Added mapping for actor and target entity id, related.entity #224483


Draft · wants to merge 20 commits into base: main

Conversation

@kfirpeled kfirpeled commented Jun 18, 2025

Summary

Resolves #221036

Adds new field mappings: actor.entity.id, target.entity.id, related.entity of type keyword to the security alerts index.
These fields are necessary for querying the alerts index as part of the graph feature (#221037).

related.entity is currently waiting for ECS approval - elastic/ecs#2360
actor.entity.id, target.entity.id are added only to security's alerts

What this PR affects:

  • Allows the user to filter by actor.entity.id, target.entity.id, related.entity

Video 🎥 Before: Screen.Recording.2025-06-18.at.19.19.18.mov

Video 🎥 After: Screen.Recording.2025-06-18.at.19.21.51.mov

Besides the immediate effect of the ability to fetch data using these fields, this PR is a requirement to move forward with upcoming features like: #224783

Example video of upcoming use 🎥
Screen.Recording.2025-06-29.at.19.42.23.mov

How to test locally

  1. Start elasticsearch and kibana locally
  2. To add mock data run the following:

```shell
node scripts/es_archiver load x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/logs_gcp_audit \
 --es-url http://elastic:changeme@localhost:9200 \
 --kibana-url http://elastic:changeme@localhost:5601

node scripts/es_archiver load x-pack/solutions/security/test/cloud_security_posture_functional/es_archives/security_alerts \
 --es-url http://elastic:changeme@localhost:9200 \
 --kibana-url http://elastic:changeme@localhost:5601
```

  3. Open the Alerts page in kibana. Update the date-picker to include data from a year ago. Then check one of the alerts' details by opening the right-side flyout and find the "Graph preview" section in it.
  4. Filter by one of these fields

Checklist

Identify risks

  • In case the new mapping is not applied on existing documents, it means they won't be retrieved using the new fields
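As an added example (not code from this PR or from Kibana), the three new keyword fields modelled in an assumed alertsFieldMap-style object, expanded into an Elasticsearch `properties` mapping, plus a check of an index's mapping that surfaces the risk listed above: an index that never received the mapping keeps the values in `_source` but cannot be filtered by them. The `FieldDef` shape, `toEsProperties`, `missingOrMistyped` and the `legacyIndexProps` sample are all assumptions constructed here.

```typescript
// Added example, not the PR's code: assumed field-map shape and helpers.
type FieldDef = { type: string; array: boolean; required: boolean };
type FieldMap = Record<string, FieldDef>;
type EsProps = { [key: string]: { type?: string; properties?: EsProps } };

// The three fields the PR adds, all of type keyword (related.entity is multi-valued).
export const entityFieldMap: FieldMap = {
  'actor.entity.id': { type: 'keyword', array: false, required: false },
  'target.entity.id': { type: 'keyword', array: false, required: false },
  'related.entity': { type: 'keyword', array: true, required: false },
};

// Expand dotted field names into the nested "properties" tree Elasticsearch expects.
export function toEsProperties(fieldMap: FieldMap): EsProps {
  const root: EsProps = {};
  for (const [path, def] of Object.entries(fieldMap)) {
    const parts = path.split('.');
    let node = root;
    parts.forEach((part, i) => {
      if (i === parts.length - 1) {
        node[part] = { type: def.type };
      } else {
        const next = node[part] ?? (node[part] = { properties: {} });
        node = next.properties ??= {};
      }
    });
  }
  return root;
}

// Walk the "properties" tree from GET <index>/_mapping and report which fields of
// the field map are absent or mapped with a different type; those are the fields a
// filter on the Alerts page would silently miss for that index.
export function missingOrMistyped(props: EsProps, fieldMap: FieldMap): string[] {
  const bad: string[] = [];
  for (const [path, def] of Object.entries(fieldMap)) {
    const parts = path.split('.');
    let node: EsProps | undefined = props;
    for (const part of parts.slice(0, -1)) node = node?.[part]?.properties;
    const leaf = node?.[parts[parts.length - 1]];
    if (leaf?.type !== def.type) bad.push(path);
  }
  return bad;
}

// Constructed sample of a pre-upgrade alerts index mapping: related.ip exists,
// none of the new entity fields do.
export const legacyIndexProps: EsProps = {
  related: { properties: { ip: { type: 'ip' } } },
};
```

Running `missingOrMistyped` against the live mapping of each backing index is the check that tells you whether older alert documents will be reachable through the new fields.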

@kfirpeled kfirpeled added release_note:skip Skip the PR/issue when compiling release notes Team:Cloud Security Cloud Security team related backport:prev-major Backport to (8.19, 8.18, 8.17) the previous major branch and other branches in development labels Jun 18, 2025
@kfirpeled kfirpeled marked this pull request as ready for review June 18, 2025 18:05
@kfirpeled kfirpeled requested review from a team as code owners June 18, 2025 18:05
@elasticmachine
Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)

@kfirpeled kfirpeled marked this pull request as draft June 25, 2025 12:33
@kfirpeled kfirpeled marked this pull request as ready for review June 26, 2025 15:30
@kfirpeled kfirpeled requested a review from a team as a code owner June 26, 2025 15:30
@kfirpeled kfirpeled requested a review from denar50 June 26, 2025 15:30
* 2.0.
*/

import { alertsFieldMap8190 } from '../8.19.0';
Is it correct to import from 8.19? Or should I have imported from an earlier release?

I think this is fine, given that the new mappings are always based on those of the previous release.

@kfirpeled kfirpeled added backport:skip This commit does not require backporting and removed backport:prev-major Backport to (8.19, 8.18, 8.17) the previous major branch and other branches in development labels Jun 26, 2025
@kfirpeled kfirpeled requested a review from a team as a code owner June 27, 2025 10:05
@kfirpeled kfirpeled force-pushed the cspm/alerts-mapping-update branch from f0269b4 to ffc9f2b Compare June 27, 2025 10:06
@kfirpeled kfirpeled requested review from ymao1 and removed request for a team June 27, 2025 10:07
@ymao1 ymao1 left a comment

response ops changes lgtm

@denar50 denar50 left a comment

LGTM! I have run the PR locally and tested that I am indeed able to filter by the added fields following the instructions provided.

@elasticmachine
💚 Build Succeeded

Metrics: ✅ unchanged

@kfirpeled kfirpeled marked this pull request as draft July 13, 2025 08:08
Labels: backport:skip (This commit does not require backporting), release_note:skip (Skip the PR/issue when compiling release notes), Team:Cloud Security (Cloud Security team related)
Successfully merging this pull request may close these issues.

Apply new mappings to alerts index
4 participants