
Create documents based on pre-built rules in Kibana #125

Closed
charlie-pichette opened this issue Jan 18, 2023 · 4 comments · Fixed by #141

Comments

charlie-pichette (Collaborator) opened this issue Jan 18, 2023

There have been requests from a couple teams to have Geneve generate documents that will trigger alerts based on the pre-built rules in Kibana. This would enable developers to create documents that will result in a specific alert being created, or multiple alerts being created.

This enhancement would assist the development teams in designing, building and testing new features.

spong (Member) commented Feb 6, 2023

Note: in 8.7 we've removed the filesystem rules bundled with Kibana in favor of a bundled fleet package. The flow stays pretty much the same (first now we install the package which then loads the security_rule assets, and finally install prebuilt rules in the given space), but please see elastic/kibana#139926 for all the details.

If necessary, the version of the security_detection_rules package can be verified in the fleet_packages.json in kibana root (or via the Fleet API once installed). Then installed via the /api/detection_engine/rules/prepackaged route (API Docs), and fetched via the /api/detection_engine/rules route (API Docs).

If wanting to fetch via Rule Name instead of id or rule_id, you can use the /api/detection_engine/rules/_find route (API Docs) that the Rules Table in the Security app uses.

Sample route to return the Potential Shell via Web Server rule would be:

http://localhost:5601/kbn/api/detection_engine/rules/_find?filter=(alert.attributes.name%3A%20%22%5C%22Potential%20Shell%20via%20Web%20Server%22%20)

And of course, can always fetch the latest directly from the detection-rules repo as well.

Please reach out if you have any question, happy to help! 🙂
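The install-then-find flow spong describes above, written out as an added example in Python (Geneve's own language); it is not code from Geneve or from this issue. It assumes a reachable Kibana base URL such as `http://localhost:5601/kbn`, basic-auth credentials, and the `kbn-xsrf` header Kibana requires; the sample `_find` response is constructed and its ids are placeholders.

```python
import base64
import json
from urllib.parse import parse_qs, quote, urlencode, urlparse
from urllib.request import Request, urlopen

PREPACKAGED = "/api/detection_engine/rules/prepackaged"
FIND = "/api/detection_engine/rules/_find"

# Constructed sample of a _find response; the ids are placeholders, not real values.
SAMPLE_FIND_RESPONSE = json.dumps({"page": 1, "perPage": 1, "total": 1, "data": [
    {"id": "00000000-0000-4000-8000-000000000000", "rule_id": "placeholder-rule-id",
     "name": "Potential Shell via Web Server", "enabled": False}]})

def build_find_url(kibana_url: str, rule_name: str) -> str:
    """_find URL filtering on an exact rule name: KQL string, then URL-encoded."""
    escaped = rule_name.replace("\\", "\\\\").replace('"', '\\"')  # keep the KQL literal valid
    kql = f'alert.attributes.name: "{escaped}"'
    query = urlencode({"filter": kql, "per_page": 1}, quote_via=quote)
    return f"{kibana_url.rstrip('/')}{FIND}?{query}"

def decode_filter(url: str) -> str:
    """Recover the KQL filter from a built URL (useful when checking the encoding)."""
    return parse_qs(urlparse(url).query)["filter"][0]

def parse_find_response(body: str) -> list[dict]:
    """Keep only the fields a document generator needs; [] when nothing matched,
    e.g. because the prebuilt rules are not yet installed in this space."""
    return [{k: r.get(k) for k in ("id", "rule_id", "name", "enabled")}
            for r in json.loads(body).get("data", [])]

def _call(url: str, user: str, password: str, method: str = "GET") -> str:
    req = Request(url, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("kbn-xsrf", "true")  # Kibana refuses state-changing calls without it
    with urlopen(req) as resp:
        return resp.read().decode()

def install_prebuilt_rules(kibana_url: str, user: str, password: str) -> dict:
    """PUT the prepackaged route: installs (or updates) the prebuilt rules in the space."""
    return json.loads(_call(kibana_url.rstrip("/") + PREPACKAGED, user, password, "PUT"))

def find_rule(kibana_url: str, user: str, password: str, rule_name: str) -> dict:
    rules = parse_find_response(_call(build_find_url(kibana_url, rule_name), user, password))
    if not rules:
        raise LookupError(f"{rule_name!r} not found; install the prebuilt rules first")
    return rules[0]
```

Calling `install_prebuilt_rules` before `find_rule` covers the case cavokz raises below, where a fresh space has no prebuilt rules loaded yet.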

cavokz (Collaborator) commented Feb 7, 2023

Thanks for the heads up, my idea was to use the Kibana API to fetch the rules.

cavokz (Collaborator) commented Feb 27, 2023

@spong, @charlie-pichette I see that before the above API can find any rule the prebuilt ones need to be loaded from UI. Is it acceptable for Geneve to not be able to load any rule before they are loaded by the user?

spong (Member) commented Feb 27, 2023

@cavokz - there's no need to hit the UI to install the prebuilt rules, they can be installed via the API for any given space using the /api/detection_engine/rules/prepackaged route (docs).

> Is it acceptable for Geneve to not be able to load any rule before they are loaded by the user?

That said, I think it is acceptable for Geneve to not have to load the prebuilt rules. A nice to have maybe, but seems fine to rely on the user to install them within Kibana.
