55e0acc1..c5d0f438be63d 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/engine/init.gen.ts
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/engine/init.gen.ts
@@ -16,7 +16,7 @@
 import { z } from '@kbn/zod';
-import { EntityType, IndexPattern, EngineDescriptor } from '../common.gen';
+import { EntityType, IndexPattern, Interval, EngineDescriptor } from '../common.gen';
 export type InitEntityEngineRequestParams = z.infer;
 export const InitEntityEngineRequestParams = z.object({
@@ -35,6 +35,7 @@ export const InitEntityEngineRequestBody = z.object({
 fieldHistoryLength: z.number().int().optional().default(10),
 indexPattern: IndexPattern.optional(),
 filter: z.string().optional(),
+ enrichPolicyExecutionInterval: Interval.optional(),
 });
 export type InitEntityEngineRequestBodyInput = z.input;
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/engine/init.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/engine/init.schema.yaml
index 94a0d84e8cad0..155b8bb1e2185 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/engine/init.schema.yaml
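Review bot: enable.schema.yaml now declares `entityTypes` and `enrichPolicyExecutionInterval` on the enable request body, but no hunk for its generated counterpart (enable.gen.ts, which would sort between common.schema.yaml and enable.schema.yaml in this diff) is visible, whereas init.schema.yaml's counterpart init.gen.ts was regenerated. If enable.gen.ts was not regenerated, the `InitEntityStoreRequestBody` zod object will strip the new fields and the destructuring added in `EntityStoreDataClient.enable` never receives them. Please confirm the generator was run for enable.schema.yaml, or that the hunk simply lies outside this excerpt.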
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/entity_analytics/entity_store/engine/init.schema.yaml
@@ -33,6 +33,8 @@ paths:
 $ref: '../common.schema.yaml#/components/schemas/IndexPattern'
 filter:
 type: string
+ enrichPolicyExecutionInterval:
+ $ref: '../common.schema.yaml#/components/schemas/Interval'
 responses:
 '200':
 description: Successful response
diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
index 365ff741b790e..d2240e8dac112 100644
--- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
+++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
@@ -418,6 +418,8 @@ paths:
 schema:
 type: object
 properties:
+ enrichPolicyExecutionInterval:
+ $ref: '#/components/schemas/Interval'
 fieldHistoryLength:
 default: 10
 description: The number of historical values to keep for each field.
@@ -1134,6 +1136,13 @@ components:
 required:
 - dsl
 - response
+ Interval:
+ description: >-
+ Interval in which enrich policy runs. For example, `"1h"` means the rule
+ runs every hour.
+ example: 1h
+ pattern: ^[1-9]\d*[smh]$
+ type: string
 RiskEngineScheduleNowErrorResponse:
 type: object
 properties:
diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
index e0e6127795059..7b49d23d6024a 100644
--- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
+++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml
@@ -307,6 +307,15 @@ paths:
 schema:
 type: object
 properties:
+<<<<<<< HEAD
+=======
+ enrichPolicyExecutionInterval:
+ $ref: '#/components/schemas/Interval'
+ entityTypes:
+ items:
+ $ref: '#/components/schemas/EntityType'
+ type: array
+>>>>>>> 1ca4d967d92 ([SecuritySolution] Add enrichPolicyExecutionInterval to entity enablement and init APIs (#207374))
 fieldHistoryLength:
 default: 10
 description: The number of historical values to keep for each field.
@@ -418,6 +427,8 @@ paths:
 schema:
 type: object
 properties:
+ enrichPolicyExecutionInterval:
+ $ref: '#/components/schemas/Interval'
 fieldHistoryLength:
 default: 10
 description: The number of historical values to keep for each field.
@@ -1134,6 +1145,13 @@ components:
 required:
 - dsl
 - response
+ Interval:
+ description: >-
+ Interval in which enrich policy runs. For example, `"1h"` means the rule
+ runs every hour.
+ example: 1h
+ pattern: ^[1-9]\d*[smh]$
+ type: string
 RiskEngineScheduleNowErrorResponse:
 type: object
 properties:
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_store_data_client.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_store_data_client.ts
index a706e0a35335d..87bf1d78548c0 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_store_data_client.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/entity_store_data_client.ts
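Review bot: The serverless bundle hunk at `@@ -307,6 +307,15 @@` commits unresolved merge-conflict markers as added lines (`+<<<<<<< HEAD`, `+=======`, `+>>>>>>> 1ca4d967d92 (...)`), which leaves the generated YAML unparsable for any consumer of that bundle. The markers must be removed and the bundle regenerated from the source schemas rather than hand-edited. The ESS bundle in this diff has no counterpart to the line-307 change (it only gains the `enrichPolicyExecutionInterval` hunk at line 418 and the `Interval` component), which suggests the two bundles were produced from different states of enable.schema.yaml; regenerating both from the final schemas should reconcile them.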
@@ -88,6 +88,7 @@ import {
 import { CRITICALITY_VALUES } from '../asset_criticality/constants';
 import { createEngineDescription } from './installation/engine_description';
 import { convertToEntityManagerDefinition } from './entity_definitions/entity_manager_conversion';
+import { DEFAULT_INTERVAL } from './task/constants';
 // Workaround. TransformState type is wrong. The health type should be: TransformHealth from '@kbn/transform-plugin/common/types/transform_stats'
 export interface TransformHealth extends estypes.TransformGetTransformStatsTransformStatsHealth {
@@ -200,7 +201,13 @@ export class EntityStoreDataClient {
 }
 public async enable(
- { indexPattern = '', filter = '', fieldHistoryLength = 10 }: InitEntityStoreRequestBody,
+ {
+ indexPattern = '',
+ filter = '',
+ fieldHistoryLength = 10,
+ entityTypes,
+ enrichPolicyExecutionInterval,
+ }: InitEntityStoreRequestBody,
 { pipelineDebugMode = false }: { pipelineDebugMode?: boolean } = {}
 ): Promise {
 if (!this.options.taskManager) {
@@ -216,7 +223,11 @@ export class EntityStoreDataClient {
 const promises = enginesTypes.map((entity) =>
 run(() =>
- this.init(entity, { indexPattern, filter, fieldHistoryLength }, { pipelineDebugMode })
+ this.init(
+ entity,
+ { indexPattern, filter, fieldHistoryLength, enrichPolicyExecutionInterval },
+ { pipelineDebugMode }
+ )
 )
 );
@@ -274,7 +285,12 @@ export class EntityStoreDataClient {
 public async init(
 entityType: EntityType,
- { indexPattern = '', filter = '', fieldHistoryLength = 10 }: InitEntityEngineRequestBody,
+ {
+ indexPattern = '',
+ filter = '',
+ fieldHistoryLength = 10,
+ enrichPolicyExecutionInterval = DEFAULT_INTERVAL,
+ }: InitEntityEngineRequestBody,
 { pipelineDebugMode = false }: { pipelineDebugMode?: boolean } = {}
 ): Promise {
 const { experimentalFeatures } = this.options;
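Review bot: In `enable`, `entityTypes` is now destructured from the request body but nothing in the hunks uses it; the engines are still iterated through `enginesTypes`, which is computed outside the hunk. If `entityTypes` was meant to restrict which engines get initialized it is not wired in, and if it is intentionally ignored the unused binding will trip `@typescript-eslint/no-unused-vars`; either feed it into wherever `enginesTypes` is derived or drop it from the destructuring. `enable` also forwards a possibly undefined `enrichPolicyExecutionInterval` into `init`, which works only because `init` defaults it to `DEFAULT_INTERVAL`; a comment at the call site, `// undefined falls through to DEFAULT_INTERVAL in init()`, would keep the two default sites from drifting. Both `enable` and `init` continue outside the hunks shown.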
@@ -330,6 +346,7 @@ export class EntityStoreDataClient {
 this.asyncSetup(
 entityType,
 fieldHistoryLength,
+ enrichPolicyExecutionInterval,
 this.options.taskManager,
 indexPattern,
 filter,
@@ -345,6 +362,7 @@ export class EntityStoreDataClient {
 private async asyncSetup(
 entityType: EntityType,
 fieldHistoryLength: number,
+ enrichPolicyExecutionInterval: string,
 taskManager: TaskManagerStartContract,
 indexPattern: string,
 filter: string,
@@ -425,6 +443,7 @@ export class EntityStoreDataClient {
 namespace,
 logger,
 taskManager,
+ interval: enrichPolicyExecutionInterval,
 });
 this.log(`debug`, entityType, `Started entity store field retention enrich task`);
 this.log(`info`, entityType, `Entity store initialized`);
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/task/constants.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/task/constants.ts
index 45d4bcb90fbb3..7eeb28e173048 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/task/constants.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/task/constants.ts
@@ -8,5 +8,5 @@
 export const SCOPE = ['securitySolution'];
 export const TYPE = 'entity_store:field_retention:enrichment';
 export const VERSION = '1.0.0';
-export const INTERVAL = '1h';
+export const DEFAULT_INTERVAL = '1h';
 export const TIMEOUT = '10m';
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/task/field_retention_enrichment_task.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/task/field_retention_enrichment_task.ts
index c8725fe864213..3d12d16c3d7ae 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/task/field_retention_enrichment_task.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/entity_store/task/field_retention_enrichment_task.ts
@@ -24,7 +24,7 @@ import {
 stateSchemaByVersion,
 type LatestTaskStateSchema as EntityStoreFieldRetentionTaskState,
 } from './state';
-import { INTERVAL, SCOPE, TIMEOUT, TYPE, VERSION } from './constants';
+import { SCOPE, TIMEOUT, TYPE, VERSION } from './constants';
 import type { EntityAnalyticsRoutesDeps } from '../../types';
 import { executeFieldRetentionEnrichPolicy } from '../elasticsearch_assets';
@@ -120,10 +120,12 @@ export const startEntityStoreFieldRetentionEnrichTask = async ({
 logger,
 namespace,
 taskManager,
+ interval,
 }: {
 logger: Logger;
 namespace: string;
 taskManager: TaskManagerStartContract;
+ interval: string;
 }) => {
 const taskId = getTaskId(namespace);
 const log = logFactory(logger, taskId);
@@ -136,7 +138,7 @@ export const startEntityStoreFieldRetentionEnrichTask = async ({
 taskType: getTaskName(),
 scope: SCOPE,
 schedule: {
- interval: INTERVAL,
+ interval,
 },
 state: { ...defaultState, namespace },
 params: { version: VERSION },
@@ -234,7 +236,7 @@ export const runTask = async ({
 telemetry.reportEvent(FIELD_RETENTION_ENRICH_POLICY_EXECUTION_EVENT.eventType, {
 duration: taskDurationInSeconds,
- interval: INTERVAL,
+ interval: taskInstance.schedule?.interval,
 });
 // Track entity store usage
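Review bot: `interval` is passed straight into the task `schedule` at `@@ -136,7 +138,7 @@`, but if that call is `taskManager.ensureScheduled` (the call name sits outside the hunk) an already-registered task keeps its existing schedule, so re-initializing the entity store with a different `enrichPolicyExecutionInterval` would silently leave the old interval in place; either remove the existing task before scheduling or document that the interval only takes effect on first scheduling. In `runTask`, `interval: taskInstance.schedule?.interval` turns the telemetry field from `string` into `string | undefined`; confirm the `FIELD_RETENTION_ENRICH_POLICY_EXECUTION_EVENT` schema accepts an absent value, or fall back with `interval: taskInstance.schedule?.interval ?? DEFAULT_INTERVAL` (re-importing it from './constants'). `startEntityStoreFieldRetentionEnrichTask` and `runTask` both continue outside the hunks shown.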