Using logsdb index mode with Elastic Security
editUsing logsdb index mode with Elastic Security
editTo use the synthetic _source
feature, you must have the appropriate subscription. Refer to the subscription page for Elastic Cloud and Elastic Stack/self-managed for the breakdown of available features and their associated subscription tiers.
This topic explains the impact of using logsdb index mode with Elastic Security.
With logsdb index mode, the original _source
field is not stored in the index but can be reconstructed using synthetic _source
.
When the _source
is reconstructed, modifications are possible. Therefore, there could be a mismatch between users' expectations and how fields are formatted.
Continue reading to find out how this affects specific Elastic Security components.
Logsdb is not recommended for Elastic Security at this time. Users must fully understand and accept the documented changes to detection alert documents (see below), and ensure their deployment has excess hot data tier CPU resource capacity before enabling logsdb mode, as logsdb mode requires additional CPU resources during the ingest/indexing process. Enabling logsdb without sufficient hot data tier CPU may result in data ingestion backups and/or security detection rule timeouts and errors.
Alerts
editWhen alerts are generated, the _source
event is copied into the alert to retain the original data. When the logsdb index mode is applied, the _source
event stored in the alert is reconstructed using synthetic _source
.
If you’re switching to use logsdb index mode, the _source
field stored in the alert might look different in certain situations:
- Arrays can be reconstructed differently or deduplicated
- Field names
-
geo_point
data fields (refer to Representation of ranges and Reduced precision ofgeo_point
values for more information)
Alerts generated by the following rule types could be affected:
- Custom query
- Event correlation (non-sequence only)
- Non-aggregate rule types (for example, ES|QL rules that use non-aggregating queries)
Alerts that are generated by threshold, machine learning, and event correlation sequence rules are not affected since they do not contain copies of the original source.
Rule actions
editWhile we do not recommend using _source
for actions, in cases where the action relies on the _source
, the same limitations and changes apply.
If you send alert notifications by enabling actions to the external systems that have workflows or automations based on fields formatted from the original source, they may be affected. In particular, this can happen when the fields used are arrays of objects.
We recommend checking and adjusting the rule actions using _source
before switching to logsdb index mode.
Runtime fields
editRuntime fields that reference _source
may be affected. Some runtime fields might not work and need to be adjusted. For example, if an event was indexed with the value of agent.name
in the dot-notation form, it will be returned in the nested form and might not work.
The following is an example of accessing _source
that works with the logsdb index mode enabled:
"source": """ emit(params._source.agent.name + "_____" + doc['agent.name'].value ); """ "source": """ emit(params._source['agent']['name'] + "_____" + doc['agent.name'].value ); """ "source": """ emit(field('agent.name').get(null) + "_____" + doc['agent.name'].value ); """ "source": """ emit($('agent.name', null) + "_____" + doc['agent.name'].value ); """
The following will not work with synthetic source (logsdb index mode enabled):
"source": """ emit(params._source['agent.name'] + "_____" + doc['agent.name'].value ); """