[8.x] [SecuritySolution][SIEM Migrations] Rule migrations storage (#197032) (#197603)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution][SIEM Migrations] Rule migrations storage (#197032)](#197032)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Original pull request: elastic/kibana#197032 (https://github.com/elastic/kibana/pull/197032), authored by Sergi Massaneda, merged into `main` on 2024-10-24T09:56:08Z as commit d7109d67810cedfce1ad2bf9e8fd826b20aee06b. Labels: release_note:skip, v9.0.0, Team:Threat Hunting, Team: SecuritySolution, backport:prev-minor, 8.18 candidate, v8.17.0. The original PR description follows.

[SecuritySolution][SIEM Migrations] Rule migrations storage (#197032)

## Summary

issue: elastic/security-team#10654

The persistence layer for the rule migrations from other vendors, as part of the SIEM Rule migrations effort.

### Changes

- Schemas created for `SiemRuleMigration` document entity, along with `ElasticRule` and `OriginalRule`.

- New API `/internal/siem_migrations/rules` was created:
  - `POST` -> Receives an array of (original) rules and stores them with `status: pending` to be processed. Responds with the `migration_id` that will be used to start the migration background task (implementation details here: https://github.com/elastic/security-team/issues/10850).
  - `GET` -> (to be implemented later)

- New `SiemMigrationsService` added to the `securitySolution` route context, to encapsulate all operations related to SIEM migrations (We start with _rule_ migrations, but there are more "kinds" of SIEM migrations in the pipeline: _dashboards_, _saved queries_...). It contains:
  - `SiemRuleMigrationsService` to encapsulate all operations related to SIEM rule migrations.
  - `RuleMigrationsDataStream` class to manage the `.kibana.siem-rule-migrations-<spaceId>` data stream operations using `DataStreamSpacesAdapter`.
  - It exposes a client with abstracted operations that are exposed to the API routes:
    - `create`: indexes an array of _SiemRuleMigration_ documents to the data stream
    - `search`: searches _SiemRuleMigration_ documents by specific terms.

> [!NOTE]
> Without `siemMigrationsEnabled` experimental flag the new API route won't be registered, and the `SiemRuleMigrationsService` _setup_ won't be called, so no index/component template will be installed to ES.

### Testing locally

Enable the flag
```
xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled']
```

<details>
 <summary>Example curl request</summary>

```
curl --location 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '[
  {
    "id": "f8c325ea-506e-4105-8ccf-da1492e90115",
    "vendor": "splunk",
    "title": "Linux Auditd Add User Account Type",
    "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.",
    "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *",
    "query_language":"spl",
    "mitre_attack_ids": [
      "T1136"
    ]
  },
  {
    "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90",
    "vendor": "splunk",
    "title": "Linux Auditd Change File Owner To Root",
    "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.",
    "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`",
    "query_language": "spl",
    "mitre_attack_ids": [
      "T1222"
    ]
  }
]'
```
</details>

The newly created documents can be retrieved using Kibana DevTools console:
```
GET .kibana.siem-rule-migrations-default/_search
```

### Screenshots

![postman_screenshot](https://github.com/user-attachments/assets/9d3852d2-48ef-4955-b621-fdba6b249c65)

---------

Co-authored-by: kibanamachine <[email protected]>
semd authored Oct 24, 2024
1 parent 45b582b commit 177854d
Showing 35 changed files with 1,293 additions and 8 deletions.
9 changes: 7 additions & 2 deletions .github/CODEOWNERS
@@ -1594,7 +1594,12 @@ x-pack/test/security_solution_api_integration/test_suites/sources @elastic/secur
/x-pack/test/security_solution_playwright @elastic/security-engineering-productivity
/x-pack/plugins/security_solution/scripts/run_cypress @MadameSheema @patrykkopycinski @maximpn @banderror

## Security Solution sub teams - Threat Hunting Investigations
## Security Solution sub teams - Threat Hunting

/x-pack/plugins/security_solution/server/lib/siem_migrations @elastic/security-threat-hunting
/x-pack/plugins/security_solution/common/siem_migrations @elastic/security-threat-hunting

## Security Solution Threat Hunting areas - Threat Hunting Investigations

/x-pack/plugins/security_solution/common/api/timeline @elastic/security-threat-hunting-investigations
/x-pack/plugins/security_solution/common/search_strategy/timeline @elastic/security-threat-hunting-investigations
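Review bot: the entry that matters most for security review here is `/x-pack/plugins/security_solution/common/siem_migrations @elastic/security-threat-hunting`, because the OpenAPI specs and generated zod schemas that decide what the new internal route accepts live under that path; giving the same team ownership of both it and `server/lib/siem_migrations` is the right split, since a change to request validation and a change to the route handler then always reach the same reviewers. One style point: the two new paths sit directly under the renamed `## Security Solution sub teams - Threat Hunting` heading while every other area in this block is introduced by a `## Security Solution Threat Hunting areas - ...` heading; a `## Security Solution Threat Hunting areas - SIEM Migrations` heading would keep the file's own pattern.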
@@ -1624,7 +1629,7 @@ x-pack/test/security_solution_cypress/cypress/tasks/expandable_flyout @elastic/

/x-pack/plugins/security_solution/server/lib/timeline @elastic/security-threat-hunting-investigations

## Security Solution sub teams - Threat Hunting Explore
## Security Solution Threat Hunting areas - Threat Hunting Explore
/x-pack/plugins/security_solution/common/api/tags @elastic/security-threat-hunting-explore
/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts @elastic/security-threat-hunting-explore
/x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram @elastic/security-threat-hunting-explore
21 changes: 17 additions & 4 deletions packages/kbn-data-stream-adapter/src/field_maps/types.ts
@@ -38,8 +38,9 @@ export interface EcsMetadata {
properties?: Record<string, { type: string }>;
}

export interface FieldMap {
[key: string]: {
export type FieldMap<T extends string = string> = Record<
T,
{
type: string;
required: boolean;
array?: boolean;
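Review bot: turning `FieldMap` from an interface with an index signature into `type FieldMap<T extends string = string> = Record<T, {...}>` is source-compatible for existing callers (the default `T = string` collapses to the old index signature), but it is a breaking change for any consumer that relied on interface declaration merging to extend `FieldMap`, and with a union `T` every member becomes a required key, so a map typed `FieldMap<'a' | 'b'>` that omits `b` no longer compiles. That is exactly the sync guarantee the second hunk's comment wants, but it deserves a sentence in the package README or a doc comment on `FieldMap` itself, which this hunk does not add.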
@@ -53,5 +54,17 @@ export interface FieldMap {
scaling_factor?: number;
dynamic?: boolean | 'strict';
properties?: Record<string, { type: string }>;
};
}
}
>;

// This utility type flattens all the keys of a schema object and its nested objects as a union type.
// Its purpose is to ensure that the FieldMap keys are always in sync with the schema object.
// It assumes all optional fields of the schema are required in the field map, they can always be omitted from the resulting type.
export type SchemaFieldMapKeys<
T extends Record<string, unknown>,
Key = keyof T
> = Key extends string
? NonNullable<T[Key]> extends Record<string, unknown>
? `${Key}` | `${Key}.${SchemaFieldMapKeys<NonNullable<T[Key]>>}`
: `${Key}`
: never;
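Review bot: `SchemaFieldMapKeys` ships without a type-level test; a small `.test.ts` exercising an optional nested object (the `NonNullable<T[Key]>` branch), an array-valued field and a plain scalar would lock in the contract the comment promises. Two caveats are worth stating in the comment itself: the recursion only descends into values assignable to `Record<string, unknown>`, so array- and `Date`-typed fields (interface types without an index signature) stop at `${Key}` rather than expanding their element keys, and deeply nested schemas can hit TypeScript's instantiation-depth limit for recursive conditional types. Also, "It assumes all optional fields of the schema are required in the field map, they can always be omitted from the resulting type" is a comma splice; "in the field map; they can still be omitted from the resulting type" reads better.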
Additional changed file (path not captured on this page):
@@ -361,6 +361,11 @@ import type {
ResolveTimelineRequestQueryInput,
ResolveTimelineResponse,
} from './timeline/resolve_timeline/resolve_timeline_route.gen';
import type {
CreateRuleMigrationRequestBodyInput,
CreateRuleMigrationResponse,
GetRuleMigrationResponse,
} from '../siem_migrations/model/api/rules/rules_migration.gen';

export interface ClientOptions {
kbnClient: KbnClient;
@@ -647,6 +652,22 @@ Migrations are initiated per index. While the process is neither destructive nor
})
.catch(catchAxiosErrorFormatAndThrow);
}
/**
* Creates a new SIEM rules migration using the original vendor rules provided
*/
async createRuleMigration(props: CreateRuleMigrationProps) {
this.log.info(`${new Date().toISOString()} Calling API CreateRuleMigration`);
return this.kbnClient
.request<CreateRuleMigrationResponse>({
path: '/internal/siem_migrations/rules',
headers: {
[ELASTIC_HTTP_VERSION_HEADER]: '1',
},
method: 'POST',
body: props.body,
})
.catch(catchAxiosErrorFormatAndThrow);
}
async createTimelines(props: CreateTimelinesProps) {
this.log.info(`${new Date().toISOString()} Calling API CreateTimelines`);
return this.kbnClient
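Review bot: the request only sets `ELASTIC_HTTP_VERSION_HEADER: '1'`, which matches the `elastic-api-version: 1` header in the PR's curl example, but that example also sends `x-elastic-internal-origin: security-solution` and this method does not; confirm that `kbnClient` adds the internal-origin header itself, otherwise calls to this internal route may be rejected once internal API restriction is enabled. Separately, `props.body` carries full vendor rule queries and descriptions, so keep the `info` log line as it is (method name only) and never extend it to log the body.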
@@ -1373,6 +1394,21 @@ finalize it.
})
.catch(catchAxiosErrorFormatAndThrow);
}
/**
* Retrieves the rule migrations stored in the system
*/
async getRuleMigration() {
this.log.info(`${new Date().toISOString()} Calling API GetRuleMigration`);
return this.kbnClient
.request<GetRuleMigrationResponse>({
path: '/internal/siem_migrations/rules',
headers: {
[ELASTIC_HTTP_VERSION_HEADER]: '1',
},
method: 'GET',
})
.catch(catchAxiosErrorFormatAndThrow);
}
async getTimeline(props: GetTimelineProps) {
this.log.info(`${new Date().toISOString()} Calling API GetTimeline`);
return this.kbnClient
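Review bot: `getRuleMigration()` takes no arguments, so it has no way to ask for a single migration, and the PR description marks the `GET` route as "to be implemented later", which makes this a typed client method against a route that is not registered yet; callers will get a not-found error until the server side lands. Either leave it out of the generated client until the route exists, or add a `migration_id` query parameter to the spec now so the generated signature does not have to change later.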
@@ -1992,6 +2028,9 @@ export interface CreateAssetCriticalityRecordProps {
export interface CreateRuleProps {
body: CreateRuleRequestBodyInput;
}
export interface CreateRuleMigrationProps {
body: CreateRuleMigrationRequestBodyInput;
}
export interface CreateTimelinesProps {
body: CreateTimelinesRequestBodyInput;
}
Additional changed file (path not captured on this page):
@@ -235,6 +235,11 @@ export const allowedExperimentalValues = Object.freeze({
* can be disabled if necessary in a given environment.
*/
entityStoreDisabled: false,

/**
* Enables the siem migrations feature
*/
siemMigrationsEnabled: false,
});

type ExperimentalConfigKeys = Array<keyof ExperimentalFeatures>;
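Review bot: the doc comment `Enables the siem migrations feature` should say what the flag actually gates, since today that is documented only in the PR body: registering the `/internal/siem_migrations` routes and running the `SiemRuleMigrationsService` setup that installs the index and component templates for `.kibana.siem-rule-migrations-<spaceId>`. Defaulting to `false` is right for an unreleased feature; note for operators that flipping it on later triggers template installation at startup, which is where mapping conflicts with an existing data stream would surface.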
Additional changed file (path not captured on this page):
@@ -0,0 +1,16 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

export const SIEM_MIGRATIONS_PATH = '/internal/siem_migrations' as const;
export const SIEM_RULE_MIGRATIONS_PATH = `${SIEM_MIGRATIONS_PATH}/rules` as const;

export enum SiemMigrationsStatus {
PENDING = 'pending',
PROCESSING = 'processing',
FINISHED = 'finished',
ERROR = 'error',
}
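Review bot: `SiemMigrationsStatus` suggests a lifecycle (`pending`, `processing`, `finished`, `error`) but nothing says which transitions are legal, who moves a document out of `pending`, or whether `error` is terminal or retryable; a short comment on the enum avoids later writers guessing. The path constants are fine: `SIEM_RULE_MIGRATIONS_PATH` is derived from `SIEM_MIGRATIONS_PATH` with a template literal under `as const`, so it keeps a literal type for route registration.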
Additional changed file (path not captured on this page):
@@ -0,0 +1,38 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

/*
* NOTICE: Do not edit this file manually.
* This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
*
* info:
* title: Common SIEM Migrations Attributes
* version: not applicable
*/

import { z } from '@kbn/zod';

/**
* The GenAI connector id to use.
*/
export type ConnectorId = z.infer<typeof ConnectorId>;
export const ConnectorId = z.string();

/**
* The LangSmith options object.
*/
export type LangSmithOptions = z.infer<typeof LangSmithOptions>;
export const LangSmithOptions = z.object({
/**
* The project name.
*/
project_name: z.string(),
/**
* The API key to use for tracing.
*/
api_key: z.string(),
});
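Review bot: `LangSmithOptions.api_key` is a credential modelled as a plain `z.string()`. That is fine for validation, but this schema lives in the shared common attributes, so any future request body that embeds it must strip the key before the `create` operation indexes request data into the migrations data stream and must keep it out of the client's `info` log lines; otherwise a tracing key ends up persisted in Elasticsearch. A comment on the field saying it is a secret would make that expectation visible to whoever wires it into a request schema.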
Additional changed file (path not captured on this page):
@@ -0,0 +1,24 @@
openapi: 3.0.3
info:
title: Common SIEM Migrations Attributes
version: 'not applicable'
paths: {}
components:
x-codegen-enabled: true
schemas:
ConnectorId:
type: string
description: The GenAI connector id to use.
LangSmithOptions:
type: object
description: The LangSmith options object.
required:
- project_name
- api_key
properties:
project_name:
type: string
description: The project name.
api_key:
type: string
description: The API key to use for tracing.
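Review bot: mark `api_key` with `format: password` so OpenAPI-aware tooling and generated documentation treat it as a secret and mask it; `description: The API key to use for tracing.` on its own does not convey that, and the generated zod file will not carry it either.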
Additional changed file (path not captured on this page):
@@ -0,0 +1,34 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

/*
* NOTICE: Do not edit this file manually.
* This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
*
* info:
* title: SIEM Rules Migration API endpoint
* version: 1
*/

import { z } from '@kbn/zod';

import { OriginalRule, RuleMigration } from '../../rule_migration.gen';

export type CreateRuleMigrationRequestBody = z.infer<typeof CreateRuleMigrationRequestBody>;
export const CreateRuleMigrationRequestBody = z.array(OriginalRule);
export type CreateRuleMigrationRequestBodyInput = z.input<typeof CreateRuleMigrationRequestBody>;

export type CreateRuleMigrationResponse = z.infer<typeof CreateRuleMigrationResponse>;
export const CreateRuleMigrationResponse = z.object({
/**
* The migration id created.
*/
migration_id: z.string(),
});

export type GetRuleMigrationResponse = z.infer<typeof GetRuleMigrationResponse>;
export const GetRuleMigrationResponse = z.array(RuleMigration);
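Review bot: `CreateRuleMigrationRequestBody = z.array(OriginalRule)` has no length bound, and per the PR description each element is indexed straight into the data stream, so one request can create an arbitrarily large migration limited only by Kibana's request body size; add `maxItems` in the source spec so the generated schema bounds it, or enforce a limit in the route handler and document it. `GetRuleMigrationResponse = z.array(RuleMigration)` is likewise unbounded, which ties in with the missing pagination on the `get` operation in the spec.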
Additional changed file (path not captured on this page):
@@ -0,0 +1,52 @@
openapi: 3.0.3
info:
title: SIEM Rules Migration API endpoint
version: '1'
paths:
/internal/siem_migrations/rules:
post:
summary: Creates a new rule migration
operationId: CreateRuleMigration
x-codegen-enabled: true
description: Creates a new SIEM rules migration using the original vendor rules provided
tags:
- SIEM Migrations
- Rule Migrations
requestBody:
required: true
content:
application/json:
schema:
type: array
items:
$ref: '../../rule_migration.schema.yaml#/components/schemas/OriginalRule'
responses:
200:
description: Indicates migration have been created correctly.
content:
application/json:
schema:
type: object
required:
- migration_id
properties:
migration_id:
type: string
description: The migration id created.
get:
summary: Retrieves rule migrations
operationId: GetRuleMigration
x-codegen-enabled: true
description: Retrieves the rule migrations stored in the system
tags:
- SIEM Migrations
- Rule Migrations
responses:
200:
description: Indicates rule migrations have been retrieved correctly.
content:
application/json:
schema:
type: array
items:
$ref: '../../rule_migration.schema.yaml#/components/schemas/RuleMigration'
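Review bot: the `get` operation defines no parameters, so the spec commits to returning every `RuleMigration` in the space as one unpaginated array; since the route is not implemented yet, this is the moment to add at least a `migration_id` query parameter plus page and size parameters, otherwise the generated `GetRuleMigrationResponse` shape will have to change once the route exists. Two smaller points: `operationId: GetRuleMigration` is singular for a response that is an array (`GetRuleMigrations` would match), and `description: Indicates migration have been created correctly.` should read "Indicates the migration has been created correctly."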