[SecuritySolution][SIEM Migrations] Rule migrations storage #197032
Conversation
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
Pinging @elastic/security-solution (Team: SecuritySolution)
2 nits and LGTM :) Good job.
```ts
if (siemMigrationsEnabled) {
  registerSiemMigrationsRoutes(router, logger);
}
```
Nit: can we register conditionally inside the `registerSiemMigrationsRoutes` function itself? That way next time we need to remove the feature flag check, it won't trigger additional CODEOWNERS reviews.
@elasticmachine merge upstream

Starting backport for target branches: 8.x https://github.com/elastic/kibana/actions/runs/11496951526
💚 Build Succeeded
cc @semd

💔 All backports failed

Manual backport
To create the backport manually run:

Questions ? Please refer to the Backport tool documentation

💚 All backports created successfully

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ? Please refer to the Backport tool documentation
[SecuritySolution][SIEM Migrations] Rule migrations storage (#197032)

## Summary

issue: elastic/security-team#10654

Implements the persistence layer for the rule migrations from other vendors, as part of the SIEM Rule migrations effort.

### Changes

- Schemas created for `SiemRuleMigration` document entity, along with `ElasticRule` and `OriginalRule`.
- New API `/internal/siem_migrations/rules` was created:
  - `POST` -> Receives an array of (original) rules and stores them with `status: pending` to be processed. Responds with the `migration_id` that will be used to start the migration background task (implementation details here: elastic/security-team#10850).
  - `GET` -> (to be implemented later)
- New `SiemMigrationsService` added to the `securitySolution` route context, to encapsulate all operations related to SIEM migrations (We start with _rule_ migrations, but there are more "kinds" of SIEM migrations in the pipeline: _dashboards_, _saved queries_...). It contains:
  - `SiemRuleMigrationsService` to encapsulate all operations related to SIEM rule migrations.
    - `RuleMigrationsDataStream` class to manage the `.kibana.siem-rule-migrations-<spaceId>` data stream operations using `DataStreamSpacesAdapter`.
    - It exposes a client with abstracted operations that are exposed to the API routes:
      - `create`: indexes an array of _SiemRuleMigration_ documents to the data stream
      - `search`: searches _SiemRuleMigration_ documents by specific terms.

> [!NOTE]
> Without `siemMigrationsEnabled` experimental flag the new API route won't be registered, and the `SiemRuleMigrationsService` _setup_ won't be called, so no index/component template will be installed to ES.

### Testing locally

Enable the flag

```
xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled']
```

<details>
<summary>Example curl request</summary>

```
curl --location 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '[
  {
    "id": "f8c325ea-506e-4105-8ccf-da1492e90115",
    "vendor": "splunk",
    "title": "Linux Auditd Add User Account Type",
    "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.",
    "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *",
    "query_language": "spl",
    "mitre_attack_ids": [
      "T1136"
    ]
  },
  {
    "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90",
    "vendor": "splunk",
    "title": "Linux Auditd Change File Owner To Root",
    "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.",
    "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`",
    "query_language": "spl",
    "mitre_attack_ids": [
      "T1222"
    ]
  }
]'
```
</details>

The newly created documents can be retrieved using Kibana DevTools console:

```
GET .kibana.siem-rule-migrations-default/_search
```

### Screenshots

![postman_screenshot](https://github.com/user-attachments/assets/9d3852d2-48ef-4955-b621-fdba6b249c65)

---------

Co-authored-by: kibanamachine <[email protected]>

(cherry picked from commit d7109d6)

# Conflicts:
#	x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts
#	x-pack/test/api_integration/services/security_solution_api.gen.ts
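As an added example (not Kibana's code), the TypeScript below models the flow the description above lays out: validating a batch of `OriginalRule` objects from the `POST` body, wrapping them into `status: pending` documents that share the `migration_id` handed back to the caller, and building a `_bulk` body for the per-space `.kibana.siem-rule-migrations-<spaceId>` data stream. The stored-document fields other than `migration_id` and `status`, the validation rules, and the shortened sample rule are assumptions, not the PR's schema.

```typescript
// Added example, not Kibana code: models the request/document flow the PR describes.
// One vendor rule as accepted by POST /internal/siem_migrations/rules
// (field names taken from the curl example in the PR description).
export interface OriginalRule {
  id: string;
  vendor: string;
  title: string;
  description: string;
  query: string;
  query_language: string;
  mitre_attack_ids?: string[];
}

// Stored document shape; only `migration_id` and `status: pending` come from the
// PR description, the other field names are assumptions for this example.
export interface SiemRuleMigration {
  '@timestamp': string; // every document written to a data stream needs one
  migration_id: string;
  status: string; // 'pending' until the migration background task picks it up
  original_rule: OriginalRule;
}

const REQUIRED: Array<keyof OriginalRule> = ['id', 'vendor', 'title', 'description', 'query', 'query_language'];
const ATTACK_ID = /^T\d{4}(\.\d{3})?$/; // ATT&CK technique id, e.g. T1136 or T1055.001

// Validates one untrusted rule object from the request body; returns the problems found.
export function validateOriginalRule(input: unknown): string[] {
  if (typeof input !== 'object' || input === null || Array.isArray(input)) return ['rule must be a JSON object'];
  const rule = input as Record<string, unknown>;
  const problems: string[] = [];
  for (const field of REQUIRED) {
    const value = rule[field];
    if (typeof value !== 'string' || value.trim() === '') problems.push(`${field}: non-empty string required`);
  }
  const ids = rule.mitre_attack_ids;
  if (ids !== undefined) {
    const valid = Array.isArray(ids) && ids.every((t: unknown) => typeof t === 'string' && ATTACK_ID.test(t));
    if (!valid) problems.push('mitre_attack_ids: must be an array of ATT&CK technique ids');
  }
  return problems;
}

// Per-space data stream name used by the PR.
export function dataStreamName(spaceId: string): string {
  return `.kibana.siem-rule-migrations-${spaceId}`;
}

// Wraps a whole batch into pending documents under one migration_id; rejects the
// batch as a unit if any rule is invalid, so no half-stored migration is left behind.
export function createMigrationDocs(rules: unknown[], migrationId: string, now: Date = new Date()): SiemRuleMigration[] {
  const problems: string[] = [];
  rules.forEach((r, i) => validateOriginalRule(r).forEach((p) => problems.push(`rules[${i}] ${p}`)));
  if (problems.length > 0) throw new Error(`invalid request: ${problems.join('; ')}`);
  return (rules as OriginalRule[]).map((rule) => ({
    '@timestamp': now.toISOString(),
    migration_id: migrationId,
    status: 'pending',
    original_rule: rule,
  }));
}

// NDJSON body for the _bulk API. A data stream is append-only, so the action
// must be `create`; an `index` action would be rejected by Elasticsearch.
export function toBulkBody(stream: string, docs: SiemRuleMigration[]): string {
  return docs.map((d) => `${JSON.stringify({ create: { _index: stream } })}\n${JSON.stringify(d)}`).join('\n') + '\n';
}

// Constructed sample: the first rule of the PR's curl example with description and query shortened.
export const SAMPLE_RULE: OriginalRule = {
  id: 'f8c325ea-506e-4105-8ccf-da1492e90115',
  vendor: 'splunk',
  title: 'Linux Auditd Add User Account Type',
  description: 'Detects the suspicious add user account type via Linux Auditd telemetry.',
  query: 'sourcetype="linux:audit" type=ADD_USER | rename hostname as dest',
  query_language: 'spl',
  mitre_attack_ids: ['T1136'],
};
```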
[SecuritySolution][SIEM Migrations] Rule migrations storage (#197032) (#197603)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution][SIEM Migrations] Rule migrations storage (#197032)](#197032)

Source commit: d7109d67810cedfce1ad2bf9e8fd826b20aee06b by Sergi Massaneda, committed 2024-10-24T09:56:08Z (labels: release_note:skip, v9.0.0, Team:Threat Hunting, Team: SecuritySolution, backport:prev-minor, 8.18 candidate, v8.17.0).

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)