Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SIEM][Detection Engine] REST API Additions #50514

Merged
merged 6 commits into from
Nov 14, 2019
Merged

[SIEM][Detection Engine] REST API Additions #50514

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
cf35573
* Added jq install instructions to README.md
FrankHassanabad Nov 13, 2019
b4c43a2
Added types and tests for the schema and the new types
FrankHassanabad Nov 13, 2019
b16e661
Removed TODO blocks to prevent linter issues
FrankHassanabad Nov 13, 2019
936e50b
Merge branch 'master' into api-updates
FrankHassanabad Nov 13, 2019
15e0336
PR comment fixes
FrankHassanabad Nov 13, 2019
d3b92f3
Fixed update handler that was incorrect now that types are correct
FrankHassanabad Nov 13, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions x-pack/legacy/plugins/siem/scripts/convert_saved_search_to_signals.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,6 +33,7 @@ const SEVERITY = 'low';
const TYPE = 'query';
const FROM = 'now-6m';
const TO = 'now';
const IMMUTABLE = true;
const INDEX = ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*'];

const walk = dir => {
Expand Down Expand Up @@ -119,6 +120,7 @@ async function main() {
const outputMessage = {
id: fileToWrite,
description: description || title,
immutable: IMMUTABLE,
index: INDEX,
interval: INTERVAL,
name: title,
Expand Down
23 changes: 23 additions & 0 deletions x-pack/legacy/plugins/siem/server/lib/detection_engine/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,14 @@ Since there is no UI yet and a lot of backend areas that are not created, you
should install the kbn-action and kbn-alert project from here:
https://github.com/pmuellr/kbn-action

The scripts rely on CURL and jq, ensure both of these are installed:

```sh
brew update
brew install curl
brew install jq
```

Open up your .zshrc/.bashrc and add these lines with the variables filled in:
```
export ELASTICSEARCH_USERNAME=${user}
Expand Down Expand Up @@ -127,3 +135,18 @@ created which should update once every 5 minutes at this point.

Also add the `.siem-signals-${your user id}` as a kibana index for Maps to be able to see the
signals

Optionally you can add these debug statements to your `kibana.dev.yml` to see more information when running the detection
engine

```sh
logging.verbose: true
logging.events:
{
log: ['siem', 'info', 'warning', 'error', 'fatal'],
request: ['info', 'warning', 'error', 'fatal'],
error: '*',
ops: __no-ops__,
}
Comment on lines +143 to +150
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for adding this -- has been very helpful in development! 🙂

```

15 changes: 15 additions & 0 deletions x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/create_signals.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,10 @@ export const updateIfIdExists = async ({
actionsClient,
description,
enabled,
falsePositives,
filter,
from,
immutable,
query,
language,
savedId,
Expand All @@ -28,6 +30,7 @@ export const updateIfIdExists = async ({
name,
severity,
size,
tags,
to,
type,
references,
Expand All @@ -38,8 +41,10 @@ export const updateIfIdExists = async ({
actionsClient,
description,
enabled,
falsePositives,
filter,
from,
immutable,
query,
language,
savedId,
Expand All @@ -51,6 +56,7 @@ export const updateIfIdExists = async ({
name,
severity,
size,
tags,
to,
type,
references,
Expand All @@ -70,19 +76,22 @@ export const createSignals = async ({
actionsClient,
description,
enabled,
falsePositives,
filter,
from,
query,
language,
savedId,
filters,
id,
immutable,
index,
interval,
maxSignals,
name,
severity,
size,
tags,
to,
type,
references,
Expand All @@ -93,19 +102,22 @@ export const createSignals = async ({
actionsClient,
description,
enabled,
falsePositives,
filter,
from,
query,
language,
savedId,
filters,
id,
immutable,
index,
interval,
maxSignals,
name,
severity,
size,
tags,
to,
type,
references,
Expand All @@ -132,14 +144,17 @@ export const createSignals = async ({
description,
id,
index,
falsePositives,
from,
filter,
immutable,
query,
language,
savedId,
filters,
maxSignals,
severity,
tags,
to,
type,
references,
Expand Down
10 changes: 3 additions & 7 deletions x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/signals_alert_type.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,16 +24,19 @@ export const signalsAlertType = ({ logger }: { logger: Logger }): SignalAlertTyp
validate: {
params: schema.object({
description: schema.string(),
falsePositives: schema.arrayOf(schema.string(), { defaultValue: [] }),
from: schema.string(),
filter: schema.nullable(schema.object({}, { allowUnknowns: true })),
id: schema.string(),
immutable: schema.boolean({ defaultValue: false }),
index: schema.arrayOf(schema.string()),
language: schema.nullable(schema.string()),
savedId: schema.nullable(schema.string()),
query: schema.nullable(schema.string()),
filters: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
maxSignals: schema.number({ defaultValue: 100 }),
severity: schema.string(),
tags: schema.arrayOf(schema.string(), { defaultValue: [] }),
to: schema.string(),
type: schema.string(),
references: schema.arrayOf(schema.string(), { defaultValue: [] }),
Expand Down Expand Up @@ -135,13 +138,6 @@ export const signalsAlertType = ({ logger }: { logger: Logger }): SignalAlertTyp
// handling/conditions
logger.error(`Error from signal rule "${id}", ${err.message}`);
}

// TODO: Schedule and fire any and all actions configured for the signals rule
// such as email/slack/etc... Note you will not be able to save in-memory state
// without calling this at least once but we are not using in-memory state at the moment.
// Schedule the default action which is nothing if it's a plain signal.
// const instance = services.alertInstanceFactory('siem-signals');
// instance.scheduleActions('default');
},
};
};
9 changes: 8 additions & 1 deletion x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,9 +24,11 @@ export type PartialFilter = Partial<esFilters.Filter>;
export interface SignalAlertParams {
description: string;
enabled: boolean;
falsePositives: string[];
filter: Record<string, {}> | undefined;
filters: PartialFilter[] | undefined;
from: string;
immutable: boolean;
index: string[];
interval: string;
id: string;
Expand All @@ -38,11 +40,16 @@ export interface SignalAlertParams {
savedId: string | undefined;
severity: string;
size: number | undefined;
tags: string[];
to: string;
type: 'filter' | 'query' | 'saved_query';
}

export type SignalAlertParamsRest = Omit<SignalAlertParams, 'maxSignals' | 'saved_id'> & {
export type SignalAlertParamsRest = Omit<
SignalAlertParams,
'falsePositives' | 'maxSignals' | 'saved_id'
> & {
false_positives: SignalAlertParams['falsePositives'];
saved_id: SignalAlertParams['savedId'];
max_signals: SignalAlertParams['maxSignals'];
};
Expand Down
6 changes: 6 additions & 0 deletions x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/update_signals.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,19 +45,22 @@ export const updateSignal = async ({
alertsClient,
actionsClient, // TODO: Use this whenever we add feature support for different action types
description,
falsePositives,
enabled,
query,
language,
savedId,
filters,
filter,
from,
immutable,
id,
index,
interval,
maxSignals,
name,
severity,
tags,
to,
type,
references,
Expand All @@ -78,15 +81,18 @@ export const updateSignal = async ({
},
{
description,
falsePositives,
filter,
from,
immutable,
query,
language,
savedId,
filters,
index,
maxSignals,
severity,
tags,
to,
type,
references,
Expand Down
7 changes: 7 additions & 0 deletions x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/create_signals_route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,8 +26,11 @@ export const createCreateSignalsRoute: Hapi.ServerRoute = {
const {
description,
enabled,
// eslint-disable-next-line @typescript-eslint/camelcase
false_positives: falsePositives,
filter,
from,
immutable,
query,
language,
// eslint-disable-next-line @typescript-eslint/camelcase
Expand All @@ -41,6 +44,7 @@ export const createCreateSignalsRoute: Hapi.ServerRoute = {
name,
severity,
size,
tags,
to,
type,
references,
Expand All @@ -58,8 +62,10 @@ export const createCreateSignalsRoute: Hapi.ServerRoute = {
actionsClient,
description,
enabled,
falsePositives,
filter,
from,
immutable,
query,
language,
savedId,
Expand All @@ -71,6 +77,7 @@ export const createCreateSignalsRoute: Hapi.ServerRoute = {
name,
severity,
size,
tags,
to,
type,
references,
Expand Down
Loading