-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[SecuritySolution][SIEM Migrations] Rule migrations storage (#197032)
## Summary issue: elastic/security-team#10654 Implements the persistence layer for the rule migrations from other vendors, as part of the SIEM Rule migrations effort. ### Changes - Schemas created for `SiemRuleMigration` document entity, along with `ElasticRule` and `OriginalRule`. - New API `/internal/siem_migrations/rules` was created: - `POST` -> Receives an array of (original) rules and stores them with `status: pending` to be processed. Responds with the `migration_id` that will be used to start the migration background task (implementation details here: elastic/security-team#10850). - `GET` -> (to be implemented later) - New `SiemMigrationsService` added to the `securitySolution` route context, to encapsulate all operations related to SIEM migrations (We start with _rule_ migrations, but there are more "kinds" of SIEM migrations in the pipeline: _dashboards_, _saved queries_...). It contains: - `SiemRuleMigrationsService` to encapsulate all operations related to SIEM rule migrations. - `RuleMigrationsDataStream` class to manage the `.kibana.siem-rule-migrations-<spaceId>` data stream operations using `DataStreamSpacesAdapter`. - It exposes a client with abstracted operations that are exposed to the API routes: - `create`: indexes an array of _SiemRuleMigration_ documents to the data stream - `search`: searches _SiemRuleMigration_ documents by specific terms. > [!NOTE] > Without `siemMigrationsEnabled` experimental flag the new API route won't be registered, and the `SiemRuleMigrationsService` _setup_ won't be called, so no index/component template will be installed to ES. ### Testing locally Enable the flag ``` xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled'] ``` <details> <summary>Example curl request</summary> ``` curl --location 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language":"spl", "mitre_attack_ids": [ "T1136" ] }, { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] } ]' ``` </details> The newly created documents can be retrieved using Kibana DevTools console: ``` GET .kibana.siem-rule-migrations-default/_search ``` ### Screenshots ![postman_screenshot](https://github.com/user-attachments/assets/9d3852d2-48ef-4955-b621-fdba6b249c65) --------- Co-authored-by: kibanamachine <[email protected]>
- Loading branch information
1 parent
3da02c5
commit d7109d6
Showing
35 changed files
with
1,293 additions
and
8 deletions.
There are no files selected for viewing
Validating CODEOWNERS rules …
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
16 changes: 16 additions & 0 deletions
16
x-pack/plugins/security_solution/common/siem_migrations/constants.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
export const SIEM_MIGRATIONS_PATH = '/internal/siem_migrations' as const; | ||
export const SIEM_RULE_MIGRATIONS_PATH = `${SIEM_MIGRATIONS_PATH}/rules` as const; | ||
|
||
export enum SiemMigrationsStatus { | ||
PENDING = 'pending', | ||
PROCESSING = 'processing', | ||
FINISHED = 'finished', | ||
ERROR = 'error', | ||
} |
38 changes: 38 additions & 0 deletions
38
x-pack/plugins/security_solution/common/siem_migrations/model/api/common.gen.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
/* | ||
* NOTICE: Do not edit this file manually. | ||
* This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator. | ||
* | ||
* info: | ||
* title: Common SIEM Migrations Attributes | ||
* version: not applicable | ||
*/ | ||
|
||
import { z } from '@kbn/zod'; | ||
|
||
/** | ||
* The GenAI connector id to use. | ||
*/ | ||
export type ConnectorId = z.infer<typeof ConnectorId>; | ||
export const ConnectorId = z.string(); | ||
|
||
/** | ||
* The LangSmith options object. | ||
*/ | ||
export type LangSmithOptions = z.infer<typeof LangSmithOptions>; | ||
export const LangSmithOptions = z.object({ | ||
/** | ||
* The project name. | ||
*/ | ||
project_name: z.string(), | ||
/** | ||
* The API key to use for tracing. | ||
*/ | ||
api_key: z.string(), | ||
}); |
24 changes: 24 additions & 0 deletions
24
x-pack/plugins/security_solution/common/siem_migrations/model/api/common.schema.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
openapi: 3.0.3 | ||
info: | ||
title: Common SIEM Migrations Attributes | ||
version: 'not applicable' | ||
paths: {} | ||
components: | ||
x-codegen-enabled: true | ||
schemas: | ||
ConnectorId: | ||
type: string | ||
description: The GenAI connector id to use. | ||
LangSmithOptions: | ||
type: object | ||
description: The LangSmith options object. | ||
required: | ||
- project_name | ||
- api_key | ||
properties: | ||
project_name: | ||
type: string | ||
description: The project name. | ||
api_key: | ||
type: string | ||
description: The API key to use for tracing. |
34 changes: 34 additions & 0 deletions
34
...k/plugins/security_solution/common/siem_migrations/model/api/rules/rules_migration.gen.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
/* | ||
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
* or more contributor license agreements. Licensed under the Elastic License | ||
* 2.0; you may not use this file except in compliance with the Elastic License | ||
* 2.0. | ||
*/ | ||
|
||
/* | ||
* NOTICE: Do not edit this file manually. | ||
* This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator. | ||
* | ||
* info: | ||
* title: SIEM Rules Migration API endpoint | ||
* version: 1 | ||
*/ | ||
|
||
import { z } from '@kbn/zod'; | ||
|
||
import { OriginalRule, RuleMigration } from '../../rule_migration.gen'; | ||
|
||
export type CreateRuleMigrationRequestBody = z.infer<typeof CreateRuleMigrationRequestBody>; | ||
export const CreateRuleMigrationRequestBody = z.array(OriginalRule); | ||
export type CreateRuleMigrationRequestBodyInput = z.input<typeof CreateRuleMigrationRequestBody>; | ||
|
||
export type CreateRuleMigrationResponse = z.infer<typeof CreateRuleMigrationResponse>; | ||
export const CreateRuleMigrationResponse = z.object({ | ||
/** | ||
* The migration id created. | ||
*/ | ||
migration_id: z.string(), | ||
}); | ||
|
||
export type GetRuleMigrationResponse = z.infer<typeof GetRuleMigrationResponse>; | ||
export const GetRuleMigrationResponse = z.array(RuleMigration); |
52 changes: 52 additions & 0 deletions
52
...gins/security_solution/common/siem_migrations/model/api/rules/rules_migration.schema.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
openapi: 3.0.3 | ||
info: | ||
title: SIEM Rules Migration API endpoint | ||
version: '1' | ||
paths: | ||
/internal/siem_migrations/rules: | ||
post: | ||
summary: Creates a new rule migration | ||
operationId: CreateRuleMigration | ||
x-codegen-enabled: true | ||
description: Creates a new SIEM rules migration using the original vendor rules provided | ||
tags: | ||
- SIEM Migrations | ||
- Rule Migrations | ||
requestBody: | ||
required: true | ||
content: | ||
application/json: | ||
schema: | ||
type: array | ||
items: | ||
$ref: '../../rule_migration.schema.yaml#/components/schemas/OriginalRule' | ||
responses: | ||
200: | ||
description: Indicates migration have been created correctly. | ||
content: | ||
application/json: | ||
schema: | ||
type: object | ||
required: | ||
- migration_id | ||
properties: | ||
migration_id: | ||
type: string | ||
description: The migration id created. | ||
get: | ||
summary: Retrieves rule migrations | ||
operationId: GetRuleMigration | ||
x-codegen-enabled: true | ||
description: Retrieves the rule migrations stored in the system | ||
tags: | ||
- SIEM Migrations | ||
- Rule Migrations | ||
responses: | ||
200: | ||
description: Indicates rule migrations have been retrieved correctly. | ||
content: | ||
application/json: | ||
schema: | ||
type: array | ||
items: | ||
$ref: '../../rule_migration.schema.yaml#/components/schemas/RuleMigration' |
Oops, something went wrong.