
adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes #8

Merged
merged 1 commit into from
Apr 29, 2021

Conversation

dhurley14
Collaborator

@dhurley14 dhurley14 commented Apr 28, 2021

adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes

Summary

Pull down this branch and run ES locally using the following steps..

Running ES locally

  1. Edit gradle/run.gradle and add the setting 'xpack.security.authc.api_key.enabled', 'true' after line 24
  2. `./gradlew run` # this runs with a trial license
  3. Execute the curl script below to post the kibana_elastic user

```sh
curl -u elastic:password -X POST "http://127.0.0.1:9200/_security/user/kibana_elastic?pretty" -H 'Content-Type: application/json' -d '{"password":"changeme","roles":["superuser"],"full_name":"kibana","email":"[email protected]"}'
```

  4. Set kibana.dev.yml to use kibana_elastic as the user

```yaml
elasticsearch:
  username: 'kibana_elastic'
  password: 'changeme'
  hosts: 'http://127.0.0.1:9200'
```

Start up kibana

You should now be able to create a rule which generates alerts and then "find" those alerts (using the kibana system user) using the scripts located in x-pack/plugins/rule_registry/server/scripts/get_security_solution_alert.sh
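As an added example (not code from this PR, Kibana or the rule registry), the TypeScript below sketches the authorization model the PR title describes: every alert document carries an `owner` field naming the feature that wrote it, and a user's per-feature alert privilege (all, read or none, the levels the later commits expose in the feature privileges UI) decides which owners a get or update may reach. All type and function names are hypothetical, and the privilege map and alert documents are constructed sample data.

```typescript
// Added illustration of owner-scoped alert authorization; not Kibana code.
// All names are hypothetical.

type AlertPrivilege = 'all' | 'read' | 'none';
type Operation = 'get' | 'update';
type UserAlertPrivileges = Record<string, AlertPrivilege>;

interface AlertDoc {
  _id: string;
  owner?: string; // absent on documents written before the field was mapped
  message: string;
}

// Privilege levels that satisfy each operation.
const SUFFICIENT: Record<Operation, readonly AlertPrivilege[]> = {
  get: ['read', 'all'],
  update: ['all'],
};

// Owners (features) the user may perform `op` on, sorted for stable output.
function authorizedOwners(privs: UserAlertPrivileges, op: Operation): string[] {
  return Object.entries(privs)
    .filter(([, level]) => SUFFICIENT[op].includes(level))
    .map(([owner]) => owner)
    .sort();
}

// Query clause to AND into any alerts search. A null result means "no
// authorized owner at all": the caller must skip the query entirely rather
// than fall back to an unfiltered search.
function buildOwnerFilter(
  privs: UserAlertPrivileges,
  op: Operation
): { terms: { owner: string[] } } | null {
  const owners = authorizedOwners(privs, op);
  return owners.length === 0 ? null : { terms: { owner: owners } };
}

// Server-side re-check of documents before they are returned. A document
// without an owner can never be authorized (deny by default).
function authorizeDocs(
  docs: AlertDoc[],
  privs: UserAlertPrivileges,
  op: Operation
): AlertDoc[] {
  const allowed = new Set(authorizedOwners(privs, op));
  return docs.filter((d) => d.owner !== undefined && allowed.has(d.owner));
}

// Single-document get: the fetched document's owner is checked before the
// document is handed back; an unauthorized or ownerless document is an error.
function authorizeGet(doc: AlertDoc, privs: UserAlertPrivileges): AlertDoc {
  if (authorizeDocs([doc], privs, 'get').length === 0) {
    throw new Error(`unauthorized to get alert ${doc._id}`);
  }
  return doc;
}

// Constructed sample data: full siem access, read-only apm access, no uptime access.
const SAMPLE_PRIVS: UserAlertPrivileges = { siem: 'all', apm: 'read', uptime: 'none' };
const SAMPLE_ALERTS: AlertDoc[] = [
  { _id: 'a1', owner: 'siem', message: 'suspicious process' },
  { _id: 'a2', owner: 'apm', message: 'latency threshold' },
  { _id: 'a3', owner: 'uptime', message: 'monitor down' },
  { _id: 'a4', message: 'legacy alert without owner' },
];
```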

…for security solution, need to work through rule registry changes
@dhurley14 dhurley14 changed the title adding alerts actions to security plugin adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes Apr 28, 2021
Owner

@yctercero yctercero left a comment


LGTM!

@dhurley14 dhurley14 marked this pull request as ready for review April 29, 2021 13:29
@dhurley14 dhurley14 merged commit f59c33c into yctercero:rac_rbac_poc Apr 29, 2021
@dhurley14 dhurley14 deleted the rac-create-owners branch April 29, 2021 13:29
dhurley14 added a commit that referenced this pull request Apr 29, 2021
…thz get for security solution, need to work through rule registry changes (#8)"

This reverts commit f59c33c.
yctercero pushed a commit that referenced this pull request May 5, 2021
…for security solution, need to work through rule registry changes (#8)
dhurley14 added a commit that referenced this pull request May 12, 2021
…for security solution, need to work through rule registry changes (#8)
yctercero added a commit that referenced this pull request Jun 21, 2021
WIP - trying to fix integration tests, broken authz for observer user / role

updates authz feature builder to what ying had before we messed it up in our branch

fixes integration tests

add rac api access to apm

adds getIndex functionality which requires the asset name to be passed in, same style as in the rule registry data client, adds update integration tests

fix small merge conflict and update shell script

fix merge conflict in alerting test file

fix most type errors

fix the rest of the type failures

fix integration tests

fix integration tests

fix type error with feature registration in apm

fix integration tests in apm and security solution

fix type checker

fix jest tests for apm

remove console.error statements for eslint

fix type check

update security solution jest tests

cleaning up PR and adding basic unit tests

still need to clean up types in tests and update one test file

fixes snapshot for signals template

fix tests

fix type check failures

update cypress test

undo changes in alert authz class, updates alert privilege in apm feature to 'read', utilizes the 'rule' object available in executor params over querying for the rule SO directly

remove verbose logging from detection api integration tests

fix type

fix jest tests, adds missing mocked rule object to alert executor params

[RAC] [RBAC] adds function to get alerts-as-data index name (#6)

* WIP - test script and route in rule registry to pull index name. I need to test out adding this route within the APM and sec sol plugins specifically and see if they spit back the same .alerts index but with the appropriate asset name despite not providing one.

WIP - DO NOT DELETE THIS CODE

minor cleanup

updates client to require passing in index name, which is now available through the alerts as data client function getAlertsIndex

fix types

* remove outdated comment

update README, adds integration test (skipped) for testing authz with search strategy (#8)

* WIP

* update README, adds integration test (skipped) for testing authz with search strategy

* fix rebase issues

* adds typedoc docs

* adds SKIPPED integration test for timeline search strategy to be unskipped once authorization is added to search strategy

* removes unused references to the rule data client within the rule registry

squashed commit (#11)

* clean up commented out code, update PR per initial comments

* introduce index param to get route again, allowing user to specify index to search

* updating feature privileges UI to allow user to have all, read, none on alerts

Co-authored-by: Yara Tercero <[email protected]>
yctercero pushed a commit that referenced this pull request Jun 22, 2021
WIP - trying to fix integration tests, broken authz for observer user / role

update tests

WIP - updated shell scripts

fixes scripts

fix update route indexName -> index

Merge pull request #12 from yctercero/rbac_update_tests

Updates tests that were previously failing and addresses some feedback.
yctercero pushed a commit that referenced this pull request Jun 24, 2021
WIP - trying to fix integration tests, broken authz for observer user / role
yctercero pushed a commit that referenced this pull request Jun 29, 2021
WIP - trying to fix integration tests, broken authz for observer user / role
yctercero pushed a commit that referenced this pull request Jun 30, 2021
WIP - trying to fix integration tests, broken authz for observer user / role
yctercero pushed a commit that referenced this pull request Jul 5, 2021
WIP - trying to fix integration tests, broken authz for observer user / role
yctercero pushed a commit that referenced this pull request Sep 2, 2024
fixes [#8](elastic/observability-accessibility#8)
fixes [#7](elastic/observability-accessibility#7)

## Summary

Fixes APM breadcrumbs on serverless

| Serverless | Stateful |
|---|---|
| (screenshots of the APM breadcrumbs on serverless; images not included) | (screenshots of the APM breadcrumbs on stateful; images not included) |


### How to test
#### Serverless
- Start a local ES serverless instance: `yarn es serverless --projectType=oblt --ssl -k/--insecure`
- Start a local Kibana serverless instance: `yarn start --serverless=oblt --no-ssl`
- Run some synthtrace scenarios:
  - `NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/synthtrace mobile.ts --live --target=https://elastic_serverless:[email protected]:9200 --kibana=http://elastic_serverless:[email protected]:5601`
  - `NODE_TLS_REJECT_UNAUTHORIZED=0 node scripts/synthtrace service_map.ts --live --target=https://elastic_serverless:[email protected]:9200 --kibana=http://elastic_serverless:[email protected]:5601`
- Navigate to Applications and click through the links

#### Stateful
- Start a local ES and Kibana instance
- Run some synthtrace scenarios:
  - `node scripts/synthtrace mobile.ts --live`
  - `node scripts/synthtrace service_map.ts --live`
- Navigate to Applications and click through the links

---------

Co-authored-by: kibanamachine <[email protected]>