[SIEM][Detection Engine] Adds variable for testing rules with Kibana Spaces (#51509)

* Added space env that for spaces testing with rules

* updated docs

* Update x-pack/legacy/plugins/siem/server/lib/detection_engine/README.md

Co-Authored-By: Garrett Spong <spong@users.noreply.github.com>

x-pack/legacy/plugins/siem/server/lib/detection_engine/README.md

@@ -177,6 +177,17 @@ Every 5 minutes if you get positive hits you will see messages on info like so:
 server    log   [09:54:59.013] [info][plugins][siem] Total signals found from signal rule "id: a556065c-0656-4ba1-ad64-a77ca9d2013b", "ruleId: rule-1": 10000
 ```
 
+Signals are space aware and default to the "default" space for these scripts if you do not export
+the variable of SPACE_URL. For example, if you want to post rules to the space `test-space` you would
+set your SPACE_URL to be:
+
+```sh
+export SPACE_URL=/s/test-space
+```
+
+So that the scripts prepend a `/s/test-space` in front of all the APIs to correctly create, modify, delete, and update
+them from within that space.
+
 See the scripts folder and the tools for more command line fun.
 
 Add the `.siem-signals-${your user id}` to your advanced SIEM settings to see any signals

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/delete_signal_by_id.sh

@@ -13,4 +13,4 @@ set -e
 curl -s -k \
  -H 'kbn-xsrf: 123' \
  -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- -X DELETE ${KIBANA_URL}/api/detection_engine/rules?id="$1" | jq .
+ -X DELETE ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules?id="$1" | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/delete_signal_by_rule_id.sh

@@ -13,4 +13,4 @@ set -e
 curl -s -k \
  -H 'kbn-xsrf: 123' \
  -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- -X DELETE ${KIBANA_URL}/api/detection_engine/rules?rule_id="$1" | jq .
+ -X DELETE ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules?rule_id="$1" | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/find_saved_object.sh

@@ -18,5 +18,5 @@ TYPE=${1:-alert}
 # https://www.elastic.co/guide/en/kibana/master/saved-objects-api-find.html#saved-objects-api-find-request
 curl -s -k \
   -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
-  -X GET ${KIBANA_URL}/api/saved_objects/_find?type=$TYPE \
+  -X GET ${KIBANA_URL}${SPACE_URL}/api/saved_objects/_find?type=$TYPE \
   | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/find_signal_by_filter.sh

@@ -17,4 +17,4 @@ FILTER=${1:-'alert.attributes.enabled:%20true'}
 # Table of them for testing if needed: https://www.w3schools.com/tags/ref_urlencode.asp
 curl -s -k \
  -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- -X GET ${KIBANA_URL}/api/detection_engine/rules/_find?filter=$FILTER | jq .
+ -X GET ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules/_find?filter=$FILTER | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/find_signals.sh

@@ -12,4 +12,4 @@ set -e
 # Example: ./find_signals.sh
 curl -s -k \
  -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- -X GET ${KIBANA_URL}/api/detection_engine/rules/_find | jq .
+ -X GET ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules/_find | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/find_signals_sort.sh

@@ -15,5 +15,5 @@ ORDER=${2:-'asc'}
 # Example: ./find_signals_sort.sh enabled asc
 curl -s -k \
  -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- -X GET "${KIBANA_URL}/api/detection_engine/rules/_find?sort_field=$SORT&sort_order=$ORDER" \
+ -X GET "${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules/_find?sort_field=$SORT&sort_order=$ORDER" \
  | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/get_action_instances.sh

@@ -13,5 +13,5 @@ set -e
 # https://github.com/elastic/kibana/blob/master/x-pack/legacy/plugins/actions/README.md#get-apiaction_find-find-actions
 curl -s -k \
   -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
-  -X GET ${KIBANA_URL}/api/action/_find \
+  -X GET ${KIBANA_URL}${SPACE_URL}/api/action/_find \
   | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/get_action_types.sh

@@ -13,5 +13,5 @@ set -e
 # https://github.com/elastic/kibana/blob/master/x-pack/legacy/plugins/actions/README.md
 curl -s -k \
   -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
-  -X GET ${KIBANA_URL}/api/action/types \
+  -X GET ${KIBANA_URL}${SPACE_URL}/api/action/types \
   | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/get_alert_instances.sh

@@ -13,5 +13,5 @@ set -e
 # https://github.com/elastic/kibana/blob/master/x-pack/legacy/plugins/alerting/README.md#get-apialert_find-find-alerts
 curl -s -k \
   -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
-  -X GET ${KIBANA_URL}/api/alert/_find \
+  -X GET ${KIBANA_URL}${SPACE_URL}/api/alert/_find \
   | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/get_alert_types.sh

@@ -13,5 +13,5 @@ set -e
 # https://github.com/elastic/kibana/blob/master/x-pack/legacy/plugins/alerting/README.md#get-apialerttypes-list-alert-types
 curl -s -k \
   -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
-  -X GET ${KIBANA_URL}/api/alert/types \
+  -X GET ${KIBANA_URL}${SPACE_URL}/api/alert/types \
   | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/get_saved_objects.sh

@@ -14,5 +14,5 @@ set -e
 # https://www.elastic.co/guide/en/kibana/master/saved-objects-api-get.html
 curl -s -k \
   -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
-  -X GET ${KIBANA_URL}/api/saved_objects/$1/$2 \
+  -X GET ${KIBANA_URL}${SPACE_URL}/api/saved_objects/$1/$2 \
   | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/get_signal_by_id.sh

@@ -12,4 +12,4 @@ set -e
 # Example: ./get_signal_by_id.sh {rule_id}
 curl -s -k \
  -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- -X GET ${KIBANA_URL}/api/detection_engine/rules?id="$1" | jq .
+ -X GET ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules?id="$1" | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/get_signal_by_rule_id.sh

@@ -12,4 +12,4 @@ set -e
 # Example: ./get_signal_by_rule_id.sh {rule_id}
 curl -s -k \
  -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- -X GET ${KIBANA_URL}/api/detection_engine/rules?rule_id="$1" | jq .
+ -X GET ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules?rule_id="$1" | jq .

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/post_signal.sh

@@ -23,7 +23,7 @@ do {
   -H 'Content-Type: application/json' \
   -H 'kbn-xsrf: 123' \
   -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
-  -X POST ${KIBANA_URL}/api/detection_engine/rules \
+  -X POST ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules \
   -d "$POST" \
   | jq .;
 } &

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/post_x_signals.sh

@@ -20,7 +20,7 @@ do {
  -H 'Content-Type: application/json' \
  -H 'kbn-xsrf: 123' \
  -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
- -X POST ${KIBANA_URL}/api/detection_engine/rules \
+ -X POST ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules \
   --data "{
     \"rule_id\": \"${i}\",
     \"risk_score\": \"50\",

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/root_or_admin_saved_query_1.json

@@ -10,5 +10,5 @@
   "type": "saved_query",
   "from": "now-6m",
   "to": "now",
-  "saved_id": "Test Query From SIEM"
+  "saved_id": "test-saveid"
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/root_or_admin_saved_query_2.json

@@ -10,7 +10,7 @@
   "type": "saved_query",
   "from": "now-6m",
   "to": "now",
-  "saved_id": "Test Query From SIEM Two",
+  "saved_id": "test-saveid-2",
   "query": "user.name: root or user.name: admin",
   "language": "kuery"
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/signals/root_or_admin_saved_query_3.json

@@ -10,5 +10,5 @@
   "type": "saved_query",
   "from": "now-6m",
   "to": "now",
-  "saved_id": "Test Query From SIEM Three"
+  "saved_id": "test-saveid-3"
 }

x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/update_signal.sh

@@ -23,7 +23,7 @@ do {
   -H 'Content-Type: application/json' \
   -H 'kbn-xsrf: 123' \
   -u ${ELASTICSEARCH_USERNAME}:${ELASTICSEARCH_PASSWORD} \
-  -X PUT ${KIBANA_URL}/api/detection_engine/rules \
+  -X PUT ${KIBANA_URL}${SPACE_URL}/api/detection_engine/rules \
   -d "$POST" \
   | jq .;
 } &