Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SecuritySolution][Detections] Enables Index Action and Connector for Detection Actions #111813

Merged
merged 4 commits into from
Oct 19, 2021
Merged

[SecuritySolution][Detections] Enables Index Action and Connector for Detection Actions #111813

merged 4 commits into from
Oct 19, 2021

Conversation

spong
Copy link
Member

@spong spong commented Sep 9, 2021

Summary

This PR enables the Index Connector and Action for the detection engine, addressing #110550.

Action type available in list:

No Connector UI:

Create Connector UI:

Connector Template: 

{
    "rule_id": "{{context.rule.id}}",
    "rule_name": "{{context.rule.name}}",
    "alert_id": "{{alert.id}}",
    "context_message": "Threshold Results: {{#context.alerts}}{{#signal.threshold_result.terms}}{{value}}, {{/signal.threshold_result.terms}}{{/context.alerts}}"
}

Documents successfully written:

If wanting to store the alert index timestamp, create index first with timestamp field and use Define timefield for each document option:

PUT .homemade-alerts-index
{
  "mappings" : {
    "dynamic": "true",
    "properties" : {
      "@timestamp": {
        "type": "date"
      }
    }
  }
}

Checklist

Delete any items that are not applicable to this PR.

  • Documentation was added for features that require explanation or tutorials (will need to update documentation if we proceed with this PR)

@spong spong added Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Actions Security Solution Detection Rule Actions area labels Sep 9, 2021
@spong spong self-assigned this Sep 9, 2021
@spong
Copy link
Member Author

spong commented Oct 11, 2021
edited
Loading

Closing till dependency #89430 is resolved and allowing for multi-document indexing per action context.

@spong spong closed this Oct 11, 2021
@spong spong mentioned this pull request Oct 11, 2021
Closed
@spong spong reopened this Oct 18, 2021
@spong
Copy link
Member Author

spong commented Oct 18, 2021

Re-opening -- product determined limited functionality is still worthwhile to users while we work to add multi-document support. We'll want to add a note to documentation detailing this behavior.

spong
spong commented Oct 18, 2021
View reviewed changes
x-pack/plugins/security_solution/common/constants.ts
@@ -296,15 +296,16 @@ export const ML_GROUP_IDS = [ML_GROUP_ID, LEGACY_ML_GROUP_ID];
*/
export const NOTIFICATION_SUPPORTED_ACTION_TYPES_IDS = [
'.email',
'.slack',
'.index',
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Alphabetized these to better grok -- .index is only new addition.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You should be careful as this is an array you're alphabetizing. I don't think it will cause problems but I'm just pointing out that typically you don't want to alphabetize arrays if order maters. We have had bugs in the past around people alphabetizing arrays.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fair point -- thanks for raising! Looks like they're sorted downstream so shouldn't have any side-effects. 👍

This is the order in the UI on master right now:

Order in the UI on this branch:

@spong spong marked this pull request as ready for review October 18, 2021 15:08
@spong spong requested a review from a team as a code owner October 18, 2021 15:08
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@spong spong added enhancement New value added to drive a business result release_note:enhancement v7.16.0 v8.0.0 auto-backport Deprecated - use backport:version if exact versions are needed labels Oct 18, 2021
FrankHassanabad
FrankHassanabad approved these changes Oct 18, 2021
View reviewed changes
Copy link
Contributor

@FrankHassanabad FrankHassanabad left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, looks like you are adding nice things to this array

@spong
Copy link
Member Author

spong commented Oct 18, 2021

@elasticmachine merge upstream

@FrankHassanabad
Copy link
Contributor

@elasticmachine merge upstream

@kibanamachine
Copy link
Contributor

💛 Build succeeded, but was flaky

Test Failures

Kibana Pipeline / general / X-Pack API Integration Tests.x-pack/test/api_integration/apis/ml/jobs/categorization_field_examples·ts.apis Machine Learning jobs Categorization example endpoint - partially valid, more than 75% are null

Link to Jenkins

Standard Out

Failed Tests Reporter:
  - Test has not failed recently on tracked branches

[00:00:00]     │
[00:00:00]       └-: apis
[00:00:00]         └-> "before all" hook in "apis"
[00:10:37]         └-: Machine Learning
[00:10:37]           └-> "before all" hook in "Machine Learning"
[00:10:37]           └-> "before all" hook in "Machine Learning"
[00:10:37]             │ debg creating role ft_ml_source
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_source]
[00:10:37]             │ debg creating role ft_ml_source_readonly
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_source_readonly]
[00:10:37]             │ debg creating role ft_ml_dest
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_dest]
[00:10:37]             │ debg creating role ft_ml_dest_readonly
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_dest_readonly]
[00:10:37]             │ debg creating role ft_ml_ui_extras
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_ml_ui_extras]
[00:10:37]             │ debg creating role ft_default_space_ml_all
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_all]
[00:10:37]             │ debg creating role ft_default_space1_ml_all
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space1_ml_all]
[00:10:37]             │ debg creating role ft_all_spaces_ml_all
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_all_spaces_ml_all]
[00:10:37]             │ debg creating role ft_default_space_ml_read
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_read]
[00:10:37]             │ debg creating role ft_default_space1_ml_read
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space1_ml_read]
[00:10:37]             │ debg creating role ft_all_spaces_ml_read
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_all_spaces_ml_read]
[00:10:37]             │ debg creating role ft_default_space_ml_none
[00:10:37]             │ info [o.e.x.s.a.r.TransportPutRoleAction] [node-01] added role [ft_default_space_ml_none]
[00:10:37]             │ debg creating user ft_ml_poweruser
[00:10:38]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser]
[00:10:38]             │ debg created user ft_ml_poweruser
[00:10:38]             │ debg creating user ft_ml_poweruser_spaces
[00:10:38]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_spaces]
[00:10:38]             │ debg created user ft_ml_poweruser_spaces
[00:10:38]             │ debg creating user ft_ml_poweruser_space1
[00:10:38]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_space1]
[00:10:38]             │ debg created user ft_ml_poweruser_space1
[00:10:38]             │ debg creating user ft_ml_poweruser_all_spaces
[00:10:38]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_poweruser_all_spaces]
[00:10:38]             │ debg created user ft_ml_poweruser_all_spaces
[00:10:38]             │ debg creating user ft_ml_viewer
[00:10:38]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer]
[00:10:38]             │ debg created user ft_ml_viewer
[00:10:38]             │ debg creating user ft_ml_viewer_spaces
[00:10:38]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_spaces]
[00:10:38]             │ debg created user ft_ml_viewer_spaces
[00:10:38]             │ debg creating user ft_ml_viewer_space1
[00:10:38]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_space1]
[00:10:38]             │ debg created user ft_ml_viewer_space1
[00:10:38]             │ debg creating user ft_ml_viewer_all_spaces
[00:10:38]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_viewer_all_spaces]
[00:10:38]             │ debg created user ft_ml_viewer_all_spaces
[00:10:38]             │ debg creating user ft_ml_unauthorized
[00:10:39]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_unauthorized]
[00:10:39]             │ debg created user ft_ml_unauthorized
[00:10:39]             │ debg creating user ft_ml_unauthorized_spaces
[00:10:39]             │ info [o.e.x.s.a.u.TransportPutUserAction] [node-01] added user [ft_ml_unauthorized_spaces]
[00:10:39]             │ debg created user ft_ml_unauthorized_spaces
[00:14:52]           └-: jobs
[00:14:52]             └-> "before all" hook in "jobs"
[00:14:52]             └-: Categorization example endpoint - 
[00:14:52]               └-> "before all" hook for "valid with good number of tokens"
[00:14:52]               └-> "before all" hook for "valid with good number of tokens"
[00:14:52]                 │ info [x-pack/test/functional/es_archives/ml/categorization] Loading "mappings.json"
[00:14:52]                 │ info [x-pack/test/functional/es_archives/ml/categorization] Loading "data.json.gz"
[00:14:52]                 │ info [o.e.c.m.MetadataCreateIndexService] [node-01] [ft_categorization] creating index, cause [api], templates [], shards [1]/[0]
[00:14:52]                 │ info [x-pack/test/functional/es_archives/ml/categorization] Created index "ft_categorization"
[00:14:52]                 │ debg [x-pack/test/functional/es_archives/ml/categorization] "ft_categorization" settings {"index":{"number_of_replicas":"0","number_of_shards":"1"}}
[00:14:54]                 │ info [x-pack/test/functional/es_archives/ml/categorization] Indexed 1501 docs into "ft_categorization"
[00:14:54]                 │ debg applying update to kibana config: {"dateFormat:tz":"UTC"}
[00:14:55]               └-> valid with good number of tokens
[00:14:55]                 └-> "before each" hook: global before each for "valid with good number of tokens"
[00:14:55]                 └- ✓ pass  (218ms)
[00:14:55]               └-> invalid, too many tokens.
[00:14:55]                 └-> "before each" hook: global before each for "invalid, too many tokens."
[00:14:55]                 │ info [r.suppressed] [node-01] path: /_analyze, params: {}
[00:14:55]                 │      org.elasticsearch.transport.RemoteTransportException: [node-01][127.0.0.1:6341][indices:admin/analyze[s]]
[00:14:55]                 │      Caused by: java.lang.IllegalStateException: The number of tokens produced by calling _analyze has exceeded the allowed maximum of [10000]. This limit can be set by changing the [index.analyze.max_token_count] index level setting.
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction$TokenCounter.increment(TransportAnalyzeAction.java:397) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction.simpleAnalyze(TransportAnalyzeAction.java:229) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction.analyze(TransportAnalyzeAction.java:204) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction.analyze(TransportAnalyzeAction.java:122) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction.shardOperation(TransportAnalyzeAction.java:110) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction.shardOperation(TransportAnalyzeAction.java:62) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.support.single.shard.TransportSingleShardAction.lambda$asyncShardOperation$0(TransportSingleShardAction.java:99) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.ActionRunnable.lambda$supply$0(ActionRunnable.java:47) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.ActionRunnable$2.doRun(ActionRunnable.java:62) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:737) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:26) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
[00:14:55]                 │      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
[00:14:55]                 │      	at java.lang.Thread.run(Thread.java:833) [?:?]
[00:14:55]                 │ info [r.suppressed] [node-01] path: /_analyze, params: {}
[00:14:55]                 │      org.elasticsearch.transport.RemoteTransportException: [node-01][127.0.0.1:6341][indices:admin/analyze[s]]
[00:14:55]                 │      Caused by: java.lang.IllegalStateException: The number of tokens produced by calling _analyze has exceeded the allowed maximum of [10000]. This limit can be set by changing the [index.analyze.max_token_count] index level setting.
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction$TokenCounter.increment(TransportAnalyzeAction.java:397) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction.simpleAnalyze(TransportAnalyzeAction.java:229) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction.analyze(TransportAnalyzeAction.java:204) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction.analyze(TransportAnalyzeAction.java:122) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction.shardOperation(TransportAnalyzeAction.java:110) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.admin.indices.analyze.TransportAnalyzeAction.shardOperation(TransportAnalyzeAction.java:62) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.support.single.shard.TransportSingleShardAction.lambda$asyncShardOperation$0(TransportSingleShardAction.java:99) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.ActionRunnable.lambda$supply$0(ActionRunnable.java:47) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.action.ActionRunnable$2.doRun(ActionRunnable.java:62) ~[elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:737) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:26) [elasticsearch-8.0.0-SNAPSHOT.jar:8.0.0-SNAPSHOT]
[00:14:55]                 │      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136) [?:?]
[00:14:55]                 │      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635) [?:?]
[00:14:55]                 │      	at java.lang.Thread.run(Thread.java:833) [?:?]
[00:14:55]                 └- ✓ pass  (141ms)
[00:14:55]               └-> partially valid, more than 75% are null
[00:14:55]                 └-> "before each" hook: global before each for "partially valid, more than 75% are null"
[00:14:55]                 └- ✖ fail: apis Machine Learning jobs Categorization example endpoint -  partially valid, more than 75% are null
[00:14:55]                 │       Error: expected 249 to sort of equal 250
[00:14:55]                 │       + expected - actual
[00:14:55]                 │ 
[00:14:55]                 │       -249
[00:14:55]                 │       +250
[00:14:55]                 │       
[00:14:55]                 │       at Assertion.assert (/dev/shm/workspace/parallel/4/kibana/node_modules/@kbn/expect/expect.js:100:11)
[00:14:55]                 │       at Assertion.eql (/dev/shm/workspace/parallel/4/kibana/node_modules/@kbn/expect/expect.js:244:8)
[00:14:55]                 │       at Context.<anonymous> (test/api_integration/apis/ml/jobs/categorization_field_examples.ts:303:36)
[00:14:55]                 │       at runMicrotasks (<anonymous>)
[00:14:55]                 │       at processTicksAndRejections (node:internal/process/task_queues:96:5)
[00:14:55]                 │       at Object.apply (/dev/shm/workspace/parallel/4/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16)
[00:14:55]                 │ 
[00:14:55]                 │

Stack Trace

Error: expected 249 to sort of equal 250
    at Assertion.assert (/dev/shm/workspace/parallel/4/kibana/node_modules/@kbn/expect/expect.js:100:11)
    at Assertion.eql (/dev/shm/workspace/parallel/4/kibana/node_modules/@kbn/expect/expect.js:244:8)
    at Context.<anonymous> (test/api_integration/apis/ml/jobs/categorization_field_examples.ts:303:36)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at Object.apply (/dev/shm/workspace/parallel/4/kibana/node_modules/@kbn/test/target_node/functional_test_runner/lib/mocha/wrap_function.js:87:16) {
  actual: '249',
  expected: '250',
  showDiff: true
}

Metrics [docs]

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 104.1KB 104.2KB +9.0B

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @spong

@spong spong merged commit e5a918d into elastic:master Oct 19, 2021
@spong spong deleted the add-index-action branch October 19, 2021 13:44
kibanamachine pushed a commit to kibanamachine/kibana that referenced this pull request Oct 19, 2021
@spong @kibanamachine
[SecuritySolution][Detections] Enables Index Action and Connector for…
2d31e80 
… Detection Actions (elastic#111813)

## Summary

This PR enables the [Index Connector and Action](https://www.elastic.co/guide/en/kibana/master/index-action-type.html) for the detection engine, addressing elastic#110550. 

<details><summary>Action type available in list:</summary>
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132774871-285ff387-eebe-44ee-9172-3143d0283b09.png" />
</p>
</details>

<details><summary>No Connector UI:</summary>
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132774935-e7e71061-e3b6-40ae-bc77-4adb76132de0.png" />
</p>
</details>


<details><summary>Create Connector UI:</summary>
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132774985-50980dcf-b022-4101-809a-a2d5a617a892.png" />
</p>
</details>

<details><summary>Connector Template:</summary>
<p>

``` json
{
    "rule_id": "{{context.rule.id}}",
    "rule_name": "{{context.rule.name}}",
    "alert_id": "{{alert.id}}",
    "context_message": "Threshold Results: {{#context.alerts}}{{#signal.threshold_result.terms}}{{value}}, {{/signal.threshold_result.terms}}{{/context.alerts}}"
}
```

<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132775311-3091ed5d-d7df-4dc1-89d6-c02a93c04779.png" />
</p>
</p>
</details>



<details><summary>Documents successfully written:</summary>
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132775457-128f0e62-0978-46a6-ae6e-bd951a1d6c96.png" />
</p>
</details>


---

If wanting to store the alert index timestamp, create index first with `timestamp` field and use `Define timefield for each document` option:


```
PUT .homemade-alerts-index
{
  "mappings" : {
    "dynamic": "true",
    "properties" : {
      "@timestamp": {
        "type": "date"
      }
    }
  }
}
```
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132775842-ac6534a7-289d-426f-851b-f5f2c2bb5716.png" />
</p>

<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132776120-2def172f-3bfa-4a7e-b041-155e817173ab.png" />
</p>




### Checklist

Delete any items that are not applicable to this PR.

- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials (will need to update documentation if we proceed with this PR)
@kibanamachine kibanamachine mentioned this pull request Oct 19, 2021
Merged
@kibanamachine
Copy link
Contributor

💚 Backport successful

Status Branch Result
7.x

This backport PR will be merged automatically after passing CI.

kibanamachine added a commit that referenced this pull request Oct 19, 2021
@kibanamachine @spong
[SecuritySolution][Detections] Enables Index Action and Connector for…
492823c 
… Detection Actions (#111813) (#115563)

## Summary

This PR enables the [Index Connector and Action](https://www.elastic.co/guide/en/kibana/master/index-action-type.html) for the detection engine, addressing #110550. 

<details><summary>Action type available in list:</summary>
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132774871-285ff387-eebe-44ee-9172-3143d0283b09.png" />
</p>
</details>

<details><summary>No Connector UI:</summary>
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132774935-e7e71061-e3b6-40ae-bc77-4adb76132de0.png" />
</p>
</details>


<details><summary>Create Connector UI:</summary>
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132774985-50980dcf-b022-4101-809a-a2d5a617a892.png" />
</p>
</details>

<details><summary>Connector Template:</summary>
<p>

``` json
{
    "rule_id": "{{context.rule.id}}",
    "rule_name": "{{context.rule.name}}",
    "alert_id": "{{alert.id}}",
    "context_message": "Threshold Results: {{#context.alerts}}{{#signal.threshold_result.terms}}{{value}}, {{/signal.threshold_result.terms}}{{/context.alerts}}"
}
```

<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132775311-3091ed5d-d7df-4dc1-89d6-c02a93c04779.png" />
</p>
</p>
</details>



<details><summary>Documents successfully written:</summary>
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132775457-128f0e62-0978-46a6-ae6e-bd951a1d6c96.png" />
</p>
</details>


---

If wanting to store the alert index timestamp, create index first with `timestamp` field and use `Define timefield for each document` option:


```
PUT .homemade-alerts-index
{
  "mappings" : {
    "dynamic": "true",
    "properties" : {
      "@timestamp": {
        "type": "date"
      }
    }
  }
}
```
<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132775842-ac6534a7-289d-426f-851b-f5f2c2bb5716.png" />
</p>

<p align="center">
  <img width="500" src="https://user-images.githubusercontent.com/2946766/132776120-2def172f-3bfa-4a7e-b041-155e817173ab.png" />
</p>




### Checklist

Delete any items that are not applicable to this PR.

- [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials (will need to update documentation if we proceed with this PR)

Co-authored-by: Garrett Spong <[email protected]>
@joepeeples joepeeples mentioned this pull request Oct 29, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@FrankHassanabad FrankHassanabad FrankHassanabad approved these changes

@xcrzx xcrzx Awaiting requested review from xcrzx

@banderror banderror Awaiting requested review from banderror

@vitaliidm vitaliidm Awaiting requested review from vitaliidm

Assignees

@spong spong

Labels
auto-backport Deprecated - use backport:version if exact versions are needed enhancement New value added to drive a business result Feature:Rule Actions Security Solution Detection Rule Actions area needs_docs release_note:enhancement Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.16.0 v8.0.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@spong @elasticmachine @FrankHassanabad @kibanamachine