Skip to content

Commit

Permalink
[SecuritySolution][SIEM Migrations] Rule migrations storage (elastic#…
Browse files Browse the repository at this point in the history
…197032)

## Summary

issue: elastic/security-team#10654

Implements the persistence layer for the rule migrations from other
vendors, as part of the SIEM Rule migrations effort.

### Changes

- Schemas created for `SiemRuleMigration` document entity, along with
`ElasticRule` and `OriginalRule`.

- New API `/internal/siem_migrations/rules` was created:
- `POST` -> Receives an array of (original) rules and stores them with
`status: pending` to be processed. Responds with the `migration_id` that
will be used to start the migration background task (implementation
details here: elastic/security-team#10850).
  - `GET` -> (to be implemented later)

- New `SiemMigrationsService` added to the `securitySolution` route
context, to encapsulate all operations related to SIEM migrations (We
start with _rule_ migrations, but there are more "kinds" of SIEM
migrations in the pipeline: _dashboards_, _saved queries_...). It
contains:

- `SiemRuleMigrationsService` to encapsulate all operations related to
SIEM rule migrations.
- `RuleMigrationsDataStream` class to manage the
`.kibana.siem-rule-migrations-<spaceId>` data stream operations using
`DataStreamSpacesAdapter`.
- It exposes a client with abstracted operations that are exposed to the
API routes:
- `create`: indexes an array of _SiemRuleMigration_ documents to the
data stream
- `search`: searches _SiemRuleMigration_ documents by specific terms.

> [!NOTE]
> Without `siemMigrationsEnabled` experimental flag the new API route
won't be registered, and the `SiemRuleMigrationsService` _setup_ won't
be called, so no index/component template will be installed to ES.

### Testing locally

Enable the flag
```
xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled']
```

<details>
  <summary>Example curl request</summary>

```
curl --location 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '[
    {
        "id": "f8c325ea-506e-4105-8ccf-da1492e90115",
        "vendor": "splunk",
        "title": "Linux Auditd Add User Account Type",
        "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.",
        "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *",
        "query_language":"spl",
        "mitre_attack_ids": [
            "T1136"
        ]
    },
    {
        "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90",
        "vendor": "splunk",
        "title": "Linux Auditd Change File Owner To Root",
        "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.",
        "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`",
        "query_language": "spl",
        "mitre_attack_ids": [
            "T1222"
        ]
    }
]'
```
</details>

The newly created documents can be retrieved using Kibana DevTools
console:
```
GET .kibana.siem-rule-migrations-default/_search
```

### Screenshots

![postman_screenshot](https://github.com/user-attachments/assets/9d3852d2-48ef-4955-b621-fdba6b249c65)

---------

Co-authored-by: kibanamachine <[email protected]>
(cherry picked from commit d7109d6)

# Conflicts:
#	x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts
#	x-pack/test/api_integration/services/security_solution_api.gen.ts
  • Loading branch information
semd committed Oct 24, 2024
1 parent 30822bf commit 1904203
Show file tree
Hide file tree
Showing 35 changed files with 1,293 additions and 8 deletions.
9 changes: 7 additions & 2 deletions .github/CODEOWNERS
Validating CODEOWNERS rules …
Original file line number Diff line number Diff line change
Expand Up @@ -1595,7 +1595,12 @@ x-pack/test/security_solution_api_integration/test_suites/sources @elastic/secur
/x-pack/test/security_solution_playwright @elastic/security-engineering-productivity
/x-pack/plugins/security_solution/scripts/run_cypress @MadameSheema @patrykkopycinski @maximpn @banderror

## Security Solution sub teams - Threat Hunting Investigations
## Security Solution sub teams - Threat Hunting

/x-pack/plugins/security_solution/server/lib/siem_migrations @elastic/security-threat-hunting
/x-pack/plugins/security_solution/common/siem_migrations @elastic/security-threat-hunting

## Security Solution Threat Hunting areas - Threat Hunting Investigations

/x-pack/plugins/security_solution/common/api/timeline @elastic/security-threat-hunting-investigations
/x-pack/plugins/security_solution/common/search_strategy/timeline @elastic/security-threat-hunting-investigations
Expand Down Expand Up @@ -1625,7 +1630,7 @@ x-pack/test/security_solution_cypress/cypress/tasks/expandable_flyout @elastic/

/x-pack/plugins/security_solution/server/lib/timeline @elastic/security-threat-hunting-investigations

## Security Solution sub teams - Threat Hunting Explore
## Security Solution Threat Hunting areas - Threat Hunting Explore
/x-pack/plugins/security_solution/common/api/tags @elastic/security-threat-hunting-explore
/x-pack/plugins/security_solution/common/search_strategy/security_solution/hosts @elastic/security-threat-hunting-explore
/x-pack/plugins/security_solution/common/search_strategy/security_solution/matrix_histogram @elastic/security-threat-hunting-explore
Expand Down
21 changes: 17 additions & 4 deletions packages/kbn-data-stream-adapter/src/field_maps/types.ts
Original file line number Diff line number Diff line change
Expand Up @@ -38,8 +38,9 @@ export interface EcsMetadata {
properties?: Record<string, { type: string }>;
}

export interface FieldMap {
[key: string]: {
export type FieldMap<T extends string = string> = Record<
T,
{
type: string;
required: boolean;
array?: boolean;
Expand All @@ -53,5 +54,17 @@ export interface FieldMap {
scaling_factor?: number;
dynamic?: boolean | 'strict';
properties?: Record<string, { type: string }>;
};
}
}
>;

// This utility type flattens all the keys of a schema object and its nested objects as a union type.
// Its purpose is to ensure that the FieldMap keys are always in sync with the schema object.
// It assumes all optional fields of the schema are required in the field map, they can always be omitted from the resulting type.
export type SchemaFieldMapKeys<
T extends Record<string, unknown>,
Key = keyof T
> = Key extends string
? NonNullable<T[Key]> extends Record<string, unknown>
? `${Key}` | `${Key}.${SchemaFieldMapKeys<NonNullable<T[Key]>>}`
: `${Key}`
: never;
Original file line number Diff line number Diff line change
Expand Up @@ -361,6 +361,11 @@ import type {
ResolveTimelineRequestQueryInput,
ResolveTimelineResponse,
} from './timeline/resolve_timeline/resolve_timeline_route.gen';
import type {
CreateRuleMigrationRequestBodyInput,
CreateRuleMigrationResponse,
GetRuleMigrationResponse,
} from '../siem_migrations/model/api/rules/rules_migration.gen';

export interface ClientOptions {
kbnClient: KbnClient;
Expand Down Expand Up @@ -647,6 +652,22 @@ Migrations are initiated per index. While the process is neither destructive nor
})
.catch(catchAxiosErrorFormatAndThrow);
}
/**
* Creates a new SIEM rules migration using the original vendor rules provided
*/
async createRuleMigration(props: CreateRuleMigrationProps) {
this.log.info(`${new Date().toISOString()} Calling API CreateRuleMigration`);
return this.kbnClient
.request<CreateRuleMigrationResponse>({
path: '/internal/siem_migrations/rules',
headers: {
[ELASTIC_HTTP_VERSION_HEADER]: '1',
},
method: 'POST',
body: props.body,
})
.catch(catchAxiosErrorFormatAndThrow);
}
async createTimelines(props: CreateTimelinesProps) {
this.log.info(`${new Date().toISOString()} Calling API CreateTimelines`);
return this.kbnClient
Expand Down Expand Up @@ -1373,6 +1394,21 @@ finalize it.
})
.catch(catchAxiosErrorFormatAndThrow);
}
/**
* Retrieves the rule migrations stored in the system
*/
async getRuleMigration() {
this.log.info(`${new Date().toISOString()} Calling API GetRuleMigration`);
return this.kbnClient
.request<GetRuleMigrationResponse>({
path: '/internal/siem_migrations/rules',
headers: {
[ELASTIC_HTTP_VERSION_HEADER]: '1',
},
method: 'GET',
})
.catch(catchAxiosErrorFormatAndThrow);
}
async getTimeline(props: GetTimelineProps) {
this.log.info(`${new Date().toISOString()} Calling API GetTimeline`);
return this.kbnClient
Expand Down Expand Up @@ -1992,6 +2028,9 @@ export interface CreateAssetCriticalityRecordProps {
export interface CreateRuleProps {
body: CreateRuleRequestBodyInput;
}
export interface CreateRuleMigrationProps {
body: CreateRuleMigrationRequestBodyInput;
}
export interface CreateTimelinesProps {
body: CreateTimelinesRequestBodyInput;
}
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -235,6 +235,11 @@ export const allowedExperimentalValues = Object.freeze({
* can be disabled if necessary in a given environment.
*/
entityStoreDisabled: false,

/**
* Enables the siem migrations feature
*/
siemMigrationsEnabled: false,
});

type ExperimentalConfigKeys = Array<keyof ExperimentalFeatures>;
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

export const SIEM_MIGRATIONS_PATH = '/internal/siem_migrations' as const;
export const SIEM_RULE_MIGRATIONS_PATH = `${SIEM_MIGRATIONS_PATH}/rules` as const;

export enum SiemMigrationsStatus {
PENDING = 'pending',
PROCESSING = 'processing',
FINISHED = 'finished',
ERROR = 'error',
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

/*
* NOTICE: Do not edit this file manually.
* This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
*
* info:
* title: Common SIEM Migrations Attributes
* version: not applicable
*/

import { z } from '@kbn/zod';

/**
* The GenAI connector id to use.
*/
export type ConnectorId = z.infer<typeof ConnectorId>;
export const ConnectorId = z.string();

/**
* The LangSmith options object.
*/
export type LangSmithOptions = z.infer<typeof LangSmithOptions>;
export const LangSmithOptions = z.object({
/**
* The project name.
*/
project_name: z.string(),
/**
* The API key to use for tracing.
*/
api_key: z.string(),
});
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
openapi: 3.0.3
info:
title: Common SIEM Migrations Attributes
version: 'not applicable'
paths: {}
components:
x-codegen-enabled: true
schemas:
ConnectorId:
type: string
description: The GenAI connector id to use.
LangSmithOptions:
type: object
description: The LangSmith options object.
required:
- project_name
- api_key
properties:
project_name:
type: string
description: The project name.
api_key:
type: string
description: The API key to use for tracing.
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/

/*
* NOTICE: Do not edit this file manually.
* This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
*
* info:
* title: SIEM Rules Migration API endpoint
* version: 1
*/

import { z } from '@kbn/zod';

import { OriginalRule, RuleMigration } from '../../rule_migration.gen';

export type CreateRuleMigrationRequestBody = z.infer<typeof CreateRuleMigrationRequestBody>;
export const CreateRuleMigrationRequestBody = z.array(OriginalRule);
export type CreateRuleMigrationRequestBodyInput = z.input<typeof CreateRuleMigrationRequestBody>;

export type CreateRuleMigrationResponse = z.infer<typeof CreateRuleMigrationResponse>;
export const CreateRuleMigrationResponse = z.object({
/**
* The migration id created.
*/
migration_id: z.string(),
});

export type GetRuleMigrationResponse = z.infer<typeof GetRuleMigrationResponse>;
export const GetRuleMigrationResponse = z.array(RuleMigration);
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
openapi: 3.0.3
info:
title: SIEM Rules Migration API endpoint
version: '1'
paths:
/internal/siem_migrations/rules:
post:
summary: Creates a new rule migration
operationId: CreateRuleMigration
x-codegen-enabled: true
description: Creates a new SIEM rules migration using the original vendor rules provided
tags:
- SIEM Migrations
- Rule Migrations
requestBody:
required: true
content:
application/json:
schema:
type: array
items:
$ref: '../../rule_migration.schema.yaml#/components/schemas/OriginalRule'
responses:
200:
description: Indicates migration have been created correctly.
content:
application/json:
schema:
type: object
required:
- migration_id
properties:
migration_id:
type: string
description: The migration id created.
get:
summary: Retrieves rule migrations
operationId: GetRuleMigration
x-codegen-enabled: true
description: Retrieves the rule migrations stored in the system
tags:
- SIEM Migrations
- Rule Migrations
responses:
200:
description: Indicates rule migrations have been retrieved correctly.
content:
application/json:
schema:
type: array
items:
$ref: '../../rule_migration.schema.yaml#/components/schemas/RuleMigration'
Loading

0 comments on commit 1904203

Please sign in to comment.