Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[New Rule] Elastic Endpoint and External Alerts #42

Merged
merged 13 commits into from
Jul 9, 2020
Merged

[New Rule] Elastic Endpoint and External Alerts #42

merged 13 commits into from
Jul 9, 2020

Conversation

spong
Copy link
Member

@spong spong commented Jul 9, 2020
edited
Loading

Issues

Resolves #41

Summary

In support of elastic/kibana#65942 to create two new pre-packaged rules that will enable Elastic Endpoint Alerts and External Alerts to be used in investigations.

This also includes updates to schema.py for the new fields added to the rules_schema as part of elastic/kibana#70288. These new fields include:

export interface TheseAreTheNewFields {
  author: string[];
  building_block_type: string; // 'default'
  license: string;
  risk_score_mapping: Array<
    {
      field: string;
      operator: string; // 'equals'
      value: string;
    }
  >;
  rule_name_override: string;
  severity_mapping: Array<
    {
      field: string;
      operator: string; // 'equals'
      value: string;
      severity: string; // 'low' | 'medium' | 'high' | 'critical'
    }
  >;
  timestamp_override: string;
}

Note: risk_score_mapping and severity_mapping are subject to change depending on the desired implementation.

Contributor checklist

spong
spong commented Jul 9, 2020
View reviewed changes
detection_rules/schema.py Outdated Show resolved Hide resolved
spong
spong commented Jul 9, 2020
View reviewed changes
rules/cross-platform/external_alerts.toml Outdated
rule_name_override = "message"
severity = "medium"
tags = ["Elastic"]
timestamp_override = "event.ingested"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we want to override the timestamp here since event.ingested might not be filled in for most external alerts?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when a timestamp override is defined and missing, does it default back to @timestamp?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, will need to add to signal metadata so the user knows this happened.

rw-access
rw-access reviewed Jul 9, 2020
View reviewed changes
detection_rules/schema.py Outdated Show resolved Hide resolved
rw-access
rw-access reviewed Jul 9, 2020
View reviewed changes
detection_rules/schema.py Outdated Show resolved Hide resolved
@rw-access
Copy link
Contributor

For the folder layout, I think we can rename the endpoint folder to promotions and put all promotion rules in there. Endgame, Endpoint, External Alerts, etc.

spong
spong commented Jul 9, 2020
View reviewed changes
rules/cross-platform/external_alerts.toml Outdated
investigating external alerts in the app.
"""
language = "kuery"
license = "Elastic License"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add max_signals = unbounded (and support for unbounded 😉 )

spong
spong commented Jul 9, 2020
View reviewed changes
detection_rules/schema.py Outdated Show resolved Hide resolved
spong and others added 4 commits July 9, 2020 12:59
@spong @rw-access
Apply suggestions from code review
c607703 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
@spong @brokensound77
Update rules/cross-platform/external_alerts.toml
8da7262 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
@spong
Last fixes from review
316d96b
@spong
Fixing test for unrequired default
c17ea37
brokensound77
brokensound77 approved these changes Jul 9, 2020
View reviewed changes
Copy link
Contributor

@brokensound77 brokensound77 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@brokensound77 brokensound77 added Rule: New Proposal for new rule v7.9.0 labels Jul 9, 2020
rw-access
rw-access approved these changes Jul 9, 2020
View reviewed changes
Copy link
Contributor

@rw-access rw-access left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM if we can make logs-* more precise

spong
spong commented Jul 9, 2020
View reviewed changes
rules/promotions/elastic_endpoint.toml


[[rule.risk_score_mapping]]
field = "event.risk_score"
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may want to use event.risk_score_norm here, but I'm not quite sure the endpoint is populate that field as well. Will verify during testing.

@spong
Copy link
Member Author

spong commented Jul 9, 2020

LGTM if we can make logs-* more precise

I've asked internally for what we could refine this further to. Will leave the comment above unresolved for reference/tracking.

@rw-access rw-access merged commit c28795c into elastic:main Jul 9, 2020
@spong spong deleted the create-promotion-rules branch July 9, 2020 21:26
@spong spong mentioned this pull request Jul 9, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rw-access rw-access rw-access approved these changes

@brokensound77 brokensound77 brokensound77 approved these changes

Assignees
No one assigned
Labels
Rule: New Proposal for new rule v7.9.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[New Rule] Elastic Endpoint and External Alerts
3 participants
@spong @rw-access @brokensound77