[Entity Analytics][Watchlists] Add entity source management API #253987

Open

tiansivive wants to merge 7 commits into elastic:main from tiansivive:siem/ea/watchlists/entity-source-api

Conversation


@tiansivive tiansivive commented Feb 19, 2026

Summary

CRUD API for entity source management per watchlist, ported over from privmon.

Note that the saved object client and related details have not been ported. We're still directly importing code from privmon.

This API makes use of the Kibana Saved Object references feature to link entity sources to watchlists.

How to test

  1. Create a watchlist:

     POST kbn:/api/entity_analytics/watchlists
     {
         "name": "my-fst-wl",
         "description": "A",
         "riskModifier": 1.25,
         "managed": true
     }

  2. Note the id field in the response.

  3. Add a source via:

     POST kbn:/api/entity_analytics/watchlists/<watchlist_id>/entity_source
     {
         "type": "index",
         "name": "test-source",
         "indexPattern": "my-test-index", // you don't need to create an index to test this API
         "enabled": true
     }

  4. Confirm the watchlist and source are linked with:

     GET kbn:/api/entity_analytics/watchlists/list

The response should list watchlists and their related entity sources.

@tiansivive tiansivive force-pushed the siem/ea/watchlists/entity-source-api branch from 77a5e6e to 5d6f6f3 February 23, 2026 14:01
@tiansivive tiansivive force-pushed the siem/ea/watchlists/entity-source-api branch from 5d6f6f3 to 3e0cbd1 February 23, 2026 14:31
@tiansivive tiansivive changed the title from "Siem/ea/watchlists/entity source api" to "[Entity Analytics][Watchlists] Add entity source management API" Feb 25, 2026
@tiansivive tiansivive marked this pull request as ready for review February 25, 2026 14:12
@tiansivive tiansivive requested a review from a team as a code owner February 25, 2026 14:12
@tiansivive tiansivive added labels Theme: entity_analytics, Feature:Entity Analytics (Security Solution Entity Analytics features) and Team:Entity Analytics (Security Entity Analytics Team) Feb 27, 2026
@elasticmachine

Pinging @elastic/security-entity-analytics (Team:Entity Analytics)

@tiansivive tiansivive requested a review from a team as a code owner March 3, 2026 12:41
@elastic-vault-github-plugin-prod elastic-vault-github-plugin-prod bot requested a review from a team as a code owner March 3, 2026 13:43

@florent-leborgne florent-leborgne left a comment

LGTM for docs


@CAWilson94 CAWilson94 left a comment

Desk tested, working as described! 🚀

@elasticmachine

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] Jest Tests #4 / discover responsive sidebar should have loading indicators during fields existence loading

Metrics

Module Count (fewer modules leads to a faster build time)

  id                before   after    diff
  securitySolution  9107     9114     +7

Async chunks (total size of all lazy-loaded chunks that will be downloaded as the user navigates the app)

  id                before   after    diff
  securitySolution  11.2MB   11.2MB   +1.5KB

@hop-dev hop-dev added labels backport:skip (This PR does not require backporting) and release_note:skip (Skip the PR/issue when compiling release notes) Mar 6, 2026

@hop-dev hop-dev left a comment

We need to gate these behind a feature flag or the entity store v2 UI setting, and we will need to mention that in the API docs too.

const allSources = await client.list(request.query);
const body = {
...allSources,
sources: allSources.sources.filter((source) => linkedSourceIds.includes(source.id)),

Why do we do this filtering in TypeScript? I think we need to add this to the SO filter, otherwise it breaks pagination.

const client = secSol.getMonitoringEntitySourceDataClient();

// Get the source first to check if it's managed
const source = await client.get(request.params.id);

We take the watchlist_id in the URL but then proceed to only use the source ID. Should we be validating that the source belongs to the specified watchlist? Or changing the URL scheme?
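The two review points above (filter in the saved-object query rather than after paging, and check that the source in the URL actually belongs to the watchlist in the URL) in one added TypeScript example; this is not code from the PR or from Kibana, and the object shapes and the reference type name "entity-source" are assumptions:

```typescript
// Added example, not code from the PR or Kibana. The object shapes and the
// reference type name "entity-source" are assumptions for illustration.
interface SavedObjectReference { id: string; type: string; name: string }
interface WatchlistSO { id: string; references: SavedObjectReference[] }
interface EntitySource { id: string; name: string }
const ENTITY_SOURCE_REF_TYPE = 'entity-source'; // assumed reference type

const isEntitySourceRef = (ref: SavedObjectReference): boolean =>
  ref.type === ENTITY_SOURCE_REF_TYPE;

// IDs of the sources a watchlist links to, read from its saved-object references
const extractEntitySourceIds = (refs: SavedObjectReference[]): string[] =>
  refs.filter(isEntitySourceRef).map((ref) => ref.id);

// Ownership check for /watchlists/<watchlist_id>/entity_source/<source_id>:
// the source must be referenced by *that* watchlist, not merely exist anywhere.
// The route layer would map anything other than 'ok' to a 404.
function resolveLinkedSource(
  watchlist: WatchlistSO | undefined,
  sourceId: string
): 'ok' | 'watchlist_not_found' | 'not_linked' {
  if (!watchlist) return 'watchlist_not_found';
  const linked = extractEntitySourceIds(watchlist.references);
  return linked.indexOf(sourceId) !== -1 ? 'ok' : 'not_linked';
}

// Listing: restrict to linked sources *before* paging, so `total` and the page
// boundaries describe the linked set. Filtering an already-fetched page would
// shrink pages and report the unfiltered total.
function listLinkedSources(
  watchlist: WatchlistSO,
  allSources: EntitySource[],
  page: number,
  perPage: number
): { total: number; page: number; perPage: number; sources: EntitySource[] } {
  const linked = extractEntitySourceIds(watchlist.references);
  const filtered = allSources.filter((s) => linked.indexOf(s.id) !== -1);
  const start = (page - 1) * perPage;
  return { total: filtered.length, page, perPage, sources: filtered.slice(start, start + perPage) };
}

// Constructed sample data: one watchlist referencing two of four sources,
// plus an unrelated index-pattern reference that must be ignored.
const sampleWatchlist: WatchlistSO = {
  id: 'wl-1',
  references: [
    { id: 'src-a', type: 'entity-source', name: 'source-a' },
    { id: 'idx-1', type: 'index-pattern', name: 'backing-index' },
    { id: 'src-c', type: 'entity-source', name: 'source-c' },
  ],
};
const sampleSources: EntitySource[] = ['src-a', 'src-b', 'src-c', 'src-d'].map((id) => ({ id, name: id }));
```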

const extractEntitySourceIds = (references: SavedObjectReference[]): string[] =>
references.filter(isEntitySourceRef).map((ref) => ref.id);

// TODO: Update WatchlistObject OpenAPI schema to include entitySourceIds

TODO When?

@tiansivive tiansivive (author) replied

I actually think this is outdated, I already updated it.

Labels

  • backport:skip (This PR does not require backporting)
  • Feature:Entity Analytics (Security Solution Entity Analytics features)
  • release_note:skip (Skip the PR/issue when compiling release notes)
  • Team:Entity Analytics (Security Entity Analytics Team)
  • Theme: entity_analytics
  • v9.4.0
