[SIEM][Detections] Rule Actions SavedObject mapping uses dynamic: true #64097

Closed
rylnd opened this issue Apr 21, 2020 · 3 comments
Labels: bug, Team: SecuritySolution, Team:SIEM, v7.7.1

Comments

@rylnd
Contributor

rylnd commented Apr 21, 2020

As uncovered during our migration to the new SavedObject API #64029 (particularly this comment), SIEM currently uses dynamic: true for the mapping of a rule action's params property. This is discouraged in the new API for good reason, as it continues to create mappings as new fields are ingested.

As long as we're not using params for search/aggregation (needs verification), we should instead follow what e.g. alerting does for its params mapping:

{ "type" : "object", "enabled" : false }
@rylnd added the bug, Team:SIEM and v7.7.0 labels Apr 21, 2020
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@patrykkopycinski
Contributor

@rylnd Thank you for taking care of that. I didn't know that dynamic: true is not supported by NP and missed the approach taken by the Alerting team. Params are not used for search/aggregation, so feel free to change that to
{ "type" : "object", "enabled" : false }

@rylnd
Contributor Author

rylnd commented May 19, 2020

master/7.x: #64350
7.7.1: #64358

@rylnd closed this as completed May 19, 2020
@MindyRS added the Team: SecuritySolution label Oct 27, 2020
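
Added example, not part of the original thread and not Kibana's own code: a lint that flags `dynamic: true` in a mapping tree, plus a simplified model of the field growth the issue describes compared with `enabled: false`. The mapping layout, every field name other than `params`, and the sample documents are constructed for illustration.

```javascript
// Added example, not Kibana code. Mapping, field names and documents are constructed.
const constructedMapping = {
  properties: {
    actions: {
      properties: {
        action_type_id: { type: 'keyword' },       // hypothetical sibling field
        params: { type: 'object', dynamic: true }, // the pattern the issue flags
      },
    },
  },
};

const constructedDocs = [
  { params: { message: 'Rule fired' } },
  { params: { to: ['soc@example.test'], subject: 'Alert', message: 'Rule fired' } },
  { params: { body: { severity: 'high', tags: ['siem'] }, note: null } },
];

const isDynamic = (def) => def.dynamic === true || def.dynamic === 'true';

// Lint: dotted paths of every mapping node that explicitly sets dynamic: true.
function findDynamicMappings(mapping, path = '') {
  const hits = [];
  for (const [name, def] of Object.entries(mapping.properties || {})) {
    const here = path ? `${path}.${name}` : name;
    if (isDynamic(def)) hits.push(here);
    hits.push(...findDynamicMappings(def, here));
  }
  return hits;
}

// Simplified model of mapping growth: with dynamic: true each new leaf path
// becomes a mapped field; with enabled: false the object is kept in _source
// but not parsed, so nothing is added. Nulls and empty arrays map nothing.
function fieldsAddedBy(docs, paramsMapping) {
  const added = new Set();
  if (paramsMapping.enabled === false || !isDynamic(paramsMapping)) return added;
  const walk = (value, path) => {
    if (value === null || value === undefined) return;
    if (Array.isArray(value)) value.forEach((v) => walk(v, path));
    else if (typeof value === 'object') {
      for (const [k, v] of Object.entries(value)) walk(v, `${path}.${k}`);
    } else added.add(path);
  };
  for (const doc of docs) walk(doc.params, 'params');
  return added;
}
```

With the constructed input, the lint reports `actions.params`, and the three documents add five mapped fields under `dynamic: true` and none under `enabled: false`.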