[RAC][Security Solution] Register Security Detection Rules with Rule Registry #96015

Merged: 63 commits, May 28, 2021

Conversation

@spong (Member) commented Apr 1, 2021

Summary

This PR starts the migration of the Security Solution rules to use the rule-registry introduced in #95903. This is a pathfinding effort in porting over the existing Security Solution rules, and may include some temporary reference rules for testing out different paradigms as we move the rules over. See #95735 for details

Enable via the following feature flags in your `kibana.dev.yml`:

```
# Security Solution Rules on Rule Registry
xpack.ruleRegistry.index: '.kibana-[USERNAME]-alerts' # Only necessary to scope from other devs testing, if not specified defaults to `.alerts-security-solution`
xpack.securitySolution.enableExperimental: ['ruleRegistryEnabled']
```

> Note: if setting a custom `xpack.ruleRegistry.index`, for the time being you must also update the [DEFAULT_ALERTS_INDEX](https://github.com/elastic/kibana/blob/9e213fb7a5a0337591a50a0567924ebe950b9791/x-pack/plugins/security_solution/common/constants.ts#L28) in order for the UI to display alerts within the alerts table.


Three reference rule types have been added (`query`, `eql`, `threshold`), along with scripts for creating them located in:

```
x-pack/plugins/security_solution/server/lib/detection_engine/reference_rules/scripts/
```

Main Detection page TGrid queries have been short-circuited to query `.alerts-security-solution*` for displaying alerts from the new alerts as data indices.

To test, checkout, enable the above feature flag(s), and run one of the scripts from the above directory, e.g. `./create_reference_rule_query.sh` (ensure your ENV vars are set! :)

Alerts as data within the main Detection Page 🎉

cc @madirey @dgieselaar @pmuellr @yctercero @dhurley14 @marshallmain

spong added the Theme: rac label Apr 1, 2021

@madirey (Contributor) commented Apr 1, 2021

After playing around in here, I'd suggest a couple of new rule type factories: EventLogRuleType (or PersistenceRuleType? ... which allows for writing multiple signals) and ThresholdRuleType (which encapsulates rule state to persist signals written on overlapping rule intervals so that dupes can be mitigated across buckets... this could mirror how dupe mitigation is performed for the DE threshold rules, except we'd store the state on the rule itself, rather than on the generated signals).
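madirey's suggestion above (a ThresholdRuleType that keeps dedupe state on the rule rather than on the generated signals) worked through as an added example; this is not code from this PR, the rule-registry, or the Security Solution detection engine. The event shape, the `runThresholdRule` signature, the `ThresholdRuleState` layout and the sample logon events are all assumptions made for illustration.

```typescript
// Added example (not code from the Kibana PR, the rule-registry or the detection engine):
// a minimal threshold rule that keeps dedupe state on the rule itself, so the same events
// are not signalled twice when consecutive runs use overlapping time windows.
// Type names, field names, the state shape and the sample events are all hypothetical.

interface ThresholdEvent {
  '@timestamp': string;   // ISO-8601 in UTC ("Z"), so plain string comparison orders correctly
  'host.name': string;
  'event.action': string;
}

interface ThresholdParams {
  field: keyof ThresholdEvent;  // bucket key, e.g. 'host.name'
  value: number;                // minimum hits in one bucket for a signal
}

interface TimeWindow { from: string; to: string }  // half-open [from, to)

// Persisted on the rule between runs: the newest event already covered by a signal, per bucket.
interface ThresholdRuleState { buckets: { [key: string]: { lastSeen: string } } }

interface ThresholdSignal { bucketKey: string; count: number; from: string; to: string }

function runThresholdRule(
  events: ThresholdEvent[],
  params: ThresholdParams,
  range: TimeWindow,
  state: ThresholdRuleState
): { signals: ThresholdSignal[]; state: ThresholdRuleState } {
  const groups: { [key: string]: ThresholdEvent[] } = {};
  for (const e of events) {
    const ts = e['@timestamp'];
    if (ts < range.from || ts >= range.to) continue;             // outside this run's window
    const key = String(e[params.field]);
    const prev = state.buckets[key];
    if (prev !== undefined && ts <= prev.lastSeen) continue;     // already counted by an earlier run
    (groups[key] = groups[key] || []).push(e);
  }

  const signals: ThresholdSignal[] = [];
  const nextState: ThresholdRuleState = { buckets: { ...state.buckets } };
  for (const key of Object.keys(groups)) {
    const hits = groups[key];
    if (hits.length < params.value) continue;
    let lastSeen = hits[0]['@timestamp'];
    for (const h of hits) if (h['@timestamp'] > lastSeen) lastSeen = h['@timestamp'];
    signals.push({ bucketKey: key, count: hits.length, from: range.from, to: range.to });
    nextState.buckets[key] = { lastSeen };   // advance the floor only for buckets that fired
  }
  return { signals, state: nextState };
}

// Constructed sample telemetry (not real data): failed logons on two hosts.
function failedLogon(host: string, ts: string): ThresholdEvent {
  return { '@timestamp': ts, 'host.name': host, 'event.action': 'logon-failed' };
}

const SAMPLE_EVENTS: ThresholdEvent[] = [
  failedLogon('web-01', '2021-05-28T10:01:00Z'),
  failedLogon('db-01', '2021-05-28T10:01:15Z'),
  failedLogon('web-01', '2021-05-28T10:02:00Z'),
  failedLogon('web-01', '2021-05-28T10:02:30Z'),
  failedLogon('db-01', '2021-05-28T10:02:45Z'),
  failedLogon('web-01', '2021-05-28T10:03:00Z'),
  failedLogon('web-01', '2021-05-28T10:03:30Z'),
  failedLogon('web-01', '2021-05-28T10:04:00Z'),
  // a second burst that only the next run should count
  failedLogon('web-01', '2021-05-28T10:06:00Z'),
  failedLogon('web-01', '2021-05-28T10:06:30Z'),
  failedLogon('web-01', '2021-05-28T10:07:00Z'),
  failedLogon('web-01', '2021-05-28T10:07:30Z'),
  failedLogon('web-01', '2021-05-28T10:08:00Z'),
];

const PARAMS: ThresholdParams = { field: 'host.name', value: 5 };

// Two consecutive runs with a 5-minute interval and a 10-minute lookback: the windows overlap.
const RUN1: TimeWindow = { from: '2021-05-28T09:55:00Z', to: '2021-05-28T10:05:00Z' };
const RUN2: TimeWindow = { from: '2021-05-28T10:00:00Z', to: '2021-05-28T10:10:00Z' };

// Run the rule twice with persisted state, then the second window again without state
// to show the duplicate signal that the state suppresses.
function demo() {
  const first = runThresholdRule(SAMPLE_EVENTS, PARAMS, RUN1, { buckets: {} });
  const second = runThresholdRule(SAMPLE_EVENTS, PARAMS, RUN2, first.state);
  const secondWithoutState = runThresholdRule(SAMPLE_EVENTS, PARAMS, RUN2, { buckets: {} });
  return { first, second, secondWithoutState };
}
```

Each run only counts a bucket's events newer than the `lastSeen` it persisted when that bucket last fired, so the second run reports the five-event burst between 10:06 and 10:08 rather than the eleven web-01 events its overlapping window contains, and a stateless second run reports all eleven. The floor is exclusive, so a late-arriving event carrying exactly the persisted timestamp is dropped; persisting an event id next to the timestamp would close that gap.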

spong mentioned this pull request Apr 1, 2021
spong force-pushed the reference-rule-playground branch 6 times, most recently from d47bc97 to 1ab31aa, April 9, 2021 16:10
spong changed the title from "[RAC] Reference Rule Playground" to "[RAC][Security Solution] Register Security Detection Rules with Rule Registry" Apr 29, 2021
spong added labels Apr 29, 2021: Feature:Event Correlation (EQL) Rule, Feature:Indicator Match Rule, Feature:ML Rule, Feature:Rule Value Lists, Feature:Threshold Rule, release_note:skip, Team: SecuritySolution, Team:Detections and Resp, v7.14.0, v8.0.0
spong marked this pull request as ready for review April 29, 2021 04:35
spong requested a review from a team as a code owner April 29, 2021 04:35
@elasticmachine (Contributor): Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine (Contributor): Pinging @elastic/security-detections-response (Team:Detections and Resp)

spong added 3 commits May 11, 2021 12:33 (unverified)
Unverified: This commit is not signed, but one or more authors require that any commit attributed to them is signed.
… reference rule type via rule-registry
@spong spong requested a review from a team May 14, 2021 14:31
@justinkambic (Contributor) left a comment

Unsure why @elastic/uptime was pinged, but I have built this locally and all appears well with our products, and none of the files in the diff are owned by my team.

LGTM

@spong spong removed the request for review from a team May 14, 2021 16:04
@smith (Contributor) left a comment

👍🏻 from me once the APM change is reverted.

Verified: This commit was signed with the committer’s verified signature. The key has expired. (spong Garrett Spong)
…e-playground
spong added 10 commits May 14, 2021 17:16 (all verified: signed with the committer’s verified signature, key since expired)
…DEFAULT_ALERT_INDEX on plugin start
…e-playground
…e-playground
…e-playground
…e-playground
…e-playground
…uery alerts as data index if configured
…e-playground
@kibanamachine (Contributor) commented

💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
| --- | --- | --- | --- |
| ruleRegistry | 41 | 43 | +2 |

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 6.9MB | 6.9MB | +3.5KB |

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 60.8KB | 61.1KB | +264.0B |

Unknown metric groups

API count

| id | before | after | diff |
| --- | --- | --- | --- |
| ruleRegistry | 41 | 43 | +2 |

References to deprecated APIs

| id | before | after | diff |
| --- | --- | --- | --- |
| canvas | 29 | 25 | -4 |
| crossClusterReplication | 8 | 6 | -2 |
| fleet | 22 | 20 | -2 |
| globalSearch | 4 | 2 | -2 |
| lens | 67 | 45 | -22 |
| lists | 239 | 236 | -3 |
| ml | 121 | 115 | -6 |
| monitoring | 109 | 56 | -53 |
| securitySolution | 342 | 346 | +4 |
| total | | | -90 |

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @madirey @spong

spong added the auto-backport label May 28, 2021
@spong spong merged commit 4c48993 into elastic:master May 28, 2021
@kibanamachine (Contributor) commented

💔 Backport failed

| Status | Branch | Result |
| --- | --- | --- |
| | 7.x | Commit could not be cherrypicked due to conflicts |

To backport manually run:
`node scripts/backport --pr 96015`

spong added a commit to spong/kibana that referenced this pull request May 28, 2021
Verified: This commit was signed with the committer’s verified signature. The key has expired. (spong Garrett Spong)
…Registry (elastic#96015)

(The commit message body repeats the PR summary above.)

# Conflicts:
#	x-pack/plugins/security_solution/server/plugin.ts
gmmorris added a commit to gmmorris/kibana that referenced this pull request May 28, 2021
* master: (77 commits)
  [RAC][Security Solution] Register Security Detection Rules with Rule Registry (elastic#96015)
  [Enterprise Search] Log warning for Kibana/EntSearch version mismatches (elastic#100809)
  updating the saved objects test to include more saved object types (elastic#100828)
  [ML] Fix categorization job view examples link when datafeed uses multiple indices (elastic#100789)
  Fixing ES archive mapping failure (elastic#100835)
  Fix bug with Observability > APM header navigation (elastic#100845)
  [Security Solution][Endpoint] Add event filters summary card to the fleet endpoint tab (elastic#100668)
  [Actions] Taking space id into account when creating email footer link (elastic#100734)
  Ensure comments on parameters in arrow functions are captured in the docs and ci metrics. (elastic#100823)
  [Security Solution] Improve find rule and find rule status route performance (elastic#99678)
  [DOCS] Adds video to introduction (elastic#100906)
  [Fleet] Improve combo box for fleet settings (elastic#100603)
  [Security Solution][Endpoint] Endpoint generator and data loader support for Host Isolation (elastic#100813)
  [DOCS] Adds Lens video (elastic#100898)
  [TSVB] [Table tab] Fix "Math" aggregation (elastic#100765)
  chore(NA): moving @kbn/io-ts-utils into bazel (elastic#100810)
  [Alerting] Adding feature flag for enabling/disabling rule import and export (elastic#100718)
  [TSVB] Fix Upgrading from 7.12.1 to 7.13.0 breaks TSVB (elastic#100864)
  [Lens] Adds dynamic table cell coloring (elastic#95217)
  [Security Solution][Endpoint] Do not display searchbar in security-trusted apps if there are no items (elastic#100853)
  ...
spong added a commit that referenced this pull request May 28, 2021
Verified: This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
…Registry (#96015) (#100940)

(The commit message body repeats the PR summary above.)

# Conflicts:
#	x-pack/plugins/security_solution/server/plugin.ts
@spong spong deleted the reference-rule-playground branch April 12, 2022 21:03
Labels: auto-backport, Feature:Event Correlation (EQL) Rule, Feature:Indicator Match Rule, Feature:ML Rule, Feature:Rule Value Lists, Feature:Threshold Rule, release_note:skip, Team:APM, Team:Detections and Resp, Team: SecuritySolution, Team:Uptime - DEPRECATED, Theme: rac, v7.14.0, v8.0.0

8 participants