[Entity Analytics] Move scripted metric painless scripts to static file & remove category based weighting #182038
+140
−542
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…based weighting the category based weighting, like all weighting, isn't used and we probably won't re-implement it in the next version of risk scoring this commit probably doesn't work. i can't get integration tests running locally I put the painless scripts in a directory and I load them from the file system at runtime. We should figure out how to bundle the scripts possibly. I'm not sure that it matters a lot, but I would like any static analysis processes to be able to work with this code as usual. e.g. i'd like to get a static-time error if a file is missing vs needing to run the risk engine task to find out a file is missing
hop-dev
changed the title
hop-dev
added
release_note:skip
|
Pinging @elastic/security-entity-analytics (Team:Entity Analytics) |
|
@elasticmachine merge upstream |
…stic/kibana into risk-score-painless-refactor
…stic/kibana into risk-score-painless-refactor
hop-dev
reviewed
May 13, 2024
...curity_solution/server/lib/entity_analytics/risk_score/painless/risk_scoring_reduce.painless
Outdated
Show resolved
Hide resolved
machadoum
reviewed
May 16, 2024
...curity_solution/server/lib/entity_analytics/risk_score/painless/risk_scoring_reduce.painless
Outdated
Show resolved
Hide resolved
machadoum
reviewed
May 16, 2024
...curity_solution/server/lib/entity_analytics/risk_score/painless/risk_scoring_reduce.painless
Outdated
Show resolved
Hide resolved
💚 Build Succeeded
Metrics [docs]Async chunks
Unknown metric groupsESLint disabled line counts
Total ESLint disabled count
History
To update your PR or re-run it, just comment with: cc @hop-dev |
kibanamachine
added
v8.15.0
backport:skip
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
The scripted metric aggregation is being deprecated but an exception is being made for our team, moving the painless to static files allows for this exception to be made. We have had to remove category weighting to make the script less dynamic, weights weren't used anyway so not a breaking change.
The scripts are loaded once when they are first used and then cached. A unit test verifies the content of the script hasnt changed.
Tested locally with hosts and users with 100 alerts, risk score docs the same before and after.
Here is a diff of the scripted metric before and after https://www.diffchecker.com/gefuBoYK/