
[logging] Downgrade hapi connection errors when connecting with the w… #11209

Merged (2 commits), Jul 10, 2017

@jbudz (Member) commented Apr 12, 2017

When serving Kibana over http and a request comes in over https, Kibana logs a "Parse Error" to the standard application log.

When serving Kibana over https and a request comes in over http, Kibana logs a "routines:SSL23_GET_CLIENT_HELLO:http request" to the standard application log. This won't be testable until the http -> https redirect with httpolyglot is removed. See #10930.

This downgrades both log types to debug output.

@jbudz added the Team:Operations and v6.0.0 labels on Apr 12, 2017
@jbudz force-pushed the log-ssl-connection branch from ccf058a to 04b0d21 on April 12, 2017 21:47
@spalger (Contributor) reviewed:

If the answer to my question is "yes, that's our only option" then this LGTM

```
  }

  downgradeIfHTTPSWhenHTTP(event) {
    return downgradeIfErrorMessage('Parse Error', event);
  }
```
@spalger (Contributor) commented on these lines:

Is error message matching our only option here? Parse Error is pretty vague, isn't it? I guess we're still limiting it by the tag list, but I'd really like to use a value that's intended for machines (like errno) rather than one that's intended for humans (and much more likely to change/conflict).

@jbudz (Member, Author) replied:

Good point, I went straight for text because there was no errno. But there is a code for Parse Error, so that looks like it's the way to go:

```
{
    event: 'log',
    timestamp: 1492194353021,
    tags: ['connection', 'client', 'error'],
    data: {
        [Error: Parse Error]   // stack: at Error (native)
        bytesParsed: 0,
        code: 'HPE_INVALID_METHOD'
    },
    pid: 73405
}
```

For the http when https case there isn't more:

```
{
    event: 'log',
    timestamp: 1492194569892,
    tags: ['connection', 'client', 'error'],
    data: [Error: 140736014037952:error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request:../deps/openssl/openssl/ssl/s23_srvr.c:394:]   // stack: at Error (native)
    pid: 74537
}
```

@jbudz force-pushed the log-ssl-connection branch from 04b0d21 to f9d0f6e on April 18, 2017 20:50
@epixa self-requested a review May 17, 2017 18:12

kimjoar pushed a commit that referenced this pull request Jul 7, 2017:

- httpolyglot is removed, we no longer automatically redirect from http to https
- server.ssl.redirectHttpFromPort option added to allow for http -> https redirect from one port to another
- We no longer start the dev server with tls by default, it can be turned on with the --ssl flag, npm start -- --ssl, or ./bin/kibana --dev --ssl
- There will currently be error log messages if you connect over the wrong protocol, we have #11209 for downgrading these

@kimjoar force-pushed the log-ssl-connection branch from f9d0f6e to 3d8b0c3 on July 10, 2017 15:29
@kimjoar (Contributor) commented Jul 10, 2017

Rebased master, works as expected in my testing.

Below are examples when debug logging is enabled.

ssl.enabled: true + http request:

```
log   [15:27:52.252] [debug][connection] 140735775310784:error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request:../deps/openssl/openssl/ssl/s23_srvr.c:394:
```

ssl.enabled: false + https request:

```
log   [15:30:06.249] [debug][connection][hpe_invalid_method] HPE_INVALID_METHOD: Socket was closed by the client (probably the browser) before it could be read completely
```

@epixa (Contributor) reviewed:

LGTM on green

e40pud added a commit to e40pud/kibana that referenced this pull request Nov 19, 2024
e40pud added a commit that referenced this pull request Nov 20, 2024
## Summary

Changes in this PR:
* Added `update` route to handle bulk rule migrations docs updates
* Exposed `id` field in `RuleMigration` object needed for ES bulk update
operation
* Updated SIEM migrations schemas to use `NonEmptyString` when it is
needed

## Testing locally

Enable the flag
```
xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled']
```

Create and start a rule migration. Then use the `update` API to update the
corresponding docs.

cURL request examples:

<details>
  <summary>Rules migration `create` POST request</summary>

```
curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '[
    {
        "id": "f8c325ea-506e-4105-8ccf-da1492e90115",
        "vendor": "splunk",
        "title": "Linux Auditd Add User Account Type",
        "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.",
        "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *",
        "query_language":"spl",
        "mitre_attack_ids": [
            "T1136"
        ]
    },
    {
        "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90",
        "vendor": "splunk",
        "title": "Linux Auditd Change File Owner To Root",
        "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.",
        "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`",
        "query_language": "spl",
        "mitre_attack_ids": [
            "T1222"
        ]
    }
]'
```
</details>

<details>
  <summary>Rules migration `start` task request</summary>

- Assuming the connector `azureOpenAiGPT4o` is already created in the
local environment.
- Using the {{`migration_id`}} from the first POST request response

```
curl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '{
    "connectorId": "azureOpenAiGPT4o"
}'
```
</details>

<details>
  <summary>Rules migration rules documents request</summary>

- Using the {{`migration_id`}} from the first POST request response.

```
curl --location --request GET 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' 
```
</details>

<details>
  <summary>Rules migration `update` PUT request</summary>

- Using the {{`rule_migration_id_1`}} and {{`rule_migration_id_2`}} from
previous GET request response

```
curl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '[
    {
        "comments": [
            "## Migration Summary\n- The `FROM` command is used to select the `logs-*` index pattern.\n- The `RENAME` command is used to rename the `host` field to `dest`.\n- The `WHERE` command filters the rows where `process_exec` contains the pattern `*chown *root*`.\n- The `STATS` command is used to aggregate the data, counting the number of occurrences and finding the minimum and maximum timestamps, grouped by `process_exec`, `proctitle`, `normalized_proctitle_delimiter`, and `dest`.\n- The macros `security_content_ctime` and `linux_auditd_change_file_owner_to_root_filter` are placeholders for the corresponding Splunk macros.",
            "Additional comment 2.0"
        ],
        "translation_result": "full",
        "id": "{{rule_migration_id_1}}"
    },
    {
        "created_by": "elastic2.0",
        "elastic_rule": {
            "severity": "high",
            "title": "Linux Auditd Change File Owner To Root (UPDATED)"
        },
        "id": "{{rule_migration_id_2}}"
    }
]'
```
</details>

---------

Co-authored-by: kibanamachine <[email protected]>
timestamps, grouped by `process_exec`, `proctitle`,
`normalized_proctitle_delimiter`, and `dest`.\\n- The macros
`security_content_ctime` and
`linux_auditd_change_file_owner_to_root_filter` are placeholders for the
corresponding Splunk macros.\",\r\n \"Additional comment 2.0\"\r\n
],\r\n \"translation_result\": \"full\",\r\n \"id\":
\"{{rule_migration_id_1}}\"\r\n },\r\n {\r\n \"created_by\":
\"elastic2.0\",\r\n \"elastic_rule\": {\r\n \"severity\": \"high\",\r\n
\"title\": \"Linux Auditd Change File Owner To Root (UPDATED)\"\r\n
},\r\n \"id\": \"{{rule_migration_id_2}}\"\r\n
}\r\n]'\r\n```\r\n</details>\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"f6ac2cf8603ca633070e719f69b4fcef45ea92cb"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/200815","number":200815,"mergeCommit":{"message":"[Rules
migration] Add rules migrations update route (#11209) (#200815)\n\n##
Summary\r\n\r\nChanges in this PR:\r\n* Added `update` route to handle
bulk rule migrations docs updates\r\n* Exposed `id` field in
`RuleMigration` object needed for ES bulk update\r\noperation\r\n*
Updated SIEM migrations schemas to use `NonEmptyString` when it
is\r\nneeded\r\n\r\n## Testing locally\r\n\r\nEnable the
flag\r\n```\r\nxpack.securitySolution.enableExperimental:
['siemMigrationsEnabled']\r\n```\r\n\r\nCreate and start a rule
migration. Then use `update` API to updated\r\ncorresponding
docs.\r\n\r\ncURL request examples:\r\n\r\n<details>\r\n <summary>Rules
migration `create` POST request</summary>\r\n\r\n```\r\ncurl --location
--request POST
'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules'
\\\r\n--header 'kbn-xsrf;' \\\r\n--header 'x-elastic-internal-origin:
security-solution' \\\r\n--header 'elastic-api-version: 1'
\\\r\n--header 'Content-Type: application/json' \\\r\n--data '[\r\n
{\r\n \"id\": \"f8c325ea-506e-4105-8ccf-da1492e90115\",\r\n \"vendor\":
\"splunk\",\r\n \"title\": \"Linux Auditd Add User Account Type\",\r\n
\"description\": \"The following analytic detects the suspicious add
user account type. This behavior is critical for a SOC to monitor
because it may indicate attempts to gain unauthorized access or maintain
control over a system. Such actions could be signs of malicious
activity. If confirmed, this could lead to serious consequences,
including a compromised system, unauthorized access to sensitive data,
or even a wider breach affecting the entire network. Detecting and
responding to these signs early is essential to prevent potential
security incidents.\",\r\n \"query\": \"sourcetype=\\\"linux:audit\\\"
type=ADD_USER \\n| rename hostname as dest \\n| stats count min(_time)
as firstTime max(_time) as lastTime by exe pid dest res UID type \\n|
`security_content_ctime(firstTime)` \\n|
`security_content_ctime(lastTime)`\\n| search *\",\r\n
\"query_language\":\"spl\",\r\n \"mitre_attack_ids\": [\r\n
\"T1136\"\r\n ]\r\n },\r\n {\r\n \"id\":
\"7b87c556-0ca4-47e0-b84c-6cd62a0a3e90\",\r\n \"vendor\":
\"splunk\",\r\n \"title\": \"Linux Auditd Change File Owner To
Root\",\r\n \"description\": \"The following analytic detects the use of
the '\\''chown'\\'' command to change a file owner to '\\''root'\\'' on
a Linux system. It leverages Linux Auditd telemetry, specifically
monitoring command-line executions and process details. This activity is
significant as it may indicate an attempt to escalate privileges by
adversaries, malware, or red teamers. If confirmed malicious, this
action could allow an attacker to gain root-level access, leading to
full control over the compromised host and potential persistence within
the environment.\",\r\n \"query\": \"`linux_auditd`
`linux_auditd_normalized_proctitle_process`\\r\\n| rename host as dest
\\r\\n| where LIKE (process_exec, \\\"%chown %root%\\\") \\r\\n| stats
count min(_time) as firstTime max(_time) as lastTime by process_exec
proctitle normalized_proctitle_delimiter dest \\r\\n|
`security_content_ctime(firstTime)` \\r\\n|
`security_content_ctime(lastTime)`\\r\\n|
`linux_auditd_change_file_owner_to_root_filter`\",\r\n
\"query_language\": \"spl\",\r\n \"mitre_attack_ids\": [\r\n
\"T1222\"\r\n ]\r\n }\r\n]'\r\n```\r\n</details>\r\n\r\n<details>\r\n
<summary>Rules migration `start` task request</summary>\r\n\r\n-
Assuming the connector `azureOpenAiGPT4o` is already created in
the\r\nlocal environment.\r\n- Using the {{`migration_id`}} from the
first POST request response\r\n\r\n```\r\ncurl --location --request PUT
'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start'
\\\r\n--header 'kbn-xsrf;' \\\r\n--header 'x-elastic-internal-origin:
security-solution' \\\r\n--header 'elastic-api-version: 1'
\\\r\n--header 'Content-Type: application/json' \\\r\n--data '{\r\n
\"connectorId\":
\"azureOpenAiGPT4o\"\r\n}'\r\n```\r\n</details>\r\n\r\n<details>\r\n
<summary>Rules migration rules documents request</summary>\r\n\r\n-
Using the {{`migration_id`}} from the first POST request
response.\r\n\r\n```\r\ncurl --location --request GET
'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}'
\\\r\n--header 'kbn-xsrf;' \\\r\n--header 'x-elastic-internal-origin:
security-solution' \\\r\n--header 'elastic-api-version: 1'
\r\n```\r\n</details>\r\n\r\n<details>\r\n <summary>Rules migration
`update` PUT request</summary>\r\n\r\n- Using the
{{`rule_migration_id_1`}} and {{`rule_migration_id_2`}} from\r\nprevious
GET request response\r\n\r\n```\r\ncurl --location --request PUT
'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules'
\\\r\n--header 'kbn-xsrf;' \\\r\n--header 'x-elastic-internal-origin:
security-solution' \\\r\n--header 'elastic-api-version: 1' \r\n--data
'[\r\n {\r\n \"comments\": [\r\n \"## Migration Summary\\n- The `FROM`
command is used to select the `logs-*` index pattern.\\n- The `RENAME`
command is used to rename the `host` field to `dest`.\\n- The `WHERE`
command filters the rows where `process_exec` contains the pattern
`*chown *root*`.\\n- The `STATS` command is used to aggregate the data,
counting the number of occurrences and finding the minimum and maximum
timestamps, grouped by `process_exec`, `proctitle`,
`normalized_proctitle_delimiter`, and `dest`.\\n- The macros
`security_content_ctime` and
`linux_auditd_change_file_owner_to_root_filter` are placeholders for the
corresponding Splunk macros.\",\r\n \"Additional comment 2.0\"\r\n
],\r\n \"translation_result\": \"full\",\r\n \"id\":
\"{{rule_migration_id_1}}\"\r\n },\r\n {\r\n \"created_by\":
\"elastic2.0\",\r\n \"elastic_rule\": {\r\n \"severity\": \"high\",\r\n
\"title\": \"Linux Auditd Change File Owner To Root (UPDATED)\"\r\n
},\r\n \"id\": \"{{rule_migration_id_2}}\"\r\n
}\r\n]'\r\n```\r\n</details>\r\n\r\n---------\r\n\r\nCo-authored-by:
kibanamachine
<[email protected]>","sha":"f6ac2cf8603ca633070e719f69b4fcef45ea92cb"}}]}]
BACKPORT-->
paulinashakirova pushed a commit to paulinashakirova/kibana that referenced this pull request Nov 26, 2024
…lastic#200815)

## Summary

Changes in this PR:
* Added `update` route to handle bulk rule migrations docs updates
* Exposed `id` field in `RuleMigration` object needed for ES bulk update
operation
* Updated SIEM migrations schemas to use `NonEmptyString` when it is
needed

## Testing locally

Enable the flag
```
xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled']
```

Create and start a rule migration. Then use the `update` API to update the
corresponding docs.

cURL request examples:

<details>
  <summary>Rules migration `create` POST request</summary>

```
curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '[
    {
        "id": "f8c325ea-506e-4105-8ccf-da1492e90115",
        "vendor": "splunk",
        "title": "Linux Auditd Add User Account Type",
        "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.",
        "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *",
        "query_language":"spl",
        "mitre_attack_ids": [
            "T1136"
        ]
    },
    {
        "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90",
        "vendor": "splunk",
        "title": "Linux Auditd Change File Owner To Root",
        "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.",
        "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`",
        "query_language": "spl",
        "mitre_attack_ids": [
            "T1222"
        ]
    }
]'
```
</details>

<details>
  <summary>Rules migration `start` task request</summary>

- Assuming the connector `azureOpenAiGPT4o` is already created in the
local environment.
- Using the {{`migration_id`}} from the first POST request response

```
curl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '{
    "connectorId": "azureOpenAiGPT4o"
}'
```
</details>

<details>
  <summary>Rules migration rules documents request</summary>

- Using the {{`migration_id`}} from the first POST request response.

```
curl --location --request GET 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' 
```
</details>

<details>
  <summary>Rules migration `update` PUT request</summary>

- Using the {{`rule_migration_id_1`}} and {{`rule_migration_id_2`}} from
previous GET request response

```
curl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \
--header 'kbn-xsrf;' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'elastic-api-version: 1' \
--header 'Content-Type: application/json' \
--data '[
    {
        "comments": [
            "## Migration Summary\n- The `FROM` command is used to select the `logs-*` index pattern.\n- The `RENAME` command is used to rename the `host` field to `dest`.\n- The `WHERE` command filters the rows where `process_exec` contains the pattern `*chown *root*`.\n- The `STATS` command is used to aggregate the data, counting the number of occurrences and finding the minimum and maximum timestamps, grouped by `process_exec`, `proctitle`, `normalized_proctitle_delimiter`, and `dest`.\n- The macros `security_content_ctime` and `linux_auditd_change_file_owner_to_root_filter` are placeholders for the corresponding Splunk macros.",
            "Additional comment 2.0"
        ],
        "translation_result": "full",
        "id": "{{rule_migration_id_1}}"
    },
    {
        "created_by": "elastic2.0",
        "elastic_rule": {
            "severity": "high",
            "title": "Linux Auditd Change File Owner To Root (UPDATED)"
        },
        "id": "{{rule_migration_id_2}}"
    }
]'
```
</details>

---------

Co-authored-by: kibanamachine <[email protected]>
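The four-request flow above (create, start, fetch the migration docs, bulk update) scripted end to end; this is an added example, not Kibana's own code. It assumes, since the page does not show the responses, that the create response carries a `migration_id` field and that the fetch response is a JSON list of rule-migration docs each carrying an `id`; `fake_kibana` is a constructed stand-in so the flow runs offline, and `http_transport` is the real urllib transport for a local Kibana.

```python
"""End-to-end driver for the rules-migration flow in the commit message
(create -> start -> fetch -> bulk update).  Added example, not Kibana's code.
Assumed, not on the page: the create response carries "migration_id"; the fetch
response is a JSON list of rule-migration docs, each carrying "id"."""
import base64
import json
import urllib.request
from typing import Callable, Dict, List

BASE = "/internal/siem_migrations/rules"
HEADERS = {  # the headers every request in the commit message sends
    "kbn-xsrf": "true",
    "x-elastic-internal-origin": "security-solution",
    "elastic-api-version": "1",
    "Content-Type": "application/json",
}
Transport = Callable[[str, str, object], object]  # (method, path, body) -> JSON
# One of the two Splunk rules in the page's `create` request (description abridged).
SPLUNK_RULE = {
    "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90",
    "vendor": "splunk",
    "title": "Linux Auditd Change File Owner To Root",
    "description": "Detects chown of a file to root via Linux Auditd telemetry.",
    "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\n| rename host as dest\n"
             "| where LIKE (process_exec, \"%chown %root%\")\n| stats count min(_time) as firstTime"
             " max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest\n"
             "| `security_content_ctime(firstTime)`\n| `security_content_ctime(lastTime)`\n"
             "| `linux_auditd_change_file_owner_to_root_filter`",
    "query_language": "spl",
    "mitre_attack_ids": ["T1222"],
}

def build_update(rule_ids: List[str], comment: str) -> List[Dict]:
    """Body for the bulk `update` PUT: each doc is addressed by the `id` field
    the PR exposes on RuleMigration, plus the fields being changed."""
    if not rule_ids:
        raise ValueError("nothing to update: no rule-migration ids")
    return [{"id": rid, "translation_result": "full", "comments": [comment]}
            for rid in rule_ids]

def run_migration(send: Transport, connector_id: str, rules: List[Dict]) -> Dict:
    """Issue the four requests in order, threading the ids between them."""
    created = send("POST", BASE, rules)
    migration_id = created["migration_id"]                        # assumed field
    send("PUT", f"{BASE}/{migration_id}/start", {"connectorId": connector_id})
    docs = send("GET", f"{BASE}/{migration_id}", None)
    update = build_update([d["id"] for d in docs], "## Migration Summary\n- reviewed")
    send("PUT", BASE, update)
    return {"migration_id": migration_id, "updated": len(update)}

def http_transport(base_url: str, user: str, password: str) -> Transport:
    """urllib transport; credentials arrive as arguments (e.g. from the
    environment) instead of being embedded in the URL as in the curl lines."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def send(method, path, body):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method,
                                     headers={**HEADERS, "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"null")
    return send

def fake_kibana() -> Transport:
    """Constructed offline stand-in: records every call, returns the assumed shapes."""
    def send(method, path, body):
        send.calls.append((method, path, body))
        if method == "POST":
            return {"migration_id": "mig-0001"}                   # constructed
        return [{"id": "rm-1"}, {"id": "rm-2"}] if method == "GET" else {}  # constructed
    send.calls = []
    return send
```

Against a local instance, `run_migration(http_transport("http://localhost:5601", user, password), "azureOpenAiGPT4o", [SPLUNK_RULE])` performs the same four calls the curl snippets make by hand.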
CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
…lastic#200815)
5 participants