[Security Solution] New Data Quality dashboard Same family category
#167480
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
andrew-goldstein
added
backport:skip
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
@elasticmachine merge upstream |
angorayc
approved these changes
Oct 1, 2023
There was a problem hiding this comment.
Tested locally, all looks good, LGTM 🚀 Thank you @andrew-goldstein
michaelolo24
reviewed
Oct 2, 2023
| eventCategoryWithUnallowedValues, // isEcsCompliant: false, indexInvalidValues.length: 2, isInSameFamily: true, `keyword` and `keyword` are in the same family | ||
| hostNameWithTextMapping, // isEcsCompliant: false, indexInvalidValues.length: 0, isInSameFamily: false, `keyword` and `text` are not in the family | ||
| sourceIpWithTextMapping, // isEcsCompliant: false, indexInvalidValues.length: 0, isInSameFamily: false, `ip` is not a member of any families | ||
| eventCategoryWithWIldcard, // `wildcard` and `keyword` |
There was a problem hiding this comment.
super super nit: the I is accidentally capitalized I think WIldcard => Wildcard
michaelolo24
approved these changes
Oct 2, 2023
This PR introduces a new `Same family` category to the [Data Quality dashboard](https://www.elastic.co/guide/en/security/current/data-quality-dash.html). Fields with the `same family` tag that were previously counted in the `Incompatible fields` category are now counted in the new `Same family` category, per the annotated screenshot below:  _Above - Left: previously, fields with the `same family` tag were counted as `Incompatible fields`, Right: in this PR, those fields are counted in the new `Same family` category_ The annotations on the _Right_ side of the screenshot above highlight (in this example): - The total `Incompatible fields` count was reduced - Some patterns, like `auditbeat-*` have significant reductions - The `Incompatible fields` count was reduced by one field - The new `Same family` category has one field - The `agent.type` field moved from the `Incompatible fields` category to the `Same family` category ## Details ### The new `Same family` category Fields with mappings in the same [family](https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html) have exactly the same search behavior as the type specified by ECS, but may have different space usage or performance characteristics. The color of the `Same family` category is the same as the `Custom fields` category in badges and charts, per the screenshot below:  _Above: The `Same family` tab's badge and chart legend color is the same as the `Custom fields` category_ ### The new `Same family` tab This PR introduces a new `Same family` tab, as shown in the screenshot below:  _Above: The new `Same family` tab is selected_ In the screenshot above: - The callout includes a description of fields in the same family (moved from the `Incompatible fields` tab) - The `constant_keyword` text, yellow in previous versions (when it appered in the `Incompatible fields` tab), is blue - Only one action, `Copy to clipboard` is available in the `Same family` tab. The remaining text in this _Details_ section is the markdown copied to the clipboard for the example above: ### auditbeat-custom-index-1 | Result | Index | Docs | Incompatible fields | ILM Phase | Size | |--------|-------|------|---------------------|-----------|------| | ❌ | auditbeat-custom-index-1 | 2 (0.0%) | 3 | `unmanaged` | 13.1KB | ### **Incompatible fields** `3` **Same family** `1` **Custom fields** `4` **ECS compliant fields** `2` **All fields** `10` #### 1 Same family field mapping This field is defined by the Elastic Common Schema (ECS), version 8.6.1, but its mapping type doesn't exactly match. Fields with mappings in the same family have exactly the same search behavior as the type specified by ECS, but may have different space usage or performance characteristics. #### Same family field mappings - auditbeat-custom-index-1 | Field | ECS mapping type (expected) | Index mapping type (actual) | |-------|-----------------------------|-----------------------------| | agent.type | `keyword` | `constant_keyword` `same family` | ## Desk testing 1) Navigate to `Dev Tools` > `Console` 2) Execute the queries below: <details> <summary>Queries to create the `auditbeat-custom-index-1` example in this PR description</summary> ``` DELETE auditbeat-custom-index-1 PUT auditbeat-custom-index-1 PUT auditbeat-custom-index-1/_mapping { "properties": { "@timestamp": { "type": "date" }, "agent.type": { "type": "constant_keyword" }, "event.category": { "type": "constant_keyword" } } } POST auditbeat-custom-index-1/_doc { "@timestamp": "2023-02-06T09:41:49.668Z", "host": { "name": "foo" }, "event": { "category": "an_invalid_category" }, "some.field": "this", "source": { "port": 90210, "ip": "10.1.2.3" } } POST auditbeat-custom-index-1/_doc { "@timestamp": "2023-02-06T09:42:22.123Z", "host": { "name": "bar" }, "event": { "category": "an_invalid_category" }, "some.field": "space", "source": { "port": 867, "ip": "10.9.8.7" } } POST auditbeat-custom-index-1/_doc { "@timestamp": "2023-02-06T09:43:35.456Z", "host": { "name": "baz" }, "event": { "category": "theory" }, "some.field": "for", "source": { "port": 5, "ip": "10.4.6.6" } } POST auditbeat-custom-index-1/_doc { "@timestamp": "2023-02-06T09:44:36.700Z", "host": { "name": "@baz" }, "event": { "category": "malware" }, "some.field": "rent", "source": { "port": 309, "ip": "10.1.1.1" } } ``` </details> 3) Navigate to `Security` > `Dashboards` > `Data Quality` 4) Expand the `auditbeat-custom-index-1` index **Expected results** - The sum of the category badge counts, `3 + 1 + 4 + 2`, equals the total number of fields in the `All fields` [`10`] category: - `Incompatible fields` [`3`] - `Same family` [`1`] - `Custom fields` [`4`] - `ECS compliant fields` [`2`] - The `Incompatible fields` callout title is `3 incompatible fields` - The `Incompatible fields` callout does NOT include a description of same family fields - The `Incompatible fields` tab displays two fields with incompatible mappings - `host.name` (`keyword` vs `text`) - `source.ip` (`ip` vs `text`) - The `Incompatible fields` tab displays one field with incompatible field values - `event.category` (`an_invalid_category`) 5) Click the `Summary` tab **Expected results** - The `Summary` tab is focused - The chart legend includes a `Same family` entry, with a count of `1` - The `Same family` tab's badge color is the same as the `Custom fields` category - The `Same family` chart legend color is the same as the `Custom fields` category 6) Click the `Same family` legend item **Expected results** - The `Same family` tab is focused - One field, `agent.type`, is displayed - The `constant_keyword` Index mapping type is blue - The `same family` badge is yellow 7) Click `Copy to clipboard` **Expected result** - The expected markdown is copied to the clipboard: ``` ### auditbeat-custom-index-1 | Result | Index | Docs | Incompatible fields | ILM Phase | Size | |--------|-------|------|---------------------|-----------|------| | ❌ | auditbeat-custom-index-1 | 2 (0.0%) | 3 | `unmanaged` | 12.9KB | ### **Incompatible fields** `3` **Same family** `1` **Custom fields** `4` **ECS compliant fields** `2` **All fields** `10` #### 1 Same family field mapping This field is defined by the Elastic Common Schema (ECS), version 8.6.1, but its mapping type doesn't exactly match. Fields with mappings in the same family have exactly the same search behavior as the type specified by ECS, but may have different space usage or performance characteristics. #### Same family field mappings - auditbeat-custom-index-1 | Field | ECS mapping type (expected) | Index mapping type (actual) | |-------|-----------------------------|-----------------------------| | agent.type | `keyword` | `constant_keyword` `same family` | ```
andrew-goldstein
force-pushed
the
data-quality-same-family
branch
from
60d5f45 to
e60631a
Compare
💚 Build Succeeded
Metrics [docs]Module Count
Async chunks
History
To update your PR or re-run it, just comment with: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[Security Solution] New Data Quality dashboard
Same familycategoryThis PR introduces a new
Same familycategory to the Data Quality dashboard.Fields with the
same familytag that were previously counted in theIncompatible fieldscategory are now counted in the newSame familycategory, per the annotated screenshot below:Above - Left: previously, fields with the
same familytag were counted asIncompatible fields, Right: in this PR, those fields are counted in the newSame familycategoryThe annotations on the Right side of the screenshot above highlight (in this example):
Incompatible fieldscount was reducedauditbeat-*have significant reductionsIncompatible fieldscount was reduced by one fieldSame familycategory has one fieldagent.typefield moved from theIncompatible fieldscategory to theSame familycategoryDetails
The new
Same familycategoryFields with mappings in the same family have exactly the same search behavior as the type specified by ECS, but may have different space usage or performance characteristics.
The color of the
Same familycategory is the same as theCustom fieldscategory in badges and charts, per the screenshot below:Above: The
Same familytab's badge and chart legend color is the same as theCustom fieldscategoryThe new
Same familytabThis PR introduces a new
Same familytab, as shown in the screenshot below:Above: The new
Same familytab is selectedIn the screenshot above:
Incompatible fieldstab)constant_keywordtext, yellow in previous versions (when it appered in theIncompatible fieldstab), is blueCopy to clipboardis available in theSame familytab. The remaining text in this Details section is the markdown copied to the clipboard for the example above:auditbeat-custom-index-1
unmanagedIncompatible fields
3Same family1Custom fields4ECS compliant fields2All fields101 Same family field mapping
This field is defined by the Elastic Common Schema (ECS), version 8.6.1, but its mapping type doesn't exactly match.
Fields with mappings in the same family have exactly the same search behavior as the type specified by ECS, but may have different space usage or performance characteristics.
Same family field mappings - auditbeat-custom-index-1
keywordconstant_keywordsame familyDesk testing
Navigate to
Dev Tools>ConsoleExecute the queries below:
Queries to create the `auditbeat-custom-index-1` example in this PR description
Navigate to
Security>Dashboards>Data QualityExpand the
auditbeat-custom-index-1indexExpected results
3 + 1 + 4 + 2, equals the total number of fields in theAll fields[10] category:Incompatible fields[3]Same family[1]Custom fields[4]ECS compliant fields[2]Incompatible fieldscallout title is3 incompatible fieldsIncompatible fieldscallout does NOT include a description of same family fieldsIncompatible fieldstab displays two fields with incompatible mappingshost.name(keywordvstext)source.ip(ipvstext)Incompatible fieldstab displays one field with incompatible field valuesevent.category(an_invalid_category)SummarytabExpected results
Summarytab is focusedSame familyentry, with a count of1Same familytab's badge color is the same as theCustom fieldscategorySame familychart legend color is the same as theCustom fieldscategorySame familylegend itemExpected results
Same familytab is focusedagent.type, is displayedconstant_keywordIndex mapping type is bluesame familybadge is yellowCopy to clipboardExpected result