
[Security][Detections] Update ML Jobs group from SIEM to Security #69319

Closed
spong opened this issue Jun 16, 2020 · 12 comments · Fixed by #73218
Labels
Feature:Detection Rules Security Solution rules and Detection Engine Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM

Comments

@spong
Member

spong commented Jun 16, 2020

With the recent rename of the SIEM plugin to Security Solution (#67902), we'll also need to update all SIEM references around our integration with ML.

@MikePaquette will provide an update with the correct name (most likely just Security)

This includes:

Creation of ML-based Rules:

ML Job Settings popover which references Security in copy, but SIEM as the group name:

The actual ML Jobs and their underlying template (as shown in the ML APP). This will need to be performed by the @elastic/security-intelligence-analytics team.

@spong spong added Team:SIEM Feature:Detection Rules Security Solution rules and Detection Engine labels Jun 16, 2020
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

@devonakerr

@randomuserid this is just one metadata field?

@randomuserid
Contributor

Those are the tags in the second pic. The third pic is the recognizer.

@randomuserid
Contributor

@blaklaybul this is the issue for the "siem" text. It appears in the job tags and what looks like text in the recognizer UI?

@blaklaybul
Contributor

@randomuserid thanks for letting me know - can you please provide us with the appropriate text when it is available?

@randomuserid
Contributor

@spong is the replacement term "Security"?

@spong
Member Author

spong commented Jun 17, 2020

@randomuserid -- @MikePaquette is verifying the replacement term and will let us know.

@spong
Member Author

spong commented Jun 23, 2020

@randomuserid & @blaklaybul -- Do you think we're good to remove the Beta labeling on these jobs as well?

@blaklaybul
Contributor

I'm happy to remove the beta tags.

@spong
Member Author

spong commented Jun 29, 2020

Sounds good @blaklaybul! Can we coordinate this with the other ML Job updates (from @randomuserid) for 7.9? Also, @MikePaquette verified the replacement term as Security, so we're good to make that change as well now too.

@blaklaybul
Contributor

blaklaybul commented Jun 29, 2020

Great! @peteharverson can we remove the beta tags from jobs and replace any references to SIEM with Security?

@spong I'm catching up with @randomuserid tomorrow to discuss his new jobs list and what we can feasibly add to 7.9.

@peteharverson
Contributor

@blaklaybul as discussed, I'll remove the beta tags from descriptions, and will change any references to SIEM to Security in:

  • module titles
  • descriptions
  • job groups

I will not change siem to security in module IDs or the created_by field.

spong pushed a commit that referenced this issue Jul 15, 2020
…71696)

## Summary

Edits all references to 'SIEM' in the ML SIEM modules to 'Security'. The following parts of the configurations were edited:
- Module titles
- Module descriptions
- Job descriptions
- `siem` job group changed to `security`

The `siem#/` portion of the custom URLs was also edited to `security/`.

Also removes the 'beta' label from module and job descriptions.

![image](https://user-images.githubusercontent.com/7405507/87452224-dbe4fd00-c5f8-11ea-887b-89c47e3467d2.png)

![image (26)](https://user-images.githubusercontent.com/7405507/87452265-edc6a000-c5f8-11ea-94a8-e101126666fa.png)


Part of #69319
peteharverson added a commit that referenced this issue Jul 15, 2020
…71696) (#71797)
Co-authored-by: Pete Harverson <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>
spong added a commit that referenced this issue Jul 28, 2020
## Summary

Resolves #69319

Updates `siem` grouping to `security`, and enables cloudtrail module, fixing mismatch between the newly updated modules (#71696).


<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/88444121-b6b27480-cdd8-11ea-886a-9b4cadbaede8.png" />
</p>

<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/88444181-16108480-cdd9-11ea-9fba-aff1e4c38da3.png" />
</p>


Also updates all module icons to be consistent:

Auditbeat (Before/After):
<p align="center">
    <img width="260" src="https://user-images.githubusercontent.com/2946766/88592057-9a9e1580-d01a-11ea-97bb-d1096a4ae85f.png" /><img width="300" src="https://user-images.githubusercontent.com/2946766/88592020-8b1ecc80-d01a-11ea-8f2d-aa5cba94924e.png" />
</p>

Packetbeat (Before/After):
<p align="center">
    <img width="260" src="https://user-images.githubusercontent.com/2946766/88592205-e18c0b00-d01a-11ea-9553-9c87527c600b.png" /><img width="300" src="https://user-images.githubusercontent.com/2946766/88592270-f8caf880-d01a-11ea-94a8-5428d2c6ddea.png" />
</p>

Winlogbeat (Before/After):
<p align="center">
    <img width="260" src="https://user-images.githubusercontent.com/2946766/88592286-fff20680-d01a-11ea-87dd-4150debc988c.png" /><img width="300" src="https://user-images.githubusercontent.com/2946766/88592351-2021c580-d01b-11ea-863f-efd26d0105ab.png" />
</p>



- [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
- [X] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials
  - Working w/ @benskelker on updated ML Jobs & nomenclature
spong added a commit to spong/kibana that referenced this issue Jul 28, 2020
…73218)
spong added a commit to spong/kibana that referenced this issue Jul 28, 2020
…73218)
spong added a commit that referenced this issue Jul 28, 2020
…73391)
spong added a commit that referenced this issue Jul 28, 2020
…73390)
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
ajosh0504 added a commit that referenced this issue Dec 15, 2022
## Summary
This PR makes the following updates to our pre-built Security ML jobs:
- Adds user-friendly names to our pre-built Anomaly Detection jobs.
These will be displayed in the Anomalies tab on the new Entity Analytics
page in the Security App instead of job IDs.
- Fixes formatting
- One job was missing the `security` job group which is required to
display jobs in the Security App. Added that as well.
- Changed the names of two modules: `siem_cloudtrail` ->
`security_cloudtrail` and `siem_packetbeat` -> `security_packetbeat`.
This should have happened a while ago per
[this](#69319) issue.

## Side effects
- Any QA tests that reference the `siem_cloudtrail` and
`siem_packetbeat` modules will need to be changed to reference the new
modules instead
- Any references to the siem modules in the Security App will need to be
updated

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: Robert Oskamp <[email protected]>
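The rename that peteharverson's list and the #71696 commit message describe (titles, descriptions, the `siem` job group and the `siem#/` custom-URL prefix change, module IDs and `created_by` do not), together with the check from the commit above that a job lacking the `security` group will not be displayed in the Security App, as an added example that is not code from this issue or from Kibana. The manifest layout, job IDs and `created_by` value below are constructed sample data; the real module file format is an assumption here.

```python
import copy
import re

# Constructed sample modelled on the fields this issue discusses; the exact
# layout of Kibana's real ML module manifests is an assumption here.
SAMPLE_MODULE = {
    "id": "siem_auditbeat",
    "title": "SIEM Auditbeat (beta)",
    "description": "Detect suspicious activity in Auditbeat data (beta).",
    "jobs": [
        {"id": "rare_process_by_host_linux_ecs", "config": {
            "description": "SIEM Auditbeat: rare process on Linux (beta)",
            "groups": ["siem", "auditbeat", "process"],
            "custom_settings": {
                "created_by": "ml-module-siem-auditbeat",
                "custom_urls": [{"url_name": "Host details",
                                 "url_value": "siem#/ml-hosts/$host.name$"}]}}},
        {"id": "linux_anomalous_network_activity_ecs", "config": {
            "description": "SIEM Auditbeat: anomalous network activity",
            "groups": ["auditbeat", "network"],  # no siem/security group at all
            "custom_settings": {"created_by": "ml-module-siem-auditbeat",
                                "custom_urls": []}}},
    ],
}

BETA = re.compile(r"\s*\(beta\)", re.IGNORECASE)

def rename_text(text):
    """Replace the product name and drop the beta label in display text."""
    return BETA.sub("", text.replace("SIEM", "Security"))

def migrate_module(module):
    """Return a copy with titles, descriptions, groups and custom URLs
    updated; the module id and created_by are deliberately left untouched."""
    out = copy.deepcopy(module)
    out["title"] = rename_text(out["title"])
    out["description"] = rename_text(out["description"])
    for job in out["jobs"]:
        cfg = job["config"]
        cfg["description"] = rename_text(cfg["description"])
        cfg["groups"] = ["security" if g == "siem" else g for g in cfg["groups"]]
        for url in cfg["custom_settings"].get("custom_urls", []):
            if url["url_value"].startswith("siem#/"):
                url["url_value"] = "security/" + url["url_value"][len("siem#/"):]
    return out

def jobs_missing_security_group(module):
    """Jobs without the 'security' group are not shown in the Security App."""
    return [j["id"] for j in module["jobs"] if "security" not in j["config"]["groups"]]
```

Running `jobs_missing_security_group` after the migration is the useful part: the second sample job still has no `security` group, which is exactly the silent-omission case the 2022 commit fixed.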