Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SecuritySolution][SIEM Migrations] Rule migrations storage #197032

Merged
merged 17 commits into from
Oct 24, 2024

Conversation

semd
Copy link
Contributor

@semd semd commented Oct 21, 2024

Summary

issue: https://github.com/elastic/security-team/issues/10654?reload=1

Implements the persistence layer for the rule migrations from other vendors, as part of the SIEM Rule migrations effort.

Changes

  • Schemas created for SiemRuleMigration document entity, along with ElasticRule and OriginalRule.

  • New API /internal/siem_migrations/rules was created:

    • POST -> Receives an array of (original) rules and stores them with status: pending to be processed. Responds with the migration_id that will be used to start the migration background task (implementation details here: https://github.com/elastic/security-team/issues/10850).
    • GET -> (to be implemented later)
  • New SiemMigrationsService added to the securitySolution route context, to encapsulate all operations related to SIEM migrations (We start with rule migrations, but there are more "kinds" of SIEM migrations in the pipeline: dashboards, saved queries...). It contains:

    • SiemRuleMigrationsService to encapsulate all operations related to SIEM rule migrations.
      • RuleMigrationsDataStream class to manage the .kibana.siem-rule-migrations-<spaceId> data stream operations using DataStreamSpacesAdapter.
      • It exposes a client with abstracted operations that are exposed to the API routes:
        • create: indexes an array of SiemRuleMigration documents to the data stream
        • search: searches SiemRuleMigration documents by specific terms.

Note

Without siemMigrationsEnabled experimental flag the new API route won't be registered, and the SiemRuleMigrationsService setup won't be called, so no index/component template will be installed to ES.

Testing locally

Enable the flag

xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled']
Example curl request
curl --location 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '[
    {
        "id": "f8c325ea-506e-4105-8ccf-da1492e90115",
        "vendor": "splunk",
        "title": "Linux Auditd Add User Account Type",
        "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.",
        "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *",
        "query_language":"spl",
        "mitre_attack_ids": [
            "T1136"
        ]
    },
    {
        "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90",
        "vendor": "splunk",
        "title": "Linux Auditd Change File Owner To Root",
        "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.",
        "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`",
        "query_language": "spl",
        "mitre_attack_ids": [
            "T1222"
        ]
    }
]'

The newly created documents can be retrieved using Kibana DevTools console:

GET .kibana.siem-rule-migrations-default/_search

Screenshots

postman_screenshot

@semd semd added release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. 8.18 candidate labels Oct 21, 2024
@semd semd self-assigned this Oct 21, 2024
@semd semd added backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) v8.17.0 and removed backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) labels Oct 21, 2024
@semd semd changed the title [SecuritySolution][SIEM Migrations] Implement rule migration storage [SecuritySolution][SIEM Migrations] Rule migrations storage Oct 21, 2024
@semd semd added the Team:Threat Hunting Security Solution Threat Hunting Team label Oct 21, 2024
@semd semd marked this pull request as ready for review October 21, 2024 15:34
@semd semd requested review from a team as code owners October 21, 2024 15:34
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@semd semd added the backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) label Oct 21, 2024
Copy link
Contributor

@kapral18 kapral18 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 nits and LGTM :) Good job.

@semd semd enabled auto-merge (squash) October 23, 2024 16:00
Comment on lines 152 to 154
if (siemMigrationsEnabled) {
registerSiemMigrationsRoutes(router, logger);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: can we register conditionally inside the registerSiemMigrationsRoutes function itself? That way next time we need to remove the feature flag check, it won't trigger additional CODEOWNERS reviews.

@semd
Copy link
Contributor Author

semd commented Oct 24, 2024

@elasticmachine merge upstream

@semd semd requested a review from banderror October 24, 2024 08:17
@semd semd merged commit d7109d6 into elastic:main Oct 24, 2024
44 checks passed
@kibanamachine
Copy link
Contributor

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/11496951526

@elasticmachine
Copy link
Contributor

💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
securitySolution 117 118 +1

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id before after diff
securitySolution 32 33 +1

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id before after diff
securitySolution 87.6KB 87.6KB +25.0B
Unknown metric groups

API count

id before after diff
securitySolution 185 186 +1

History

cc @semd

@kibanamachine
Copy link
Contributor

💔 All backports failed

Status Branch Result
8.x Backport failed because of merge conflicts

Manual backport

To create the backport manually run:

node scripts/backport --pr 197032

Questions ?

Please refer to the Backport tool documentation

@semd
Copy link
Contributor Author

semd commented Oct 24, 2024

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

semd added a commit to semd/kibana that referenced this pull request Oct 24, 2024
…197032)

## Summary

issue: elastic/security-team#10654

Implements the persistence layer for the rule migrations from other
vendors, as part of the SIEM Rule migrations effort.

### Changes

- Schemas created for `SiemRuleMigration` document entity, along with
`ElasticRule` and `OriginalRule`.

- New API `/internal/siem_migrations/rules` was created:
- `POST` -> Receives an array of (original) rules and stores them with
`status: pending` to be processed. Responds with the `migration_id` that
will be used to start the migration background task (implementation
details here: elastic/security-team#10850).
  - `GET` -> (to be implemented later)

- New `SiemMigrationsService` added to the `securitySolution` route
context, to encapsulate all operations related to SIEM migrations (We
start with _rule_ migrations, but there are more "kinds" of SIEM
migrations in the pipeline: _dashboards_, _saved queries_...). It
contains:

- `SiemRuleMigrationsService` to encapsulate all operations related to
SIEM rule migrations.
- `RuleMigrationsDataStream` class to manage the
`.kibana.siem-rule-migrations-<spaceId>` data stream operations using
`DataStreamSpacesAdapter`.
- It exposes a client with abstracted operations that are exposed to the
API routes:
- `create`: indexes an array of _SiemRuleMigration_ documents to the
data stream
- `search`: searches _SiemRuleMigration_ documents by specific terms.

> [!NOTE]
> Without `siemMigrationsEnabled` experimental flag the new API route
won't be registered, and the `SiemRuleMigrationsService` _setup_ won't
be called, so no index/component template will be installed to ES.

### Testing locally

Enable the flag
```
xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled']
```

<details>
  <summary>Example curl request</summary>

```
curl --location 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '[
    {
        "id": "f8c325ea-506e-4105-8ccf-da1492e90115",
        "vendor": "splunk",
        "title": "Linux Auditd Add User Account Type",
        "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.",
        "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *",
        "query_language":"spl",
        "mitre_attack_ids": [
            "T1136"
        ]
    },
    {
        "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90",
        "vendor": "splunk",
        "title": "Linux Auditd Change File Owner To Root",
        "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.",
        "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`",
        "query_language": "spl",
        "mitre_attack_ids": [
            "T1222"
        ]
    }
]'
```
</details>

The newly created documents can be retrieved using Kibana DevTools
console:
```
GET .kibana.siem-rule-migrations-default/_search
```

### Screenshots

![postman_screenshot](https://github.com/user-attachments/assets/9d3852d2-48ef-4955-b621-fdba6b249c65)

---------

Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit d7109d6)

# Conflicts:
#	x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts
#	x-pack/test/api_integration/services/security_solution_api.gen.ts
semd added a commit that referenced this pull request Oct 24, 2024
…97032) (#197603)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[SecuritySolution][SIEM Migrations] Rule migrations storage
(#197032)](#197032)

<!--- Backport version: 8.9.8 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Sergi
Massaneda","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-10-24T09:56:08Z","message":"[SecuritySolution][SIEM
Migrations] Rule migrations storage (#197032)\n\n##
Summary\r\n\r\nissue:
elastic/security-team#10654
the persistence layer for the rule migrations from other\r\nvendors, as
part of the SIEM Rule migrations effort.\r\n\r\n### Changes\r\n\r\n-
Schemas created for `SiemRuleMigration` document entity, along
with\r\n`ElasticRule` and `OriginalRule`.\r\n\r\n- New API
`/internal/siem_migrations/rules` was created:\r\n- `POST` -> Receives
an array of (original) rules and stores them with\r\n`status: pending`
to be processed. Responds with the `migration_id` that\r\nwill be used
to start the migration background task (implementation\r\ndetails here:
https://github.com/elastic/security-team/issues/10850).\r\n - `GET` ->
(to be implemented later)\r\n\r\n- New `SiemMigrationsService` added to
the `securitySolution` route\r\ncontext, to encapsulate all operations
related to SIEM migrations (We\r\nstart with _rule_ migrations, but
there are more \"kinds\" of SIEM\r\nmigrations in the pipeline:
_dashboards_, _saved queries_...). It\r\ncontains:\r\n\r\n-
`SiemRuleMigrationsService` to encapsulate all operations related
to\r\nSIEM rule migrations.\r\n- `RuleMigrationsDataStream` class to
manage the\r\n`.kibana.siem-rule-migrations-<spaceId>` data stream
operations using\r\n`DataStreamSpacesAdapter`.\r\n- It exposes a client
with abstracted operations that are exposed to the\r\nAPI routes:\r\n-
`create`: indexes an array of _SiemRuleMigration_ documents to
the\r\ndata stream\r\n- `search`: searches _SiemRuleMigration_ documents
by specific terms.\r\n\r\n> [!NOTE] \r\n> Without
`siemMigrationsEnabled` experimental flag the new API route\r\nwon't be
registered, and the `SiemRuleMigrationsService` _setup_ won't\r\nbe
called, so no index/component template will be installed to
ES.\r\n\r\n### Testing locally\r\n\r\nEnable the
flag\r\n```\r\nxpack.securitySolution.enableExperimental:
['siemMigrationsEnabled']\r\n```\r\n\r\n<details>\r\n <summary>Example
curl request</summary>\r\n\r\n```\r\ncurl --location
'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules'
\\\r\n--header 'kbn-xsrf;' \\\r\n--header 'x-elastic-internal-origin:
security-solution' \\\r\n--header 'elastic-api-version: 1'
\\\r\n--header 'Content-Type: application/json' \\\r\n--data '[\r\n
{\r\n \"id\": \"f8c325ea-506e-4105-8ccf-da1492e90115\",\r\n \"vendor\":
\"splunk\",\r\n \"title\": \"Linux Auditd Add User Account Type\",\r\n
\"description\": \"The following analytic detects the suspicious add
user account type. This behavior is critical for a SOC to monitor
because it may indicate attempts to gain unauthorized access or maintain
control over a system. Such actions could be signs of malicious
activity. If confirmed, this could lead to serious consequences,
including a compromised system, unauthorized access to sensitive data,
or even a wider breach affecting the entire network. Detecting and
responding to these signs early is essential to prevent potential
security incidents.\",\r\n \"query\": \"sourcetype=\\\"linux:audit\\\"
type=ADD_USER \\n| rename hostname as dest \\n| stats count min(_time)
as firstTime max(_time) as lastTime by exe pid dest res UID type \\n|
`security_content_ctime(firstTime)` \\n|
`security_content_ctime(lastTime)`\\n| search *\",\r\n
\"query_language\":\"spl\",\r\n \"mitre_attack_ids\": [\r\n
\"T1136\"\r\n ]\r\n },\r\n {\r\n \"id\":
\"7b87c556-0ca4-47e0-b84c-6cd62a0a3e90\",\r\n \"vendor\":
\"splunk\",\r\n \"title\": \"Linux Auditd Change File Owner To
Root\",\r\n \"description\": \"The following analytic detects the use of
the '\\''chown'\\'' command to change a file owner to '\\''root'\\'' on
a Linux system. It leverages Linux Auditd telemetry, specifically
monitoring command-line executions and process details. This activity is
significant as it may indicate an attempt to escalate privileges by
adversaries, malware, or red teamers. If confirmed malicious, this
action could allow an attacker to gain root-level access, leading to
full control over the compromised host and potential persistence within
the environment.\",\r\n \"query\": \"`linux_auditd`
`linux_auditd_normalized_proctitle_process`\\r\\n| rename host as dest
\\r\\n| where LIKE (process_exec, \\\"%chown %root%\\\") \\r\\n| stats
count min(_time) as firstTime max(_time) as lastTime by process_exec
proctitle normalized_proctitle_delimiter dest \\r\\n|
`security_content_ctime(firstTime)` \\r\\n|
`security_content_ctime(lastTime)`\\r\\n|
`linux_auditd_change_file_owner_to_root_filter`\",\r\n
\"query_language\": \"spl\",\r\n \"mitre_attack_ids\": [\r\n
\"T1222\"\r\n ]\r\n }\r\n]'\r\n```\r\n</details>\r\n\r\nThe newly
created documents can be retrieved using Kibana
DevTools\r\nconsole:\r\n```\r\nGET
.kibana.siem-rule-migrations-default/_search\r\n```\r\n\r\n###
Screenshots\r\n\r\n\r\n![postman_screenshot](https://github.com/user-attachments/assets/9d3852d2-48ef-4955-b621-fdba6b249c65)\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"d7109d67810cedfce1ad2bf9e8fd826b20aee06b","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Threat
Hunting","Team: SecuritySolution","backport:prev-minor","8.18
candidate","v8.17.0"],"number":197032,"url":"https://github.com/elastic/kibana/pull/197032","mergeCommit":{"message":"[SecuritySolution][SIEM
Migrations] Rule migrations storage (#197032)\n\n##
Summary\r\n\r\nissue:
elastic/security-team#10654
the persistence layer for the rule migrations from other\r\nvendors, as
part of the SIEM Rule migrations effort.\r\n\r\n### Changes\r\n\r\n-
Schemas created for `SiemRuleMigration` document entity, along
with\r\n`ElasticRule` and `OriginalRule`.\r\n\r\n- New API
`/internal/siem_migrations/rules` was created:\r\n- `POST` -> Receives
an array of (original) rules and stores them with\r\n`status: pending`
to be processed. Responds with the `migration_id` that\r\nwill be used
to start the migration background task (implementation\r\ndetails here:
https://github.com/elastic/security-team/issues/10850).\r\n - `GET` ->
(to be implemented later)\r\n\r\n- New `SiemMigrationsService` added to
the `securitySolution` route\r\ncontext, to encapsulate all operations
related to SIEM migrations (We\r\nstart with _rule_ migrations, but
there are more \"kinds\" of SIEM\r\nmigrations in the pipeline:
_dashboards_, _saved queries_...). It\r\ncontains:\r\n\r\n-
`SiemRuleMigrationsService` to encapsulate all operations related
to\r\nSIEM rule migrations.\r\n- `RuleMigrationsDataStream` class to
manage the\r\n`.kibana.siem-rule-migrations-<spaceId>` data stream
operations using\r\n`DataStreamSpacesAdapter`.\r\n- It exposes a client
with abstracted operations that are exposed to the\r\nAPI routes:\r\n-
`create`: indexes an array of _SiemRuleMigration_ documents to
the\r\ndata stream\r\n- `search`: searches _SiemRuleMigration_ documents
by specific terms.\r\n\r\n> [!NOTE] \r\n> Without
`siemMigrationsEnabled` experimental flag the new API route\r\nwon't be
registered, and the `SiemRuleMigrationsService` _setup_ won't\r\nbe
called, so no index/component template will be installed to
ES.\r\n\r\n### Testing locally\r\n\r\nEnable the
flag\r\n```\r\nxpack.securitySolution.enableExperimental:
['siemMigrationsEnabled']\r\n```\r\n\r\n<details>\r\n <summary>Example
curl request</summary>\r\n\r\n```\r\ncurl --location
'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules'
\\\r\n--header 'kbn-xsrf;' \\\r\n--header 'x-elastic-internal-origin:
security-solution' \\\r\n--header 'elastic-api-version: 1'
\\\r\n--header 'Content-Type: application/json' \\\r\n--data '[\r\n
{\r\n \"id\": \"f8c325ea-506e-4105-8ccf-da1492e90115\",\r\n \"vendor\":
\"splunk\",\r\n \"title\": \"Linux Auditd Add User Account Type\",\r\n
\"description\": \"The following analytic detects the suspicious add
user account type. This behavior is critical for a SOC to monitor
because it may indicate attempts to gain unauthorized access or maintain
control over a system. Such actions could be signs of malicious
activity. If confirmed, this could lead to serious consequences,
including a compromised system, unauthorized access to sensitive data,
or even a wider breach affecting the entire network. Detecting and
responding to these signs early is essential to prevent potential
security incidents.\",\r\n \"query\": \"sourcetype=\\\"linux:audit\\\"
type=ADD_USER \\n| rename hostname as dest \\n| stats count min(_time)
as firstTime max(_time) as lastTime by exe pid dest res UID type \\n|
`security_content_ctime(firstTime)` \\n|
`security_content_ctime(lastTime)`\\n| search *\",\r\n
\"query_language\":\"spl\",\r\n \"mitre_attack_ids\": [\r\n
\"T1136\"\r\n ]\r\n },\r\n {\r\n \"id\":
\"7b87c556-0ca4-47e0-b84c-6cd62a0a3e90\",\r\n \"vendor\":
\"splunk\",\r\n \"title\": \"Linux Auditd Change File Owner To
Root\",\r\n \"description\": \"The following analytic detects the use of
the '\\''chown'\\'' command to change a file owner to '\\''root'\\'' on
a Linux system. It leverages Linux Auditd telemetry, specifically
monitoring command-line executions and process details. This activity is
significant as it may indicate an attempt to escalate privileges by
adversaries, malware, or red teamers. If confirmed malicious, this
action could allow an attacker to gain root-level access, leading to
full control over the compromised host and potential persistence within
the environment.\",\r\n \"query\": \"`linux_auditd`
`linux_auditd_normalized_proctitle_process`\\r\\n| rename host as dest
\\r\\n| where LIKE (process_exec, \\\"%chown %root%\\\") \\r\\n| stats
count min(_time) as firstTime max(_time) as lastTime by process_exec
proctitle normalized_proctitle_delimiter dest \\r\\n|
`security_content_ctime(firstTime)` \\r\\n|
`security_content_ctime(lastTime)`\\r\\n|
`linux_auditd_change_file_owner_to_root_filter`\",\r\n
\"query_language\": \"spl\",\r\n \"mitre_attack_ids\": [\r\n
\"T1222\"\r\n ]\r\n }\r\n]'\r\n```\r\n</details>\r\n\r\nThe newly
created documents can be retrieved using Kibana
DevTools\r\nconsole:\r\n```\r\nGET
.kibana.siem-rule-migrations-default/_search\r\n```\r\n\r\n###
Screenshots\r\n\r\n\r\n![postman_screenshot](https://github.com/user-attachments/assets/9d3852d2-48ef-4955-b621-fdba6b249c65)\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"d7109d67810cedfce1ad2bf9e8fd826b20aee06b"}},"sourceBranch":"main","suggestedTargetBranches":["8.x"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/197032","number":197032,"mergeCommit":{"message":"[SecuritySolution][SIEM
Migrations] Rule migrations storage (#197032)\n\n##
Summary\r\n\r\nissue:
elastic/security-team#10654
the persistence layer for the rule migrations from other\r\nvendors, as
part of the SIEM Rule migrations effort.\r\n\r\n### Changes\r\n\r\n-
Schemas created for `SiemRuleMigration` document entity, along
with\r\n`ElasticRule` and `OriginalRule`.\r\n\r\n- New API
`/internal/siem_migrations/rules` was created:\r\n- `POST` -> Receives
an array of (original) rules and stores them with\r\n`status: pending`
to be processed. Responds with the `migration_id` that\r\nwill be used
to start the migration background task (implementation\r\ndetails here:
https://github.com/elastic/security-team/issues/10850).\r\n - `GET` ->
(to be implemented later)\r\n\r\n- New `SiemMigrationsService` added to
the `securitySolution` route\r\ncontext, to encapsulate all operations
related to SIEM migrations (We\r\nstart with _rule_ migrations, but
there are more \"kinds\" of SIEM\r\nmigrations in the pipeline:
_dashboards_, _saved queries_...). It\r\ncontains:\r\n\r\n-
`SiemRuleMigrationsService` to encapsulate all operations related
to\r\nSIEM rule migrations.\r\n- `RuleMigrationsDataStream` class to
manage the\r\n`.kibana.siem-rule-migrations-<spaceId>` data stream
operations using\r\n`DataStreamSpacesAdapter`.\r\n- It exposes a client
with abstracted operations that are exposed to the\r\nAPI routes:\r\n-
`create`: indexes an array of _SiemRuleMigration_ documents to
the\r\ndata stream\r\n- `search`: searches _SiemRuleMigration_ documents
by specific terms.\r\n\r\n> [!NOTE] \r\n> Without
`siemMigrationsEnabled` experimental flag the new API route\r\nwon't be
registered, and the `SiemRuleMigrationsService` _setup_ won't\r\nbe
called, so no index/component template will be installed to
ES.\r\n\r\n### Testing locally\r\n\r\nEnable the
flag\r\n```\r\nxpack.securitySolution.enableExperimental:
['siemMigrationsEnabled']\r\n```\r\n\r\n<details>\r\n <summary>Example
curl request</summary>\r\n\r\n```\r\ncurl --location
'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules'
\\\r\n--header 'kbn-xsrf;' \\\r\n--header 'x-elastic-internal-origin:
security-solution' \\\r\n--header 'elastic-api-version: 1'
\\\r\n--header 'Content-Type: application/json' \\\r\n--data '[\r\n
{\r\n \"id\": \"f8c325ea-506e-4105-8ccf-da1492e90115\",\r\n \"vendor\":
\"splunk\",\r\n \"title\": \"Linux Auditd Add User Account Type\",\r\n
\"description\": \"The following analytic detects the suspicious add
user account type. This behavior is critical for a SOC to monitor
because it may indicate attempts to gain unauthorized access or maintain
control over a system. Such actions could be signs of malicious
activity. If confirmed, this could lead to serious consequences,
including a compromised system, unauthorized access to sensitive data,
or even a wider breach affecting the entire network. Detecting and
responding to these signs early is essential to prevent potential
security incidents.\",\r\n \"query\": \"sourcetype=\\\"linux:audit\\\"
type=ADD_USER \\n| rename hostname as dest \\n| stats count min(_time)
as firstTime max(_time) as lastTime by exe pid dest res UID type \\n|
`security_content_ctime(firstTime)` \\n|
`security_content_ctime(lastTime)`\\n| search *\",\r\n
\"query_language\":\"spl\",\r\n \"mitre_attack_ids\": [\r\n
\"T1136\"\r\n ]\r\n },\r\n {\r\n \"id\":
\"7b87c556-0ca4-47e0-b84c-6cd62a0a3e90\",\r\n \"vendor\":
\"splunk\",\r\n \"title\": \"Linux Auditd Change File Owner To
Root\",\r\n \"description\": \"The following analytic detects the use of
the '\\''chown'\\'' command to change a file owner to '\\''root'\\'' on
a Linux system. It leverages Linux Auditd telemetry, specifically
monitoring command-line executions and process details. This activity is
significant as it may indicate an attempt to escalate privileges by
adversaries, malware, or red teamers. If confirmed malicious, this
action could allow an attacker to gain root-level access, leading to
full control over the compromised host and potential persistence within
the environment.\",\r\n \"query\": \"`linux_auditd`
`linux_auditd_normalized_proctitle_process`\\r\\n| rename host as dest
\\r\\n| where LIKE (process_exec, \\\"%chown %root%\\\") \\r\\n| stats
count min(_time) as firstTime max(_time) as lastTime by process_exec
proctitle normalized_proctitle_delimiter dest \\r\\n|
`security_content_ctime(firstTime)` \\r\\n|
`security_content_ctime(lastTime)`\\r\\n|
`linux_auditd_change_file_owner_to_root_filter`\",\r\n
\"query_language\": \"spl\",\r\n \"mitre_attack_ids\": [\r\n
\"T1222\"\r\n ]\r\n }\r\n]'\r\n```\r\n</details>\r\n\r\nThe newly
created documents can be retrieved using Kibana
DevTools\r\nconsole:\r\n```\r\nGET
.kibana.siem-rule-migrations-default/_search\r\n```\r\n\r\n###
Screenshots\r\n\r\n\r\n![postman_screenshot](https://github.com/user-attachments/assets/9d3852d2-48ef-4955-b621-fdba6b249c65)\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"d7109d67810cedfce1ad2bf9e8fd826b20aee06b"}},{"branch":"8.x","label":"v8.17.0","labelRegex":"^v8.17.0$","isSourceBranch":false,"state":"NOT_CREATED"}]}]
BACKPORT-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
8.18 candidate backport:prev-minor Backport to (8.x) the previous minor version (i.e. one version back from main) release_note:skip Skip the PR/issue when compiling release notes Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Threat Hunting Security Solution Threat Hunting Team v8.17.0 v9.0.0
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants