github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-06-27 18:51:07 -04:00
Code Issues Projects Releases Packages Wiki Activity
kibana/x-pack/plugins/security_solution/common/experimental_features.ts
Sergi Massaneda d7109d6781
[SecuritySolution][SIEM Migrations] Rule migrations storage (#197032) 
## Summary

issue: https://github.com/elastic/security-team/issues/10654?reload=1

Implements the persistence layer for the rule migrations from other
vendors, as part of the SIEM Rule migrations effort.

### Changes

- Schemas created for `SiemRuleMigration` document entity, along with
`ElasticRule` and `OriginalRule`.

- New API `/internal/siem_migrations/rules` was created:
- `POST` -> Receives an array of (original) rules and stores them with
`status: pending` to be processed. Responds with the `migration_id` that
will be used to start the migration background task (implementation
details here: https://github.com/elastic/security-team/issues/10850).
  - `GET` -> (to be implemented later)

- New `SiemMigrationsService` added to the `securitySolution` route
context, to encapsulate all operations related to SIEM migrations (We
start with _rule_ migrations, but there are more "kinds" of SIEM
migrations in the pipeline: _dashboards_, _saved queries_...). It
contains:

- `SiemRuleMigrationsService` to encapsulate all operations related to
SIEM rule migrations.
- `RuleMigrationsDataStream` class to manage the
`.kibana.siem-rule-migrations-<spaceId>` data stream operations using
`DataStreamSpacesAdapter`.
- It exposes a client with abstracted operations that are exposed to the
API routes:
- `create`: indexes an array of _SiemRuleMigration_ documents to the
data stream
- `search`: searches _SiemRuleMigration_ documents by specific terms.

> [!NOTE]  
> Without `siemMigrationsEnabled` experimental flag the new API route
won't be registered, and the `SiemRuleMigrationsService` _setup_ won't
be called, so no index/component template will be installed to ES.

### Testing locally

Enable the flag
```
xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled']
```

<details>
  <summary>Example curl request</summary>

```
curl --location 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '[
    {
        "id": "f8c325ea-506e-4105-8ccf-da1492e90115",
        "vendor": "splunk",
        "title": "Linux Auditd Add User Account Type",
        "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.",
        "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *",
        "query_language":"spl",
        "mitre_attack_ids": [
            "T1136"
        ]
    },
    {
        "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90",
        "vendor": "splunk",
        "title": "Linux Auditd Change File Owner To Root",
        "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.",
        "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`",
        "query_language": "spl",
        "mitre_attack_ids": [
            "T1222"
        ]
    }
]'
```
</details>

The newly created documents can be retrieved using Kibana DevTools
console:
```
GET .kibana.siem-rule-migrations-default/_search
```

### Screenshots


![postman_screenshot](https://github.com/user-attachments/assets/9d3852d2-48ef-4955-b621-fdba6b249c65)

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
2024-10-24 04:56:08 -05:00

280 lines
8.2 KiB
TypeScript
Raw Blame History

/*
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
* or more contributor license agreements. Licensed under the Elastic License
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
export type ExperimentalFeatures = { [K in keyof typeof allowedExperimentalValues]: boolean };
/**
* A list of allowed values that can be used in `xpack.securitySolution.enableExperimental`.
* This object is then used to validate and parse the value entered.
*/
export const allowedExperimentalValues = Object.freeze({
// FIXME:PT delete?
excludePoliciesInFilterEnabled: false,
kubernetesEnabled: true,
donutChartEmbeddablesEnabled: false, // Depends on https://github.com/elastic/kibana/issues/136409 item 2 - 6
/**
* This is used for enabling the end-to-end tests for the security_solution telemetry.
* We disable the telemetry since we don't have specific roles or permissions around it and
* we don't want people to be able to violate security by getting access to whole documents
* around telemetry they should not.
* @see telemetry_detection_rules_preview_route.ts
* @see test/security_solution_api_integration/test_suites/telemetry/README.md
*/
previewTelemetryUrlEnabled: false,
/**
* Enables extended rule execution logging to Event Log. When this setting is enabled:
* - Rules write their console error, info, debug, and trace messages to Event Log,
* in addition to other events they log there (status changes and execution metrics).
* - We add a Kibana Advanced Setting that controls this behavior (on/off and log level).
* - We show a table with plain execution logs on the Rule Details page.
*/
extendedRuleExecutionLoggingEnabled: false,
/**
* Enables the SOC trends timerange and stats on D&R page
*/
socTrendsEnabled: false,
/**
* Enables the `upload` endpoint response action (v8.9)
*/
responseActionUploadEnabled: true,
/**
* Enables Automated Endpoint Process actions
*/
automatedProcessActionsEnabled: true,
/**
* Enables the ability to send Response actions to SentinelOne and persist the results
* in ES. Adds API changes to support `agentType` and supports `isolate` and `release`
* response actions in Response Console.
*
* Release: v8.13.0
*/
responseActionsSentinelOneV1Enabled: true,
/**
* Enables use of SentinelOne response actions that complete asynchronously
*
* Release: v8.14.0
*/
responseActionsSentinelOneV2Enabled: true,
/** Enables the `get-file` response action for SentinelOne */
responseActionsSentinelOneGetFileEnabled: true,
/** Enables the `kill-process` response action for SentinelOne */
responseActionsSentinelOneKillProcessEnabled: true,
/** Enable the `processes` response actions for SentinelOne */
responseActionsSentinelOneProcessesEnabled: true,
/**
* Enables the ability to send Response actions to Crowdstrike and persist the results
* in ES.
*/
responseActionsCrowdstrikeManualHostIsolationEnabled: true,
/**
* Space awareness for Elastic Defend management.
* Feature depends on Fleet's corresponding features also being enabled:
* - `subfeaturePrivileges`
* - `useSpaceAwareness`
* and Fleet must set it runtime mode to spaces by calling the following API:
* - `POST /internal/fleet/enable_space_awareness`
*/
endpointManagementSpaceAwarenessEnabled: false,
/**
* Enables new notes
*/
securitySolutionNotesEnabled: false,
/**
* Disables entity and alert previews
*/
entityAlertPreviewDisabled: false,
/**
* Enables the Assistant Model Evaluation advanced setting and API endpoint, introduced in `8.11.0`.
*/
assistantModelEvaluation: false,
/**
* Enables new Knowledge Base Entries features, introduced in `8.15.0`.
*/
assistantKnowledgeBaseByDefault: false,
/**
* Enables the Managed User section inside the new user details flyout.
*/
newUserDetailsFlyoutManagedUser: false,
/**
* Enable risk engine client and initialisation of datastream, component templates and mappings
*/
riskScoringPersistence: true,
/**
* Enables experimental Entity Analytics HTTP endpoints
*/
riskScoringRoutesEnabled: true,
/**
* disables ES|QL rules
*/
esqlRulesDisabled: false,
/**
* Enables Protection Updates tab in the Endpoint Policy Details page
*/
protectionUpdatesEnabled: true,
/**
* Disables the timeline save tour.
* This flag is used to disable the tour in cypress tests.
*/
disableTimelineSaveTour: false,
/**
* Enables the risk engine privileges route
* and associated callout in the UI
*/
riskEnginePrivilegesRouteEnabled: true,
/**
* Enables experimental Experimental S1 integration data to be available in Analyzer
*/
sentinelOneDataInAnalyzerEnabled: true,
/**
* Enables SentinelOne manual host isolation response actions directly through the connector
* sub-actions framework.
* v8.12.0
*/
sentinelOneManualHostActionsEnabled: true,
/**
* Enables experimental Crowdstrike integration data to be available in Analyzer
*/
crowdstrikeDataInAnalyzerEnabled: true,
/**
* Enables Response actions telemetry collection
* Should be enabled in 8.17.0
*/
responseActionsTelemetryEnabled: false,
/**
* Enables experimental JAMF integration data to be available in Analyzer
*/
jamfDataInAnalyzerEnabled: true,
/*
* Disables discover esql tab within timeline
*
*/
timelineEsqlTabDisabled: false,
/*
* Disables experimental Discover components, UnifiedFieldList and UnifiedDataTable in Timeline.
*/
unifiedComponentsInTimelineDisabled: false,
/*
* Disables date pickers and sourcerer in analyzer if needed.
*
*/
analyzerDatePickersAndSourcererDisabled: false,
/**
* Enables an ability to customize Elastic prebuilt rules.
*
* Ticket: https://github.com/elastic/kibana/issues/174168
* Owners: https://github.com/orgs/elastic/teams/security-detection-rule-management
* Added: on Jun 24, 2024 in https://github.com/elastic/kibana/pull/186823
* Turned: TBD
* Expires: TBD
*/
prebuiltRulesCustomizationEnabled: false,
/**
* Makes Elastic Defend integration's Malware On-Write Scan option available to edit.
*/
malwareOnWriteScanOptionAvailable: true,
/**
* Enables unified manifest that replaces existing user artifacts manifest SO with a new approach of creating a SO per package policy.
*/
unifiedManifestEnabled: true,
/**
* Enables the new modal for the value list items
*/
valueListItemsModalEnabled: true,
/**
* Adds a new option to filter descendants of a process for Management / Event Filters
*/
filterProcessDescendantsForEventFiltersEnabled: true,
/**
* Enables the new data ingestion hub
*/
dataIngestionHubEnabled: false,
/**
* Disables Security's Entity Store engine routes. The Entity Store feature is available by default, but
* can be disabled if necessary in a given environment.
*/
entityStoreDisabled: false,
/**
* Enables the siem migrations feature
*/
siemMigrationsEnabled: false,
});
type ExperimentalConfigKeys = Array<keyof ExperimentalFeatures>;
type Mutable<T> = { -readonly [P in keyof T]: T[P] };
const allowedKeys = Object.keys(allowedExperimentalValues) as Readonly<ExperimentalConfigKeys>;
/**
* Parses the string value used in `xpack.securitySolution.enableExperimental` kibana configuration,
* which should be a string of values delimited by a comma (`,`)
*
* @param configValue
* @throws SecuritySolutionInvalidExperimentalValue
*/
export const parseExperimentalConfigValue = (
configValue: string[]
): { features: ExperimentalFeatures; invalid: string[] } => {
const enabledFeatures: Mutable<Partial<ExperimentalFeatures>> = {};
const invalidKeys: string[] = [];
for (const value of configValue) {
if (!allowedKeys.includes(value as keyof ExperimentalFeatures)) {
invalidKeys.push(value);
} else {
enabledFeatures[value as keyof ExperimentalFeatures] = true;
}
}
return {
features: {
...allowedExperimentalValues,
...enabledFeatures,
},
invalid: invalidKeys,
};
};
export const getExperimentalAllowedValues = (): string[] => [...allowedKeys];
Reference in a new issue View git blame Copy permalink