Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add related.entity to cloudtrail integration #11115

Merged
merged 17 commits into from
Sep 27, 2024

Conversation

romulets
Copy link
Member

@romulets romulets commented Sep 12, 2024

tldr; Adding related.entity to cloudtrail is part of the initial steps of CDR (epic overview). That enables our customers to better correlate events based on entities and enhances the investigation workflows for the Cloud Security use case.

ECS related.entity PR

Background

Elastic Cloud Security Team has been focusing, this past year, on Cloud Detection and Response (CDR). One of the first steps towards the CDR vision is to enhance investigation workflows for the Cloud Security use-case in SIEM.

As part of enhancing investigation workflows it's necessary to be able to correlate events and entities. Meaning, if an alert is triggered on the ec2 instance i-000000000, it is of great value to easily be able to search all the events related to that entity, across multiple indices, with one query. Therefore we are working on extracting entities and enabling them to be correlated.

Why related.entity

With this background, we've researched a few options on what would be the best approach to enable such feature (discussions https://github.com/elastic/security-team/issues/10026 and https://github.com/elastic/security-team/issues/9798, and outcomes https://github.com/elastic/security-team/issues/10152), and arrived at the ecs field related.

Based on the related description:

This field set is meant to facilitate pivoting around a piece of data.

Some pieces of information can be seen in many places in an ECS event.
To facilitate searching for them, store an array of all seen values to their
corresponding field in related..

To add a broad related.entity field that can hold any needed identifier to pivot data on seems to be well fitted. This would enable customers to simply run related.entity: "i-000000000" and get all the hits to that specific cloud resource.

What is an entity?

An "entity" in our context refers to any discrete component within an IT environment that can be uniquely identified and monitored. This broad term encompasses both managed and unmanaged elements.

The term "entity" is broader than the current set of available fields under related. Although ipuser and hosts can be identities, there is a lack of space to represent messaging queues, load balancers, storage systems, databases and others. Therefore the proposal to add a new field.

Related issues

@romulets romulets added the enhancement New feature or request label Sep 12, 2024
@romulets romulets self-assigned this Sep 12, 2024
@romulets romulets requested review from a team as code owners September 12, 2024 12:04
@andrewkroh andrewkroh added Integration:aws AWS Team:Obs-InfraObs Label for the Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations] labels Sep 12, 2024
@elasticmachine
Copy link

elasticmachine commented Sep 12, 2024

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@romulets
Copy link
Member Author

Leaked access key has been revoked!

@romulets romulets requested a review from andrewkroh September 13, 2024 07:26
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please add a link to the ECS related.entity PR in the description.

Can you post before/after results of the benchmark for this pipeline (see elastic-package benchmark pipeline -d cloudtrail -v, although I'm not sure how stable / repeatable these are at such low event counts).

@andrewkroh
Copy link
Member

andrewkroh commented Sep 18, 2024

I'm surprised in the amount of variance the benchmark command gives. Running it many times yields less deviation. It seems like this will cause about a 20% decrease in throughput for the pipeline. I think it would be worth running another comparison where we use script instead of foreach + append + mustache and see if that is any more performant.

Metric
Description Main PR PR + Defer Deduplication Inline processors in default.yml
Commit 6045da1 f27ceca d9bb940 d9cb32e
Average EPS 13379.47877 8633.592375 8681.124581 11405.02769
Stddev 766.3662518 446.2111618 436.8650981 701.414431
Min 10893.24619 7251.631617 7692.307692 8340.28357
Max 14705.88235 9225.092251 9398.496241 12091.89843
EPS Change to baseline -21.56% -21.30% -7.97%

Methodology

Add config file to use more events in each simulation.

# aws/data_stream/cloudtrail/_dev/test/pipeline/config.yml
---
num_docs: 10000

Run the benchmark a few times.

for i in {1..30}; do elastic-package benchmark pipeline -v -d cloudtrail --report-format json --report-output file; done

Copy the EPS rate from the results.

jq '.test[0].result[1].value' /Users/akroh/code/elastic/integrations/build/benchmark-results/* | pbcopy

Cleanup.

rm -f /Users/akroh/code/elastic/integrations/build/benchmark-results/*

Paste data into spreadsheet.


(edit 1: added another column to the table where processors were inlined)

@romulets romulets force-pushed the cloudtrail-entity-extraction branch 2 times, most recently from 510a09b to 8d85643 Compare September 19, 2024 11:22
@romulets
Copy link
Member Author

Thanks a lot for the contributions and tips @andrewkroh!

I ran the benchmarks with 100 cycles, because 15 was still not giving consistent results, with 100 I could get it (and it's fast enough to reproduce).

On this spreadsheet you can find the raw data and stats.

The results:

Code main PR Three brackets Painless Script
Commit 076cfec 3f5ac7f 36baf08 8d85643
Average EPS 16209.72785 10723.17927 10930.95625 13152.65734
Stddev 953.7813683 565.3165502 524.9144185 879.7901167
Min 11111.11111 9090.90909 9345.79439 9708.73786
Max 17543.85965 11494.25287 11494.25287 14285.71429
EPS AVG Change to baseline -33.85% -32.57% -18.86%
EPS Max Change to baseline -34.48% -34.48% -18.57%

With that, we can see that the painless script has less impact on performance.

I committed the fastest solution to this PR.

Obs: Right now, I'm sorting the entities list only for tests purposes, there is no need to do so on production data. That consumes a some processing and it's unfortunate to have it for testing purposes only. What I usually do is to sort data on the test layer, but on this case that's not possible. Let me know if you have other ideas about it @andrewkroh .

@romulets romulets requested a review from andrewkroh September 19, 2024 11:40
@andrewkroh
Copy link
Member

@romulets Can you please perform one more test where you inline the processors into default.yml. See my updated comment in #11115 (comment). Possibly that combined with your usage of script could yield even better results.


Obs: Right now, I'm sorting the entities list only for tests purposes, there is no need to do so on production data. That consumes a some processing and it's unfortunate to have it for testing purposes only.

We could propose a change to elastic-package to handle this. How much does the sorting cost?

@romulets romulets force-pushed the cloudtrail-entity-extraction branch from 8d85643 to 367974d Compare September 19, 2024 13:27
@romulets
Copy link
Member Author

@andrewkroh Indeed, the gains are relevant. I committed the changes.

Updated benchmarks:

Code main PR Three brackets Painless Script Inline in default.yml
Commit 076cfec0 3f5ac7f0 36baf08b 8d85643d 3f819532
Average EPS 16209.72785 10723.17927 10930.95625 13152.65734 15102.77816
Stddev 953.7813683 565.3165502 524.9144185 879.7901167 772.4165627
Min 11111.11111 9090.90909 9345.79439 9708.73786 12195.12195
Max 17543.85965 11494.25287 11494.25287 14285.71429 16129.03226
EPS AVG Change to baseline   -33.85% -32.57% -18.86% -6.83%
EPS Max Change to baseline   -34.48% -34.48% -18.57% -8.06%

@romulets romulets requested a review from andrewkroh September 19, 2024 14:32
Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thanks for going to the performance testing to get to an optimized version.

@romulets romulets force-pushed the cloudtrail-entity-extraction branch 2 times, most recently from 0947aa6 to fe9ef09 Compare September 20, 2024 08:23
@romulets romulets force-pushed the cloudtrail-entity-extraction branch from fe9ef09 to 325ab7c Compare September 20, 2024 08:24
@romulets romulets enabled auto-merge (squash) September 20, 2024 09:22
@romulets romulets disabled auto-merge September 20, 2024 10:20
@romulets romulets requested a review from devamanv September 26, 2024 07:35
Copy link
Contributor

@devamanv devamanv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left a couple of comments. Rest looks good to me.

@romulets romulets enabled auto-merge (squash) September 27, 2024 10:46
@elasticmachine
Copy link

💚 Build Succeeded

History

cc @romulets

@romulets romulets merged commit 83a5af6 into elastic:main Sep 27, 2024
3 checks passed
Copy link

Quality Gate failed Quality Gate failed

Failed conditions
8.1% Coverage on New Code (required ≥ 80%)

See analysis details on SonarQube

@elastic-vault-github-plugin-prod

Package aws - 2.25.0-preview01 containing this change is available at https://epr.elastic.co/search?package=aws

@efd6
Copy link
Contributor

efd6 commented Oct 3, 2024

I think this should have been 2.26.0-preview01.

@elastic-vault-github-plugin-prod

Package aws - 2.26.0-preview01 containing this change is available at https://epr.elastic.co/search?package=aws

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request Integration:aws AWS Team:Obs-InfraObs Label for the Observability Infrastructure Monitoring team [elastic/obs-infraobs-integrations]
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants