Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Entity Analytics] [8.18 Only] Add deprecation warning for the legacy risk score modules #202775

Merged
merged 17 commits into from
Dec 17, 2024
Merged
Show file tree
Hide file tree
Changes from 14 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions docs/upgrade-notes.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -1505,6 +1505,44 @@ Enable X-Pack Security.

NOTE: For the complete Elastic Security solution release information, refer to {security-guide}/release-notes.html[_Elastic Security Solution Release Notes_].

[discrete]
[[breaking-201810]]
.Remove original user and host risk scoring and all associated UIs (9.0.0)
[%collapsible]
====
*Details* +
--
The original host and risk score modules have been superseded since v8.10.0 by the Risk Engine.

In 9.0.0 these modules will no longer be supported, the scores will no longer display in the UI
and all UI controls associated with managing or upgrading the legacy modules will be removed.
Additionally,
hop-dev marked this conversation as resolved.
Show resolved Hide resolved
--

*Impact* +
As well as the legacy risk scores not being shown in the UI, alerts will no longer have the legacy risk score added to them in the `<host|user>.risk.calculated_level`
and `<host|user>.risk.calculated_score_norm` fields.

The legacy risk scores are stored in the `ml_host_risk_score_<space_id>` and `ml_user_risk_score_<space_id>`
indices, these indices will not be deleted if the user chooses not to upgrade.

Legacy risk scores are generated by the following transforms:

- `ml_hostriskscore_pivot_transform_<space_id>`
- `ml_hostriskscore_latest_transform_<space_id>`
- `ml_userriskscore_pivot_transform_<space_id>`
- `ml_userriskscore_latest_transform_<space_id>`

If a user does not upgrade to use the Risk Engine, these transforms will continue to run in 9.0.0, but it will be up to the user to manage them.

*Action* +

Upgrade to use the Risk Engine in all spaces which use the legacy risk scoring modules:

- In the main menu, go to Security > Manage > Entity Risk Score.
hop-dev marked this conversation as resolved.
Show resolved Hide resolved
- If the original user and host risk score modules are enabled, you'll see a button to "Start update". Click the button, and follow the instructions.
====

[discrete]
[[breaking-161806]]
.[Elastic Defend] Converted filterQuery to KQL.(8.11)
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -504,6 +504,7 @@ export const getDocLinks = ({ kibanaBranch, buildFlavor }: GetDocLinkOptions): D
riskScorePrerequisites: `${SECURITY_SOLUTION_DOCS}ers-requirements.html`,
entityRiskScoring: `${SECURITY_SOLUTION_DOCS}entity-risk-scoring.html`,
assetCriticality: `${SECURITY_SOLUTION_DOCS}asset-criticality.html`,
legacyRiskScoreModuleDeprecation: `${KIBANA_DOCS}breaking-changes-summary.html#breaking-201810`,
},
detectionEngineOverview: `${SECURITY_SOLUTION_DOCS}detection-engine-overview.html`,
aiAssistant: `${SECURITY_SOLUTION_DOCS}security-assistant.html`,
Expand Down
1 change: 1 addition & 0 deletions src/platform/packages/shared/kbn-doc-links/src/types.ts
Original file line number Diff line number Diff line change
Expand Up @@ -372,6 +372,7 @@ export interface DocLinks {
readonly riskScorePrerequisites: string;
readonly entityRiskScoring: string;
readonly assetCriticality: string;
readonly legacyRiskScoreModuleDeprecation: string;
};
readonly detectionEngineOverview: string;
readonly signalsMigrationApi: string;
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

import { i18n } from '@kbn/i18n';
import type {
DeprecationsServiceSetup,
DocLinksServiceSetup,
IScopedClusterClient,
} from '@kbn/core/server';

interface Dependencies {
deprecationsService: DeprecationsServiceSetup;
docLinks: DocLinksServiceSetup;
}

/*
* Deprecations are not space aware, so we look for the presence of the legacy risk engine in at least one space.
* This is done by checking if at least one legacy transform is present.
* Legacy transforms are deleted as part of the upgrade process, so if they are present, the user has not yet upgraded.
*/
const isModuleInAtLeastOneSpace = async ({
esClient,
}: {
esClient: IScopedClusterClient;
}): Promise<boolean> => {
// space is the last part of the transform id
const transformPrefixes = [
'ml_hostriskscore_pivot_transform_*',
'ml_hostriskscore_latest_transform_*',
'ml_userriskscore_pivot_transform_*',
'ml_userriskscore_latest_transform_*',
];

const { transforms } = await esClient.asInternalUser.transform.getTransform({
transform_id: transformPrefixes,
size: 1,
});

return transforms.length > 0;
};

export const registerRiskScoreModulesDeprecation = ({
deprecationsService,
docLinks,
}: Dependencies) => {
deprecationsService.registerDeprecations({
getDeprecations: async ({ esClient }) => {
if (!(await isModuleInAtLeastOneSpace({ esClient }))) {
return [];
}

return [
{
documentationUrl:
docLinks.links.securitySolution.entityAnalytics.legacyRiskScoreModuleDeprecation,
title: i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.title', {
defaultMessage: 'The original user and host risk score modules are deprecated.',
}),
message: i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.message', {
defaultMessage: `We have detected that you have the original user and host risk score modules installed in at least one space. These modules are deprecated, and your risk score data will not be displayed after you upgrade (your data will not be deleted). Please migrate to the latest risk engine in each space before upgrading.`,
}),
level: 'warning',
deprecationType: 'feature',
correctiveActions: {
manualSteps: [
i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.manualStep1', {
defaultMessage: 'In the main menu, go to Security > Manage > Entity Risk Score.',
}),
i18n.translate('xpack.securitySolution.deprecations.riskScoreModules.manualStep3', {
defaultMessage:
'If the original user and host risk score modules are enabled, you\'ll see a button to "Start update". Click the button, and follow the instructions.',
}),
],
},
},
];
},
});
};
6 changes: 6 additions & 0 deletions x-pack/plugins/security_solution/server/plugin.ts
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,7 @@ import { turnOffAgentPolicyFeatures } from './endpoint/migrations/turn_off_agent
import { getCriblPackagePolicyPostCreateOrUpdateCallback } from './security_integrations';
import { scheduleEntityAnalyticsMigration } from './lib/entity_analytics/migrations';
import { SiemMigrationsService } from './lib/siem_migrations/siem_migrations_service';
import { registerRiskScoreModulesDeprecation } from './deprecations/register_risk_score_modules_deprecation';

export type { SetupPlugins, StartPlugins, PluginSetup, PluginStart } from './plugin_contract';

Expand Down Expand Up @@ -442,6 +443,11 @@ export class Plugin implements ISecuritySolutionPlugin {
this.completeExternalResponseActionsTask.setup({ taskManager: plugins.taskManager });
}

registerRiskScoreModulesDeprecation({
deprecationsService: core.deprecations,
docLinks: core.docLinks,
});

core
.getStartServices()
.then(async ([coreStart, depsStart]) => {
Expand Down