@CAWilson94 CAWilson94 commented Oct 30, 2025

Playground for Threat Hunting Hypothesis Definitions Initialisation and Reconciliation — testing Saved Object creation, schema setup, client wiring along with init and reconciliation of hypothesis definitions list to surface questions early.

What it does currently:

  • On Kibana startup, if the feature flag is enabled, call hypothesis definitions init.
  • Pull in the hard-coded list of definitions and, for each of these, store it down into saved objects.
  • On each startup, runs upsert and does deletion when the version is bumped. ✅
  • Logs a single message with created, deleted, updated.
  • Runs recon - renamed to updateThreatHuntingHypothesisDefinitions, moved to scheduleEntityAnalyticsMigration 👍
  • FTR test - validates that init saves hypotheses to saved objects.

🚧 In progress:

  1. Fresh round of smoke testing - updated to use scheduleEntityAnalyticsMigration but have NOT tested here.
  2. FTR Tests - recon, validate deletion and upgrade version numbers.

Notes:

  • Space awareness: using the agnostic / global namespace for hard-coded hypotheses.
  • AuditLogger/AuditService - the previous one from pluginSetup/Start is deprecated, so using Core AuditService, with the ML plugin's usage as reference.
    • EntityAnalyticsMigrationsParams uses the old auditLogger type 🎏

How To Test Locally

These steps worked before the move to calling from scheduleEntityAnalyticsMigration; hopefully 🤞 they still do:

  1. Start Kibana with the entityThreatHuntingEnabled feature flag enabled.
  2. On first run, expect 2 saved objects of type 'threat-hunting-hypothesis' to be created:

     GET .kibana_security_solution*/_search
     {
       "size": 50,
       "query": {
         "term": { "type": "threat-hunting-hypothesis" }
       }
     }

  3. Bump the HYPOTHESES_VERSION to 2, check dev tools again; the version on all saved objects should bump to 2 and the log message should specify 2 updated.
  4. Delete any of the hypothesis definitions from getHypothesisDefinitions in x-pack/solutions/security/plugins/security_solution/server/lib/entity_analytics/hypothesis_threat_hunting/lib/hypothesis_definitions.ts, then bump the version again - expect 1 updated, 1 deleted, 0 created in the log. Only one saved object of the threat-hunting-hypothesis type should now exist.

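The upsert/delete-on-version-bump behaviour described in the PR body and exercised by the local test steps above, written out as a pure reconciliation function. This is an added illustration, not code from the PR or from Kibana; the type names, `reconcileHypotheses` and `summarize` are assumptions, and the saved-object client is left out so the decision logic can run on plain arrays.

```typescript
// Added example (not Kibana code): reconcile a hard-coded hypothesis list
// against what is already stored, keyed by id and a list-wide version number.
interface HypothesisDefinition {
  id: string;
  name: string;
}

// Assumed shape of the stored saved-object attributes (hypothetical).
interface StoredHypothesis extends HypothesisDefinition {
  version: number;
}

interface ReconcileResult {
  created: string[];
  updated: string[];
  deleted: string[];
}

// Every definition is upserted at `version`; stored objects that are no
// longer in the hard-coded list are deleted. Objects already at `version`
// (or newer) are left untouched, so a restart without a bump is a no-op.
function reconcileHypotheses(
  definitions: HypothesisDefinition[],
  stored: StoredHypothesis[],
  version: number
): { next: StoredHypothesis[]; result: ReconcileResult } {
  const byId = new Map<string, StoredHypothesis>();
  for (const s of stored) byId.set(s.id, s);

  const result: ReconcileResult = { created: [], updated: [], deleted: [] };
  const next: StoredHypothesis[] = [];

  for (const def of definitions) {
    const existing = byId.get(def.id);
    if (!existing) {
      result.created.push(def.id);
    } else if (existing.version >= version) {
      next.push(existing); // already current: no write needed
      continue;
    } else {
      result.updated.push(def.id);
    }
    next.push({ ...def, version });
  }

  const wanted = new Set(definitions.map((d) => d.id));
  for (const s of stored) {
    if (!wanted.has(s.id)) result.deleted.push(s.id);
  }
  return { next, result };
}

// The single startup log line with created/updated/deleted counts.
function summarize(r: ReconcileResult): string {
  return `hypotheses reconciled: created=${r.created.length} updated=${r.updated.length} deleted=${r.deleted.length}`;
}
```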

@CAWilson94 CAWilson94 added the Team:Entity Analytics Security Entity Analytics Team label Nov 5, 2025
@CAWilson94 (Contributor, Author) commented on the audit logger snippet:

    : AUDIT_TYPE.CHANGE;

    const category = AUDIT_CATEGORY.DATABASE;

@tiansivive @machadoum I 100% copy pasta'd this logger from both your efforts (thank you 🙏) - QQ on the categories --> for saved_object_create (specified in docs here) is this good enough or is there something else I need to add?

@CAWilson94 CAWilson94 marked this pull request as ready for review November 10, 2025 07:29
@CAWilson94 CAWilson94 requested review from a team as code owners November 10, 2025 07:29
@CAWilson94 CAWilson94 requested a review from hop-dev November 10, 2025 07:29
@elasticmachine (Contributor) commented:

Pinging @elastic/security-entity-analytics (Team:Entity Analytics)

@CAWilson94 CAWilson94 added the backport:skip This PR does not require backporting label Nov 10, 2025
@CAWilson94 CAWilson94 added the release_note:skip Skip the PR/issue when compiling release notes label Nov 10, 2025
@elastic-vault-github-plugin-prod elastic-vault-github-plugin-prod bot requested a review from a team as a code owner November 10, 2025 07:44
@CAWilson94 CAWilson94 changed the title Threat Hunting Hypotheses Boilerplate && Playground Prebuilt hypotheses initialisation and reconciliation Nov 10, 2025
@CAWilson94 CAWilson94 changed the title Prebuilt hypotheses initialisation and reconciliation [Entity Analytics][Hypotheses] Prebuilt hypotheses initialisation and reconciliation Nov 10, 2025
@elasticmachine (Contributor) commented Nov 10, 2025

💔 Build Failed

@jbudz (Member) left a comment:


.buildkite/ftr_security_stateful_configs.yml LGTM

@CAWilson94 CAWilson94 self-assigned this Nov 17, 2025
@CAWilson94 CAWilson94 closed this Nov 18, 2025