
[Security Solution] update generateId function to use _seq_no and _primary_term #102395

Open
Tracked by #165878
ecezalp opened this issue Jun 16, 2021 · 3 comments
Labels:
- auto-backport (Deprecated - use backport:version if exact versions are needed)
- release_note:skip (Skip the PR/issue when compiling release notes)
- Team:Detection Engine (Security Solution Detection Engine Area)
- Team:Detections and Resp (Security Detection Response Team)
- Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
- technical debt (Improvement of the software architecture and operational architecture)

Comments

ecezalp (Contributor) commented Jun 16, 2021

generateId in x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts uses the _version value to create a hash. _version should be replaced with _seq_no and _primary_term for a more up-to-date implementation (details below).

One other thing is that I do not think the doc._version is the best usage of identifying unique document changes anymore within elastic.

In Saved Objects and other places, if we are trying to identify whether a document has changed and key off of that, it's better to use _seq_no and _primary_term.

Ref: https://www.elastic.co/guide/en/elasticsearch/reference/current/optimistic-concurrency-control.html

The caveat being we have to ensure we are passing the correct flags to return these two fields with our search results which you would have to check. You could fall back on doc._version if you do not see them being set to double check things or write an e2e test to ensure we do return them as expected as well at some point.

However, overall I think we have older deprecated patterns of using doc._version instead of using those two other fields and should prefer using those.

Let me know if that doesn't sound right.

Originally posted by @FrankHassanabad in #102106 (comment)
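As an added illustration of the change the issue asks for (example code, not Kibana's own generateId): a signal-id helper that hashes `_seq_no` and `_primary_term` when the search returned them, falls back to `_version` otherwise, and the search flag that requests those fields. The hit shape, the `ruleId` input and the sample hits are assumptions.

```typescript
import { createHash } from 'crypto';

// Minimal shape of an Elasticsearch search hit (assumed for this example);
// the fields are optional because they are only returned when requested.
interface SearchHit {
  _index: string;
  _id: string;
  _version?: number;
  _seq_no?: number;
  _primary_term?: number;
}

// Search request options that make Elasticsearch return _seq_no,
// _primary_term and _version on each hit (the flags the issue mentions).
const SEARCH_FLAGS = { seq_no_primary_term: true, version: true };

// Build the string that identifies one revision of one source document.
// Prefers _seq_no + _primary_term, falls back to _version when the search
// did not return them, and refuses to produce an unstable key otherwise.
function identityKey(hit: SearchHit, ruleId: string): string {
  const base = `${hit._index}|${hit._id}|${ruleId}`;
  if (hit._seq_no !== undefined && hit._primary_term !== undefined) {
    return `${base}|seq_no:${hit._seq_no}|primary_term:${hit._primary_term}`;
  }
  if (hit._version !== undefined) {
    return `${base}|version:${hit._version}`;
  }
  throw new Error(`hit ${hit._index}/${hit._id} has neither _seq_no/_primary_term nor _version`);
}

// Deterministic signal id: SHA-256 of the identity key, hex encoded.
// The same source document revision always maps to the same id, so a
// rule that re-reads the document does not create a duplicate signal.
function generateId(hit: SearchHit, ruleId: string): string {
  return createHash('sha256').update(identityKey(hit, ruleId)).digest('hex');
}

// Constructed sample hits (not real data): one with the new fields,
// one as a search that did not set the flags would return it.
const sampleHit: SearchHit = { _index: 'logs-1', _id: 'abc', _version: 3, _seq_no: 7, _primary_term: 2 };
const legacyHit: SearchHit = { _index: 'logs-1', _id: 'abc', _version: 3 };

console.log(SEARCH_FLAGS, generateId(sampleHit, 'rule-1'), generateId(legacyHit, 'rule-1'));
```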

@botelastic botelastic bot added the needs-team Issues missing a team label label Jun 16, 2021
@ecezalp ecezalp changed the title [Security Solution] update generateId method to use __seq_no and _primary_term [Security Solution] update generateId function to use __seq_no and _primary_term Jun 16, 2021
@ecezalp ecezalp self-assigned this Jun 16, 2021
@ecezalp ecezalp added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.14.0 and removed needs-team Issues missing a team label labels Jun 16, 2021
elasticmachine (Contributor) commented:

Pinging @elastic/security-solution (Team: SecuritySolution)

@ecezalp ecezalp added auto-backport Deprecated - use backport:version if exact versions are needed release_note:skip Skip the PR/issue when compiling release notes labels Jun 16, 2021
@ecezalp ecezalp changed the title [Security Solution] update generateId function to use __seq_no and _primary_term [Security Solution] update generateId function to use _seq_no and _primary_term Jun 16, 2021
@ecezalp ecezalp removed the v7.14.0 label Jul 30, 2021
@peluja1012 peluja1012 added Team:Detection Alerts Security Detection Alerts Area Team technical debt Improvement of the software architecture and operational architecture labels Oct 22, 2021
ecezalp (Contributor, Author) commented Nov 19, 2021

#119214

@MindyRS MindyRS added the Team:Detections and Resp Security Detection Response Team label Feb 23, 2022
elasticmachine (Contributor) commented:

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area and removed Team:Detection Alerts Security Detection Alerts Area Team labels May 13, 2023