
[SIEM][Detection Engine] - Value based lists #59603

Closed · 4 tasks

yctercero opened this issue Mar 6, 2020 · 3 comments

Comments

yctercero (Contributor) commented Mar 6, 2020

Meta ticket tracking this: #59715

**Split/child ticket for just values:** #60022

⚠️ POC Ticket (Proof of Concept) ⚠️

As a user, add user generated list type values through UI or REST API.

  • REST endpoints for value based CRUD (Create Read Update Delete)
  • Create Saved Object mappings for list type values
    • Include some metadata on types
  • Use a feature flag for env var / kibana.yml to prevent this from being exposed in 7.7 🙅‍♂
  • Add tests to ensure feature flag is not set

Unknowns

  • Would it be one document or multiple documents (one document per list)?
  • Do we constrain list size to begin with?

This is looking unlikely at this phase; rather, we keep lists separate from the query so that, if we need to do chunked querying, it is simpler:

Research

  • Someone has to look at the existing integration with MISP, Zeek, Suricata from beats and how we can eventually "point" to existing lists?
  • De-dupes (for future). Duplicates can be between different lists or even in the same list.
  • ES storage of large values (max size appears to be 2GB)

Mock REST request for adding a set of lists to an existing rule

```json
{
  "name": "Query with a value list",
  "description": "Query with value lists",
  "rule_id": "query-with-value-lists",
  "risk_score": 1,
  "severity": "high",
  "type": "query",
  "query": "user.name: root or user.name: admin",
  "lists": [
    {
      "field": "source.ip",
      "boolean_operator": "and",
      "values": [
        {
          "name": "127.0.0.1",
          "type": "value"
        }
      ]
    },
    {
      "field": "host.name",
      "boolean_operator": "and not",
      "values": [
        {
          "name": "server-name-01",
          "type": "value"
        },
        {
          "name": "known_hosts",
          "type": "list"
        }
      ]
    }
  ]
}
```

Example of some lists within ES from the REST interface.

Other things this will have would be the classic fields from saved objects.

```json
{
  "id": "1",
  "type": "homogenous",
  "data_type": "ip",
  "name": "BAD IPS",
  "ip": ["127.0.0.1", "127.0.0.2", ...]
}
{
  "id": "2",
  "type": "homogenous",
  "data_type": "ip",
  "name": "BAD IPS",
  "ip": ["127.0.0.2", ...]
}
{
  "id": "3",
  "type": "homogenous",
  "data_type": "string",
  "name": "Executives",
  "string": ["frank", "yara"]
}
{
  "id": "4",
  "type": "homogenous",
  "data_type": "date",
  "name": "Some dates",
  "meta": { "format": "YYYY/MM/DD" },
  "string": ["2001/01/01"]
}
```
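The mock request above attaches list blocks to a rule but leaves open how `type: "list"` references get resolved and how duplicates across lists are handled. The following is an added example, not Kibana's own code: it resolves the blocks against stored value lists, de-duplicates, and renders the result as a KQL filter appended to the rule query. The `known_hosts` stored list and the KQL-string strategy are assumptions; the issue names the list but does not show its contents.

```typescript
// Shapes taken from the mock REST request and stored-list examples in the issue.
type ValueRef = { name: string; type: "value" | "list" };
type RuleList = { field: string; boolean_operator: "and" | "and not"; values: ValueRef[] };
type StoredList = { id: string; data_type: string; name: string; values: string[] };

// Constructed stored lists. "known_hosts" is assumed: the issue names it but does not show it.
// The repeated "server-name-02" and the literal "server-name-01" below exercise de-duplication.
const storedLists: StoredList[] = [
  { id: "1", data_type: "ip", name: "BAD IPS", values: ["127.0.0.1", "127.0.0.2"] },
  { id: "5", data_type: "string", name: "known_hosts",
    values: ["server-name-01", "server-name-02", "server-name-02"] },
];

// Quote a list entry so a value containing spaces, quotes or operators is matched literally
// instead of being parsed as part of the KQL expression.
function kqlLiteral(v: string): string {
  return `"${v.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
}

// Resolve the values a list block refers to: literals as-is, list references by name.
// An unknown list name throws rather than silently dropping the clause, which for an
// "and not" exclusion would otherwise widen what the rule matches.
function resolveValues(list: RuleList, stored: StoredList[]): string[] {
  const seen = new Set<string>();
  for (const ref of list.values) {
    if (ref.type === "value") { seen.add(ref.name); continue; }
    const found = stored.find((s) => s.name === ref.name);
    if (!found) throw new Error(`unknown value list: ${ref.name}`);
    for (const v of found.values) seen.add(v);
  }
  return Array.from(seen);
}

// Append each list block to the base query: "and" requires a match, "and not" excludes any.
function buildQuery(baseQuery: string, lists: RuleList[], stored: StoredList[]): string {
  const clauses = lists.map((l) => {
    const terms = resolveValues(l, stored).map((v) => `${l.field}: ${kqlLiteral(v)}`);
    return `${l.boolean_operator} (${terms.join(" or ")})`;
  });
  return `(${baseQuery}) ${clauses.join(" ")}`;
}

// The two list blocks from the issue's mock request, applied to its base query.
function exampleQuery(): string {
  const lists: RuleList[] = [
    { field: "source.ip", boolean_operator: "and", values: [{ name: "127.0.0.1", type: "value" }] },
    { field: "host.name", boolean_operator: "and not",
      values: [{ name: "server-name-01", type: "value" }, { name: "known_hosts", type: "list" }] },
  ];
  return buildQuery("user.name: root or user.name: admin", lists, storedLists);
}
```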
elasticmachine (Contributor) commented

Pinging @elastic/siem (Team:SIEM)

willemdh commented Mar 9, 2020

+1, also maybe this feature has some overlap with ml filter lists?

FrankHassanabad (Contributor) commented

"Reviewed by Frank Hassanabad on 7/29/2020." This looks complete and will be shippable at this point. Going to close this and associated tickets. Any new bugs/features should be new tickets. Note this work is superseded by exception lists being a join data type.
