[RAC][Security Solution] Register Security Detection Rules with Rule Registry (#96015)

## Summary

This PR starts the migration of the Security Solution rules to use the rule-registry introduced in #95903. This is a pathfinding effort in porting over the existing Security Solution rules, and may include some temporary reference rules for testing out different paradigms as we move the rules over. See #95735 for details.

Enable via the following feature flags in your `kibana.dev.yml`:

```
# Security Solution Rules on Rule Registry
xpack.ruleRegistry.index: '.kibana-[USERNAME]-alerts' # Only necessary to scope from other devs testing, if not specified defaults to `.alerts-security-solution`
xpack.securitySolution.enableExperimental: ['ruleRegistryEnabled']
```

> Note: if setting a custom `xpack.ruleRegistry.index`, for the time being you must also update the [DEFAULT_ALERTS_INDEX](https://github.com/elastic/kibana/blob/9e213fb7a5a0337591a50a0567924ebe950b9791/x-pack/plugins/security_solution/common/constants.ts#L28) in order for the UI to display alerts within the alerts table.

---

Three reference rule types have been added (`query`, `eql`, `threshold`), along with scripts for creating them located in:

```
x-pack/plugins/security_solution/server/lib/detection_engine/reference_rules/scripts/
```

Main Detection page TGrid queries have been short-circuited to query `.alerts-security-solution*` for displaying alerts from the new alerts as data indices.

To test, check out, enable the above feature flag(s), and run one of the scripts from the above directory, e.g. `./create_reference_rule_query.sh` (ensure your ENV vars are set! :)

Alerts as data within the main Detection Page 🎉

<p align="center">
<img width="500" src="https://user-images.githubusercontent.com/2946766/119911768-39cfba00-bf17-11eb-8996-63c0b813fdcc.png" />
</p>

cc @madirey @dgieselaar @pmuellr @yctercero @dhurley14 @marshallmain
112 changes: 112 additions & 0 deletions
x-pack/plugins/rule_registry/server/utils/create_persistence_rule_type_factory.ts
@@ -0,0 +1,112 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
import { ESSearchRequest } from 'typings/elasticsearch'; | ||
import v4 from 'uuid/v4'; | ||
import { Logger } from '@kbn/logging'; | ||
|
||
import { AlertInstance } from '../../../alerting/server'; | ||
import { | ||
AlertInstanceContext, | ||
AlertInstanceState, | ||
AlertTypeParams, | ||
} from '../../../alerting/common'; | ||
import { RuleDataClient } from '../rule_data_client'; | ||
import { AlertTypeWithExecutor } from '../types'; | ||
|
||
type PersistenceAlertService<TAlertInstanceContext extends Record<string, unknown>> = ( | ||
alerts: Array<Record<string, unknown>> | ||
) => Array<AlertInstance<AlertInstanceState, TAlertInstanceContext, string>>; | ||
|
||
type PersistenceAlertQueryService = ( | ||
query: ESSearchRequest | ||
) => Promise<Array<Record<string, unknown>>>; | ||
|
||
type CreatePersistenceRuleTypeFactory = (options: { | ||
ruleDataClient: RuleDataClient; | ||
logger: Logger; | ||
}) => < | ||
TParams extends AlertTypeParams, | ||
TAlertInstanceContext extends AlertInstanceContext, | ||
TServices extends { | ||
alertWithPersistence: PersistenceAlertService<TAlertInstanceContext>; | ||
findAlerts: PersistenceAlertQueryService; | ||
} | ||
>( | ||
type: AlertTypeWithExecutor<TParams, TAlertInstanceContext, TServices> | ||
) => AlertTypeWithExecutor<TParams, TAlertInstanceContext, any>; | ||
|
||
export const createPersistenceRuleTypeFactory: CreatePersistenceRuleTypeFactory = ({ | ||
logger, | ||
ruleDataClient, | ||
}) => (type) => { | ||
return { | ||
...type, | ||
executor: async (options) => { | ||
const { | ||
services: { alertInstanceFactory, scopedClusterClient }, | ||
} = options; | ||
|
||
const currentAlerts: Array<Record<string, unknown>> = []; | ||
const timestamp = options.startedAt.toISOString(); | ||
|
||
const state = await type.executor({ | ||
...options, | ||
services: { | ||
...options.services, | ||
alertWithPersistence: (alerts) => { | ||
alerts.forEach((alert) => currentAlerts.push(alert)); | ||
return alerts.map((alert) => | ||
alertInstanceFactory(alert['kibana.rac.alert.uuid']! as string) | ||
); | ||
}, | ||
findAlerts: async (query) => { | ||
const { body } = await scopedClusterClient.asCurrentUser.search({ | ||
...query, | ||
body: { | ||
...query.body, | ||
}, | ||
ignore_unavailable: true, | ||
}); | ||
return body.hits.hits | ||
.map((event: { _source: any }) => event._source!) | ||
.map((event: { [x: string]: any }) => { | ||
const alertUuid = event['kibana.rac.alert.uuid']; | ||
const isAlert = alertUuid != null; | ||
return { | ||
...event, | ||
'event.kind': 'signal', | ||
'kibana.rac.alert.id': '???', | ||
'kibana.rac.alert.status': 'open', | ||
'kibana.rac.alert.uuid': v4(), | ||
'kibana.rac.alert.ancestors': isAlert | ||
? ((event['kibana.rac.alert.ancestors'] as string[]) ?? []).concat([ | ||
alertUuid!, | ||
] as string[]) | ||
: [], | ||
'kibana.rac.alert.depth': isAlert | ||
? ((event['kibana.rac.alert.depth'] as number) ?? 0) + 1 | ||
: 0, | ||
'@timestamp': timestamp, | ||
}; | ||
}); | ||
}, | ||
}, | ||
}); | ||
|
||
const numAlerts = currentAlerts.length; | ||
logger.debug(`Found ${numAlerts} alerts.`); | ||
|
||
if (ruleDataClient && numAlerts) { | ||
await ruleDataClient.getWriter().bulk({ | ||
body: currentAlerts.flatMap((event) => [{ index: {} }, event]), | ||
}); | ||
} | ||
|
||
return state; | ||
}, | ||
}; | ||
}; |
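Review bot: the bulk write at the end of the executor (`ruleDataClient.getWriter().bulk({ body: currentAlerts.flatMap(...) })`) never inspects its response, so per-item indexing failures (a bulk request can succeed as a whole while individual items are rejected) drop alerts silently; capture the result and log or surface the item errors before returning `state`. Two smaller points in the same hunk: `'kibana.rac.alert.id': '???'` is a literal placeholder that `findAlerts` will persist into every alert document it produces, so either resolve it or omit the field with a TODO; and the `...event` spread followed by `'@timestamp': timestamp` overwrites the source document's own timestamp with the rule's `startedAt`, losing when the underlying event occurred (preserve it in a separate field before overwriting). Also, the `ruleDataClient &&` guard is vestigial since `CreatePersistenceRuleTypeFactory` declares `ruleDataClient` as required, and `alertInstanceFactory(alert['kibana.rac.alert.uuid']! as string)` trusts every caller of `alertWithPersistence` to supply a uuid on each record; a guard there would avoid creating instances keyed on `undefined`. Note too that `findAlerts` assigns a fresh `v4()` uuid on every call, so the same source event returned by two executions yields two distinct alert documents; if deduplication is wanted, derive the id deterministically and pass it as `_id` in the bulk `index` action.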
@@ -8,6 +8,7 @@ | |
"actions", | ||
"alerting", | ||
"cases", | ||
"ruleRegistry", | ||
"data", | ||
"dataEnhanced", | ||
"embeddable", | ||
|
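Review bot: `"ruleRegistry"` is inserted between `"cases"` and `"data"`, breaking the alphabetical order the rest of this list follows (`actions`, `alerting`, `cases`, `data`, `dataEnhanced`, `embeddable`); move it to its sorted position. The hunk does not show which dependency list this is; since the rule-registry path is gated behind the `ruleRegistryEnabled` experimental flag per the commit message, confirm that a hard (required) plugin dependency rather than an optional one is intended.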