-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RAC][Security Solution] Register Security Detection Rules with Rule Registry #96015
Conversation
After playing around in here, I'd suggest a couple of new rule type factories: |
d47bc97
to
1ab31aa
Compare
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
x-pack/plugins/apm/public/components/alerting/register_apm_alerts.ts
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unsure why @elastic/uptime was pinged, but I have built this locally and all appears well with our products, and none of the files in the diff are owned by my team.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍🏻 from me once the APM change is reverted.
...ns/security_solution/server/lib/detection_engine/signals/threshold/find_threshold_signals.ts
Show resolved
Hide resolved
…DEFAULT_ALERT_INDEX on plugin start
…uery alerts as data index if configured
💚 Build SucceededMetrics [docs]Public APIs missing comments
Async chunks
Page load bundle
Unknown metric groupsAPI count
References to deprecated APIs
History
To update your PR or re-run it, just comment with: |
💔 Backport failed
To backport manually run: |
…Registry (elastic#96015) ## Summary This PR starts the migration of the Security Solution rules to use the rule-registry introduced in elastic#95903. This is a pathfinding effort in porting over the existing Security Solution rules, and may include some temporary reference rules for testing out different paradigms as we move the rules over. See elastic#95735 for details Enable via the following feature flags in your `kibana.dev.yml`: ``` # Security Solution Rules on Rule Registry xpack.ruleRegistry.index: '.kibana-[USERNAME]-alerts' # Only necessary to scope from other devs testing, if not specified defaults to `.alerts-security-solution` xpack.securitySolution.enableExperimental: ['ruleRegistryEnabled'] ``` > Note: if setting a custom `xpack.ruleRegistry.index`, for the time being you must also update the [DEFAULT_ALERTS_INDEX](https://github.com/elastic/kibana/blob/9e213fb7a5a0337591a50a0567924ebe950b9791/x-pack/plugins/security_solution/common/constants.ts#L28) in order for the UI to display alerts within the alerts table. --- Three reference rule types have been added (`query`, `eql`, `threshold`), along with scripts for creating them located in: ``` x-pack/plugins/security_solution/server/lib/detection_engine/reference_rules/scripts/ ``` Main Detection page TGrid queries have been short-circuited to query `.alerts-security-solution*` for displaying alerts from the new alerts as data indices. To test, checkout, enable the above feature flag(s), and run one of the scripts from the above directory, e.g. `./create_reference_rule_query.sh` (ensure your ENV vars as set! :) Alerts as data within the main Detection Page 🎉 <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/119911768-39cfba00-bf17-11eb-8996-63c0b813fdcc.png" /> </p> cc @madirey @dgieselaar @pmuellr @yctercero @dhurley14 @marshallmain # Conflicts: # x-pack/plugins/security_solution/server/plugin.ts
* master: (77 commits) [RAC][Security Solution] Register Security Detection Rules with Rule Registry (elastic#96015) [Enterprise Search] Log warning for Kibana/EntSearch version mismatches (elastic#100809) updating the saved objects test to include more saved object types (elastic#100828) [ML] Fix categorization job view examples link when datafeed uses multiple indices (elastic#100789) Fixing ES archive mapping failure (elastic#100835) Fix bug with Observability > APM header navigation (elastic#100845) [Security Solution][Endpoint] Add event filters summary card to the fleet endpoint tab (elastic#100668) [Actions] Taking space id into account when creating email footer link (elastic#100734) Ensure comments on parameters in arrow functions are captured in the docs and ci metrics. (elastic#100823) [Security Solution] Improve find rule and find rule status route performance (elastic#99678) [DOCS] Adds video to introduction (elastic#100906) [Fleet] Improve combo box for fleet settings (elastic#100603) [Security Solution][Endpoint] Endpoint generator and data loader support for Host Isolation (elastic#100813) [DOCS] Adds Lens video (elastic#100898) [TSVB] [Table tab] Fix "Math" aggregation (elastic#100765) chore(NA): moving @kbn/io-ts-utils into bazel (elastic#100810) [Alerting] Adding feature flag for enabling/disabling rule import and export (elastic#100718) [TSVB] Fix Upgrading from 7.12.1 to 7.13.0 breaks TSVB (elastic#100864) [Lens] Adds dynamic table cell coloring (elastic#95217) [Security Solution][Endpoint] Do not display searchbar in security-trusted apps if there are no items (elastic#100853) ...
…Registry (#96015) (#100940) ## Summary This PR starts the migration of the Security Solution rules to use the rule-registry introduced in #95903. This is a pathfinding effort in porting over the existing Security Solution rules, and may include some temporary reference rules for testing out different paradigms as we move the rules over. See #95735 for details Enable via the following feature flags in your `kibana.dev.yml`: ``` # Security Solution Rules on Rule Registry xpack.ruleRegistry.index: '.kibana-[USERNAME]-alerts' # Only necessary to scope from other devs testing, if not specified defaults to `.alerts-security-solution` xpack.securitySolution.enableExperimental: ['ruleRegistryEnabled'] ``` > Note: if setting a custom `xpack.ruleRegistry.index`, for the time being you must also update the [DEFAULT_ALERTS_INDEX](https://github.com/elastic/kibana/blob/9e213fb7a5a0337591a50a0567924ebe950b9791/x-pack/plugins/security_solution/common/constants.ts#L28) in order for the UI to display alerts within the alerts table. --- Three reference rule types have been added (`query`, `eql`, `threshold`), along with scripts for creating them located in: ``` x-pack/plugins/security_solution/server/lib/detection_engine/reference_rules/scripts/ ``` Main Detection page TGrid queries have been short-circuited to query `.alerts-security-solution*` for displaying alerts from the new alerts as data indices. To test, checkout, enable the above feature flag(s), and run one of the scripts from the above directory, e.g. `./create_reference_rule_query.sh` (ensure your ENV vars as set! :) Alerts as data within the main Detection Page 🎉 <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/119911768-39cfba00-bf17-11eb-8996-63c0b813fdcc.png" /> </p> cc @madirey @dgieselaar @pmuellr @yctercero @dhurley14 @marshallmain # Conflicts: # x-pack/plugins/security_solution/server/plugin.ts
Summary
This PR starts the migration of the Security Solution rules to use the rule-registry introduced in #95903. This is a pathfinding effort in porting over the existing Security Solution rules, and may include some temporary reference rules for testing out different paradigms as we move the rules over. See #95735 for details
Enable via the following feature flags in your
kibana.dev.yml
:Three reference rule types have been added (
query
,eql
,threshold
), along with scripts for creating them located in:Main Detection page TGrid queries have been short-circuited to query
.alerts-security-solution*
for displaying alerts from the new alerts as data indices.To test, checkout, enable the above feature flag(s), and run one of the scripts from the above directory, e.g.
./create_reference_rule_query.sh
(ensure your ENV vars as set! :)Alerts as data within the main Detection Page 🎉
cc @madirey @dgieselaar @pmuellr @yctercero @dhurley14 @marshallmain