mirror of https://github.com/elastic/kibana.git synced 2025-04-24 09:48:58 -04:00

Your window into the Elastic Stack

dashboards elasticsearch hacktoberfest kibana metrics observability visualizations

Find a file

Sergi Massaneda cc66320e97 [SecuritySolution][SIEM migrations] Implement background task API (#197997 ) ## Summary It implements the background task to execute the rule migrations and the API to manage them. It also contains a basic implementation of the langGraph agent workflow that will perform the migration using generative AI. > [!NOTE] > This feature needs `siemMigrationsEnabled` experimental flag enabled to work. Otherwise, the new API routes won't be registered, and the `SiemRuleMigrationsService` _setup_ won't be called. So no migration task code can be reached, and no data stream/template will be installed to ES. ### The rule migration task implementation: - Retrieve a batch of N rule migration documents (50 rules initially, we may change that later) with `status: pending`. - Update those documents to `status: processing`. - Execute the migration for each of the N migrations in parallel. - If there is any error update the document with `status: error`. - For each rule migration that finishes we set the result to the storage, and also update `status: finished`. - When all the batch of rules is finished the task will check if there are still migration documents with `status: pending` if so it will process the next batch with a delay (10 seconds initially, we may change that later). - If the task is stopped (via API call or server shut-down), we do a bulk update for all the `status: processing` documents back to `status: pending`. ### Task API - `POST /internal/siem_migrations/rules` (implemented [here](https://github.com/elastic/security-team/issues/10654)) -> Creates the migration on the backend and stores the original rules. It returns the `migration_id` - `GET /internal/siem_migrations/rules/stats` -> Retrieves the stats for all the existing migrations, aggregated by `migration_id`. - `GET /internal/siem_migrations/rules/{migration_id}` -> Retrieves all the migration rule documents of a specific migration. - `PUT /internal/siem_migrations/rules/{migration_id}/start` -> Starts the background task for a specific migration. - `GET /internal/siem_migrations/rules/{migration_id}/stats` -> Retrieves the stats of a specific migration task. The UI will do polling to this endpoint. - `PUT /internal/siem_migrations/rules/{migration_id}/stop` -> Stops the execution of a specific migration running task. When a migration is stopped, the executing task is aborted and all the rules in the batch being processed are moved back to pending, all finished rules will remain stored. When the Kibana server shuts down all the running migrations are stopped automatically. To resume the migration we can call `{migration_id}/start` again and it will take it from the same rules batch it was left. #### Stats (UI polling) response example: ``` { "status": "running", "rules": { "total": 34, "finished": 20, "pending": 4, "processing": 10, "failed": 0 }, "last_updated_at": "2024-10-29T15:04:49.618Z" } ``` ### LLM agent Graph The initial implementation of the agent graph that is executed per rule: ![agent graph diagram](https://github.com/user-attachments/assets/9228350c-a469-449b-a58a-0b452bb805aa) The first node tries to match the original rule with an Elastic prebuilt rule. If it does not succeed, the second node will try to translate the query as a custom rule using the ES\|QL knowledge base, this composes previous PoCs: - https://github.com/elastic/kibana/pull/193900 - https://github.com/elastic/kibana/pull/196651 ## Testing locally Enable the flag ``` xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled'] ``` cURL request examples: <details> <summary>Rules migration `create` POST request</summary> ``` curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n\| rename hostname as dest \n\| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n\| `security_content_ctime(firstTime)` \n\| `security_content_ctime(lastTime)`\n\| search *", "query_language":"spl", "mitre_attack_ids": [ "T1136" ] }, { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n\| rename host as dest \r\n\| where LIKE (process_exec, \"%chown %root%\") \r\n\| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n\| `security_content_ctime(firstTime)` \r\n\| `security_content_ctime(lastTime)`\r\n\| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] } ]' ``` </details> <details> <summary>Rules migration `start` task request</summary> - Assuming the connector `azureOpenAiGPT4o` is already created in the local environment. - Using the {{`migration_id`}} from the first POST request response ``` curl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '{ "connectorId": "azureOpenAiGPT4o" }' ``` </details> <details> <summary>Rules migration `stop` task request</summary> - Using the {{`migration_id`}} from the first POST request response. ``` curl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/stop' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' ``` </details> <details> <summary>Rules migration task `stats` request</summary> - Using the {{`migration_id`}} from the first POST request response. ``` curl --location --request GET 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/stats' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' ``` </details> <details> <summary>Rules migration rules documents request</summary> - Using the {{`migration_id`}} from the first POST request response. ``` curl --location --request GET 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' ``` </details> <details> <summary>Rules migration all stats request</summary> ``` curl --location --request GET 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/stats' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' ``` </details> --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>		2024-11-06 11:25:24 -06:00
.buildkite	[ci] Add package registry promotion pipeline (#198880 )	2024-11-05 17:07:09 -06:00
.devcontainer	Fix Dev Container KBN_DIR (#195810 )	2024-10-29 00:44:36 +00:00
.github	Code owners - sort generated entries (#198901 )	2024-11-06 13:38:31 +01:00
api_docs	[api-docs] 2024-11-06 Daily api_docs build (#199078 )	2024-11-06 01:30:21 -06:00
config	[UII] Replace `kibanaVersionCheckEnabled` default value instead of config setting (#198172 )	2024-10-30 14:22:52 -07:00
dev_docs	Enhance documentation on accessing hidden SO types (#199046 )	2024-11-05 19:51:45 -06:00
docs	[DOCS] Add alerting performance enhancements to 8.16 release notes (#199043 )	2024-11-06 06:23:23 -05:00
examples	[UA][Core][API Deprecations] Add deprecate type and update copy (#198800 )	2024-11-05 23:43:56 -06:00
kbn_pm	Adds AGPL 3.0 license (#192025 )	2024-09-06 19:02:41 -06:00
legacy_rfcs	rename @elastic/* packages to @kbn/* (#138957 )	2022-08-18 08:54:42 -07:00
licenses	Adds AGPL 3.0 license (#192025 )	2024-09-06 19:02:41 -06:00
oas_docs	[Fleet] Remove deprecated epm APIs (#198434 )	2024-11-06 08:38:26 -05:00
packages	[Rendering] Parallelize ES requests (#199124 )	2024-11-06 17:09:41 +01:00
plugins
scripts	[CodeQL] Local run script (#194272 )	2024-10-28 13:40:27 +01:00
src	Flaky #111821 - Refresh index (#199136 )	2024-11-06 17:10:06 +01:00
test	[Discover] Show the fetched Discover results even when histogram request fails on some shards (#198553 )	2024-11-06 06:45:01 -06:00
typings	Updated js-yaml to v4 (#190678 )	2024-09-19 12:25:03 +02:00
x-pack	[SecuritySolution][SIEM migrations] Implement background task API (#197997 )	2024-11-06 11:25:24 -06:00
.backportrc.json	chore(NA): adds 8.16 into backportrc (#196606 )	2024-10-17 03:22:13 +01:00
.bazelignore	Remove references to deleted .ci folder (#177168 )	2024-02-20 19:54:21 +01:00
.bazeliskversion	chore(NA): upgrade bazelisk into v1.11.0 (#125070 )	2022-02-09 20:43:57 +00:00
.bazelrc	chore(NA): use new and more performant BuildBuddy servers (#130350 )	2022-04-18 02:01:38 +01:00
.bazelrc.common	Transpile packages on demand, validate all TS projects (#146212 )	2022-12-22 19:00:29 -06:00
.bazelversion	chore(NA): revert bazel upgrade for v5.2.0 (#135096 )	2022-06-24 03:57:21 +01:00
.browserslistrc	Add Firefox ESR to browserlistrc (#184462 )	2024-05-29 17:53:18 -05:00
.editorconfig
.eslintignore	[ES\|QL] New @kbn/esql-services package (#179029 )	2024-03-27 14:39:48 +01:00
.eslintrc.js	Address some of the `no_group_crossing` dependencies (#198261 )	2024-11-06 08:44:35 -06:00
.gitattributes
.gitignore	[CodeQL] Local run script (#194272 )	2024-10-28 13:40:27 +01:00
.i18nrc.json	[Logs Overview] Add a flyout to show category document examples (#194867 )	2024-10-24 15:49:27 +01:00
.node-version	Upgrade Node.js to 20.15.1 (#187791 )	2024-07-15 12:34:07 -05:00
.npmrc	[npmrc] Fix puppeteer_skip_download configuration (#177673 )	2024-02-22 18:59:01 -07:00
.nvmrc	Upgrade Node.js to 20.15.1 (#187791 )	2024-07-15 12:34:07 -05:00
.prettierignore
.prettierrc
.puppeteerrc	Add .puppeteerrc (#179847 )	2024-04-03 09:14:39 -05:00
.stylelintignore
.stylelintrc	Bump stylelint to ^14 (#136693 )	2022-07-20 10:11:00 -05:00
.telemetryrc.json	[Telemetry] Fix telemetry-tools TS parser for packages (#149819 )	2023-01-31 04:09:09 +03:00
.yarnrc
BUILD.bazel	Transpile packages on demand, validate all TS projects (#146212 )	2022-12-22 19:00:29 -06:00
catalog-info.yaml	[sonarqube] Disable cron (#190611 )	2024-08-15 09:19:09 -05:00
CODE_OF_CONDUCT.md
CONTRIBUTING.md
FAQ.md	Fix small typos in the root md files (#134609 )	2022-06-23 09:36:11 -05:00
fleet_packages.json	[main] Sync bundled packages with Package Storage (#192007 )	2024-09-03 12:26:57 -05:00
github_checks_reporter.json
kibana.d.ts	Adds AGPL 3.0 license (#192025 )	2024-09-06 19:02:41 -06:00
LICENSE.txt	Adds AGPL 3.0 license (#192025 )	2024-09-06 19:02:41 -06:00
NOTICE.txt	[React@18] `useLayoutEffect` when setting value from a prop in `react-monaco-editor` (#195775 )	2024-10-17 13:24:06 +02:00
package.json	[Fleet] [Cloud Security] Add Testing Library ESLint for handling waitFor (#198735 )	2024-11-05 14:34:18 -08:00
preinstall_check.js	Adds AGPL 3.0 license (#192025 )	2024-09-06 19:02:41 -06:00
README.md
renovate.json	Improve stack traces in dev mode (#195916 )	2024-10-18 17:35:08 +02:00
RISK_MATRIX.mdx
run_fleet_setup_parallel.sh	[Fleet] Prevent concurrent runs of Fleet setup (#183636 )	2024-05-31 16:38:51 +02:00
SECURITY.md
sonar-project.properties	[sonarqube] update memory, cpu (#190547 )	2024-09-09 16:16:30 -05:00
STYLEGUIDE.mdx	[styleguide] update path to scss theme (#140742 )	2022-09-15 10:41:14 -04:00
tsconfig.base.json	[Security Solution] Revert `security_solution_common` package which is unnecessary (#198294 )	2024-11-04 15:39:32 +01:00
tsconfig.browser.json
tsconfig.browser_bazel.json
tsconfig.json	Transpile packages on demand, validate all TS projects (#146212 )	2022-12-22 19:00:29 -06:00
TYPESCRIPT.md	Fix small typos in the root md files (#134609 )	2022-06-23 09:36:11 -05:00
updatecli-compose.yaml	deps(updatecli): bump all policies (#195865 )	2024-10-15 07:37:12 -05:00
versions.json	chore(NA): update versions after v7.17.26 bump (#197325 )	2024-10-23 01:56:33 +01:00
WORKSPACE.bazel	chore(NA): remove usage of re2 and replace it with a non native module (#188134 )	2024-07-15 20:33:28 +01:00
yarn.lock	[Fleet] [Cloud Security] Add Testing Library ESLint for handling waitFor (#198735 )	2024-11-05 14:34:18 -08:00

README.md

Kibana

Kibana is your window into the Elastic Stack. Specifically, it's a browser-based analytics and search dashboard for Elasticsearch.

Getting Started
- Using a Kibana Release
- Building and Running Kibana, and/or Contributing Code
Documentation
Version Compatibility with Elasticsearch
Questions? Problems? Suggestions?

Getting Started

If you just want to try Kibana out, check out the Elastic Stack Getting Started Page to give it a whirl.

If you're interested in diving a bit deeper and getting a taste of Kibana's capabilities, head over to the Kibana Getting Started Page.

Using a Kibana Release

If you want to use a Kibana release in production, give it a test run, or just play around:

Download the latest version on the Kibana Download Page.
Learn more about Kibana's features and capabilities on the Kibana Product Page.
We also offer a hosted version of Kibana on our Cloud Service.

Building and Running Kibana, and/or Contributing Code

You might want to build Kibana locally to contribute some code, test out the latest features, or try out an open PR:

CONTRIBUTING.md will help you get Kibana up and running.
If you would like to contribute code, please follow our STYLEGUIDE.mdx.
For all other questions, check out the FAQ.md and wiki.

Documentation

Visit Elastic.co for the full Kibana documentation.

For information about building the documentation, see the README in elastic/docs.

Version Compatibility with Elasticsearch

Ideally, you should be running Elasticsearch and Kibana with matching version numbers. If your Elasticsearch has an older version number or a newer major number than Kibana, then Kibana will fail to run. If Elasticsearch has a newer minor or patch number than Kibana, then the Kibana Server will log a warning.

Note: The version numbers below are only examples, meant to illustrate the relationships between different types of version numbers.

Situation	Example Kibana version	Example ES version	Outcome
Versions are the same.	7.15.1	7.15.1	💚 OK
ES patch number is newer.	7.15.0	7.15.1	⚠️ Logged warning
ES minor number is newer.	7.14.2	7.15.0	⚠️ Logged warning
ES major number is newer.	7.15.1	8.0.0	🚫 Fatal error
ES patch number is older.	7.15.1	7.15.0	⚠️ Logged warning
ES minor number is older.	7.15.1	7.14.2	🚫 Fatal error
ES major number is older.	8.0.0	7.15.1	🚫 Fatal error

Questions? Problems? Suggestions?

If you've found a bug or want to request a feature, please create a GitHub Issue. Please check to make sure someone else hasn't already created an issue for the same topic.
Need help using Kibana? Ask away on our Kibana Discuss Forum and a fellow community member or Elastic engineer will be glad to help you out.