[Security Solutions] Sync EA transform with risk engine (#167371)
## Summary

@elastic/security-entity-analytics

When the risk engine is enabled, users must wait at least one hour to see risk score data. This PR fixes the issue by scheduling the latest transform after the risk score task finishes.

The first time the risk score runs, it will call `start transform`. That is necessary to ensure the transform doesn't run on an empty index. On the subsequent runs, it will call `schedule transform now`.

How to test it?

* Open kibana with an empty ES
* Make sure you have the appropriate license
* Ingest some events and generate alerts
* Enable the risk engine
* Open the Entity Analytics Dashboard
* You should see risk score data (if it isn't there yet, refresh the page)

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/packages/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

---------

Co-authored-by: Ryland Herrick <[email protected]>
Showing 11 changed files with 171 additions and 21 deletions.
58 changes: 58 additions & 0 deletions
x-pack/plugins/security_solution/server/lib/risk_engine/utils/transforms.test.ts
@@ -0,0 +1,58 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
import type { TransformGetTransformStatsResponse } from '@elastic/elasticsearch/lib/api/types'; | ||
import { elasticsearchServiceMock } from '@kbn/core/server/mocks'; | ||
import { scheduleTransformNow } from './transforms'; | ||
|
||
const transformId = 'test_transform_id'; | ||
|
||
const startedTransformsMock = { | ||
count: 1, | ||
transforms: [ | ||
{ | ||
id: 'test_transform_id_1', | ||
state: 'started', | ||
}, | ||
], | ||
} as TransformGetTransformStatsResponse; | ||
|
||
const stoppedTransformsMock = { | ||
count: 1, | ||
transforms: [ | ||
{ | ||
id: 'test_transform_id_2', | ||
state: 'stopped', | ||
}, | ||
], | ||
} as TransformGetTransformStatsResponse; | ||
|
||
describe('transforms utils', () => { | ||
beforeEach(() => { | ||
jest.resetAllMocks(); | ||
}); | ||
|
||
describe('scheduleTransformNow', () => { | ||
it('calls startTransform when the transform state is stopped ', async () => { | ||
const esClient = elasticsearchServiceMock.createScopedClusterClient().asCurrentUser; | ||
esClient.transform.getTransformStats.mockResolvedValueOnce(stoppedTransformsMock); | ||
|
||
await scheduleTransformNow({ esClient, transformId }); | ||
|
||
expect(esClient.transform.startTransform).toHaveBeenCalled(); | ||
}); | ||
|
||
it('calls scheduleNowTransform when the transform state is started ', async () => { | ||
const esClient = elasticsearchServiceMock.createScopedClusterClient().asCurrentUser; | ||
esClient.transform.getTransformStats.mockResolvedValueOnce(startedTransformsMock); | ||
|
||
await scheduleTransformNow({ esClient, transformId }); | ||
|
||
expect(esClient.transform.scheduleNowTransform).toHaveBeenCalled(); | ||
}); | ||
}); | ||
}); |
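Review bot: the fixtures never use the id the function is asked about, so these tests cannot tell whether `scheduleTransformNow` looks at the right transform: `transformId` is `'test_transform_id'`, but `startedTransformsMock` and `stoppedTransformsMock` report stats for `'test_transform_id_1'` and `'test_transform_id_2'`. Give the fixtures the same id as `transformId`, and tighten the two bare `expect(...).toHaveBeenCalled()` checks to `toHaveBeenCalledWith(expect.objectContaining({ transform_id: transformId }))` so a regression that starts or schedules a different transform is caught rather than passing on any call. Worth a third case as well: a stats response with `count: 0` and `transforms: []`, which is the state on the very first run the commit message singles out, should be asserted to take the `startTransform` path (or to fail loudly), since nothing here pins down what the function does when no matching transform is reported. Minor: both `it(...)` descriptions end with a trailing space before the closing quote.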