@Mikaayenson Mikaayenson commented Aug 29, 2025

Pull Request

Issue link(s):

Summary - What I changed

  • Adds support for 5 group_by threshold rule fields.
  • Minor bump per guide

How To Test

  • I was going to add an addition to our custom-consolidated-rules.ndjson test file, but this change is predicated on the max_stack_schema metadata field.
  • Test with the sample file provided:
    • No min stack provided with repo package set to 9.1
    • Min stack set to 9.2 with different field counts (3, 5, >5)
    • Min stack set < 9.2 to ensure it still validates properly with different field counts (2, 3, 4)
Sample TOML File

[metadata]
creation_date = "2025/08/29"
maturity = "production"
updated_date = "2025/08/29"
min_stack_version = "9.2.0"
min_stack_comments = "Breaking change at 9.2.0 for the group_by expanded to max 5 for threshold rules."

[rule]
actions = []
author = ["Elastic"]
description = "Test group by threshold rules for up to 5 fields."
filters = []
from = "now-6m"
index = [
    "apm-*-transaction*",
    "auditbeat-*",
    "endgame-*",
    "filebeat-*",
    "logs-*",
    "packetbeat-*",
    "traces-apm*",
    "winlogbeat-*",
    "-*elastic-cloud-logs-*",
]
interval = "5m"
language = "kuery"
max_signals = 100
name = "Threshold Group By 5"
note = "None"
risk_score = 21
rule_id = "d4bcc33c-46bc-4a14-bade-7fc6892feec4"
setup = "None"
severity = "low"
to = "now"
type = "threshold"

query = '''
agent.id : *
'''

[rule.meta]
kibana_siem_app_url = "https://stryker.kb.europe-west1.gcp.cloud.es.io/app/security"

[rule.threshold]
cardinality = []
field = ["process.name", "process.args", "Effective_process.pid", "user.name", "host.name", "file.path"]
value = 200

[rule.alert_suppression.duration]
unit = "m"
value = 5

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

@Mikaayenson Mikaayenson self-assigned this Aug 29, 2025
@Mikaayenson Mikaayenson added enhancement New feature or request schema labels Aug 29, 2025
@Mikaayenson Mikaayenson requested a review from traut as a code owner August 29, 2025 16:39
@botelastic botelastic bot added the python Internal python for the repository label Aug 29, 2025

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR (patch, minor, major).


@Mikaayenson Mikaayenson added minor and removed patch labels Aug 29, 2025

@eric-forte-elastic eric-forte-elastic left a comment


🟢 Manual review, looks good to me! 👍

Testing

[screenshot attachment: threshold_test_siz]


@denar50 denar50 left a comment


Code review only. LGTM!

@Mikaayenson Mikaayenson added patch and removed minor labels Sep 3, 2025
@Mikaayenson Mikaayenson merged commit 3c1de72 into main Sep 4, 2025
15 checks passed
@Mikaayenson Mikaayenson deleted the increase-group-by-field-limit-for-threshold-rules branch September 4, 2025 14:24