[Security Solution][Detections] Adds Indicator path config for indicator match rules #91260
Conversation
There is no UI for this currently, nor is it used during rule execution.
Also adds missing plumbing that was preventing the new field from being persisted to the alert/returned in the response.
We always persist to `threat.indicator.*` on the signal, but this allows users to specify where the enrichment fields can be found on the matched indicator document.
We were not passing this from the rule itself into the threat matching logic, and so were merely getting the default value. An integration test will fix this. Incoming!
This happens closer to where we pass data from the rule to our helpers, and will prevent errors/bugs due to defaulting logic down the road. It makes tests a little more verbose, but that's okay.
rylnd
force-pushed
the
indicator_path_config
branch
from
d012c6c
to
c5004db
Compare
rylnd
added
release_note:skip
Always sending along this field, but only allowing it for threat match rules was implicitly breaking the workflow of otther rule types. By making the field conditional on the rule type, this field only impacts threat match rules. This also fixes some types and tests accordingly.
|
@elasticmachine merge upstream |
💚 Build SucceededMetrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
| }; | ||
| const result = formatAboutStepData(mockData); | ||
| expect(result.threat_indicator_path).toEqual('my_custom.path'); | ||
| }); |
There was a problem hiding this comment.
👍 You have some testing! Thanks
| const enrichedSignals = await enrichSignalThreatMatches( | ||
| signals, | ||
| getMatchedThreats, | ||
| 'threat.indicator' |
There was a problem hiding this comment.
nit: Suggest using a constant everywhere and put it in the common/constants area we have
…tor match rules (elastic#91260) * Add new field for overriding threat indicator path There is no UI for this currently, nor is it used during rule execution. * Adds form field for indicator path parameter Also adds missing plumbing that was preventing the new field from being persisted to the alert/returned in the response. * Wire up our indicator path config to enrichment * Add unit test for enriching from a custom indicator path We always persist to `threat.indicator.*` on the signal, but this allows users to specify where the enrichment fields can be found on the matched indicator document. * Wire up the missing piece of our indicator path config We were not passing this from the rule itself into the threat matching logic, and so were merely getting the default value. An integration test will fix this. Incoming! * Move indicator path defaulting outside of helper functions This happens closer to where we pass data from the rule to our helpers, and will prevent errors/bugs due to defaulting logic down the road. It makes tests a little more verbose, but that's okay. * Fix remaining type errors around new rule field * Make threat indicator path a conditional field Always sending along this field, but only allowing it for threat match rules was implicitly breaking the workflow of otther rule types. By making the field conditional on the rule type, this field only impacts threat match rules. This also fixes some types and tests accordingly. Co-authored-by: Kibana Machine <[email protected]>
…tor match rules (#91260) (#91593) * Add new field for overriding threat indicator path There is no UI for this currently, nor is it used during rule execution. * Adds form field for indicator path parameter Also adds missing plumbing that was preventing the new field from being persisted to the alert/returned in the response. * Wire up our indicator path config to enrichment * Add unit test for enriching from a custom indicator path We always persist to `threat.indicator.*` on the signal, but this allows users to specify where the enrichment fields can be found on the matched indicator document. * Wire up the missing piece of our indicator path config We were not passing this from the rule itself into the threat matching logic, and so were merely getting the default value. An integration test will fix this. Incoming! * Move indicator path defaulting outside of helper functions This happens closer to where we pass data from the rule to our helpers, and will prevent errors/bugs due to defaulting logic down the road. It makes tests a little more verbose, but that's okay. * Fix remaining type errors around new rule field * Make threat indicator path a conditional field Always sending along this field, but only allowing it for threat match rules was implicitly breaking the workflow of otther rule types. By making the field conditional on the rule type, this field only impacts threat match rules. This also fixes some types and tests accordingly. Co-authored-by: Kibana Machine <[email protected]> Co-authored-by: Kibana Machine <[email protected]>
* master: (157 commits) [DOCS] Adds machine learning to the security section of alerting (elastic#91501) [Uptime] Ping list step screenshot caption formatting (elastic#91403) [Vislib] Use timestamp on brush event instead of iso dates (elastic#91483) [Application Usage] Remove deprecated & unused legacy.appChanged API (elastic#91464) Migrate logstash, monitoring, url_drilldowns, xpack_legacy to ts projects (elastic#91194) [APM] Wrap Elasticsearch client errors (elastic#91125) [APM] Fix optimize-tsconfig script (elastic#91487) [Discover][docs] Add searchFieldsFromSource description (elastic#90980) Adds support for 'ip' data type (elastic#85087) [Detection Rules] Add updates from 7.11.2 rules (elastic#91553) [SECURITY SOLUTION] Eql in timeline (elastic#90816) [APM] Correlations Beta (elastic#86477) (elastic#89952) [Security Solutions][Detection Engine] Adds a warning banner when the alerts data has not been migrated yet. (elastic#90258) [Security Solution] [Timeline] Endpoint row renderers (2nd batch) (elastic#91446) skip flaky suite (elastic#91450) skip flaky suite (elastic#91592) [Security Solution][Endpoint][Admin] Endpoint Details UX Enhancements (elastic#90870) [ML] Add better UI support for runtime fields Transforms (elastic#90363) [Security Solution] [Detections] Replace 'partial failure' with 'warning' for rule statuses (elastic#91167) [Security Solution][Detections] Adds Indicator path config for indicator match rules (elastic#91260) ...
|
Thanks @rylnd for pulling this together.
Generally the dialog in the rule create/edit steps should follow the naming of the rule type, which in this case is "indicator match", so I would vote for using "Indicator" rather than "Threat Indicator." (We expect that this rule can/will be used for matching other indicators besides threat indicators.) Question, should we use "path" in this context? in ECS, the "path" concept is used for entities such as file system paths, but not generally for fields, field sets, and objects in an ECS-compatible document. In this case, it seems like we are asking the user to specify "where is the field set we should use to find the attributes of the indicator we're matching?" Thus I'm wondering if "Indicator field set" would be better. The description could be adjusted accordingly, like "Specify the field set in which attributes of the indicator are located. These attributes will be used to enrich alerts that are generated by this rule. Defaults to bigger questions Also, do we need an override field to specify the similar path/field set where the enrichment information will be stored in the alert document? Again, keeping in mind that this rule type is a generic indicator match, and future ECS field sets might define other indicator enrichments that would also be stored in the alert document, we should allow that flexibility. Again, we could infer this value based on what is specified in the |
"path" was fresh in my mind as that's what's used for nested queries, but I appreciate using terminology from ECS if possible👍 . My understanding of "field set" is it's literally "a set of fields," often (always?) sharing a common ancestor, rather than the location of that common ancestor as we're trying to describe.
I really like this idea but I'm not sure it's possible without further restricting the structure of an indicator document. Currently the indicator fieldset can exist anywhere in a document (i.e. has Additionally, such a derivation would force documents to colocate both indicator values and enrichment metadata; while the current examples assume that the rule is matching within the indicator fieldset (e.g.
This is a great point! As we start to provide other enrichment types we may very well need more configuration (or simply more rule types?). For now, the thought was that these rules would be used primarily for CTI and would thus populate TL;DR I'm leaning toward "Indicator path override" |
… Rules (#522) This is a rough pass at updating the [Create Rule API docs](https://www.elastic.co/guide/en/security/current/rules-api-create.html#_request_body) for the recent changes surrounding `Threshold` and `Indicator Match` rules. @madirey and @rylnd if you could verify these changes and if any additional fields should be documented that would be greatly appreciated. 🙂 Resolves: elastic/kibana#91965 Note: The grouping of optional fields per rule type makes these docs difficult to maintain (for me at least 😅), as you need to cross reference each optional field from each type, plus I'd bargain our users might find it useful to be able to look at all fields per each rule type independently. Something to verify with users/discuss, but would be a nice add for maintaining these docs (outside of writing scripts to generate the groupings). ##### Threshold Rules: For more details on `cardinality_field` and `cardinality_value` see: elastic/kibana#90826 ##### Indicator Match Rules: For more details on `threat_filters` see: elastic/kibana#91260
… Rules (elastic#522) This is a rough pass at updating the [Create Rule API docs](https://www.elastic.co/guide/en/security/current/rules-api-create.html#_request_body) for the recent changes surrounding `Threshold` and `Indicator Match` rules. @madirey and @rylnd if you could verify these changes and if any additional fields should be documented that would be greatly appreciated. 🙂 Resolves: elastic/kibana#91965 Note: The grouping of optional fields per rule type makes these docs difficult to maintain (for me at least 😅), as you need to cross reference each optional field from each type, plus I'd bargain our users might find it useful to be able to look at all fields per each rule type independently. Something to verify with users/discuss, but would be a nice add for maintaining these docs (outside of writing scripts to generate the groupings). ##### Threshold Rules: For more details on `cardinality_field` and `cardinality_value` see: elastic/kibana#90826 ##### Indicator Match Rules: For more details on `threat_filters` see: elastic/kibana#91260
… Rules (elastic#522) This is a rough pass at updating the [Create Rule API docs](https://www.elastic.co/guide/en/security/current/rules-api-create.html#_request_body) for the recent changes surrounding `Threshold` and `Indicator Match` rules. @madirey and @rylnd if you could verify these changes and if any additional fields should be documented that would be greatly appreciated. 🙂 Resolves: elastic/kibana#91965 Note: The grouping of optional fields per rule type makes these docs difficult to maintain (for me at least 😅), as you need to cross reference each optional field from each type, plus I'd bargain our users might find it useful to be able to look at all fields per each rule type independently. Something to verify with users/discuss, but would be a nice add for maintaining these docs (outside of writing scripts to generate the groupings). ##### Threshold Rules: For more details on `cardinality_field` and `cardinality_value` see: elastic/kibana#90826 ##### Indicator Match Rules: For more details on `threat_filters` see: elastic/kibana#91260
… Rules (#522) (#540) This is a rough pass at updating the [Create Rule API docs](https://www.elastic.co/guide/en/security/current/rules-api-create.html#_request_body) for the recent changes surrounding `Threshold` and `Indicator Match` rules. @madirey and @rylnd if you could verify these changes and if any additional fields should be documented that would be greatly appreciated. 🙂 Resolves: elastic/kibana#91965 Note: The grouping of optional fields per rule type makes these docs difficult to maintain (for me at least 😅), as you need to cross reference each optional field from each type, plus I'd bargain our users might find it useful to be able to look at all fields per each rule type independently. Something to verify with users/discuss, but would be a nice add for maintaining these docs (outside of writing scripts to generate the groupings). ##### Threshold Rules: For more details on `cardinality_field` and `cardinality_value` see: elastic/kibana#90826 ##### Indicator Match Rules: For more details on `threat_filters` see: elastic/kibana#91260
… Rules (#522) (#539) This is a rough pass at updating the [Create Rule API docs](https://www.elastic.co/guide/en/security/current/rules-api-create.html#_request_body) for the recent changes surrounding `Threshold` and `Indicator Match` rules. @madirey and @rylnd if you could verify these changes and if any additional fields should be documented that would be greatly appreciated. 🙂 Resolves: elastic/kibana#91965 Note: The grouping of optional fields per rule type makes these docs difficult to maintain (for me at least 😅), as you need to cross reference each optional field from each type, plus I'd bargain our users might find it useful to be able to look at all fields per each rule type independently. Something to verify with users/discuss, but would be a nice add for maintaining these docs (outside of writing scripts to generate the groupings). ##### Threshold Rules: For more details on `cardinality_field` and `cardinality_value` see: elastic/kibana#90826 ##### Indicator Match Rules: For more details on `threat_filters` see: elastic/kibana#91260
Summary
This adds a new rule field,
threat_indicator_path, that applies only to indicator match rules. Much like an ingest processor, users can use this field to define where their threat indicator can be found on their indicator documents. The value defaults tothreat.indicator, the proposed ECS path, if unspecified.Regardless of where the enrichment fields are found, they will be placed within the prospective ECS field,
threat.indicator, as a nested object in the generated detection alert.This configuration is critical for 7.12 to allow users to receive enrichments from the new filebeat modules, which currently do not conform to the proposed ECS but instead use
threatintel.indicator.Reviewer Notes:
In general: create an indicator index, create a rule, generate some events, and observe the resultant, enriched signals. Specifically:
Generate a custom indicator index:
Create some indicator data. The simplest approach here is to create an indicator(s) with some known value (e.g. your computer's hostname) that we can leverage later. In dev tools:
Generate source events with values matching your indicator fields above. As an example, I run auditbeat, knowing that it will generate events with our laptop's hostname in
host.name. However, you can also manually insert some documents into an index of your own creation; just ensure that they contain values that will cause the rule to generate a signal.Create an indicator match rule against your indicator index and event data:
Note: we're temporarily using dev tools here due to some ongoing fields display issues, and the _source filter is for demo cleanliness, please remove
In the interest of getting this reviewed/merged I'm going to defer integration/UI tests to a subsequent PR.
Checklist
Delete any items that are not applicable to this PR.
(https://github.com/elastic/kibana/blob/c29adfef29e921cc447d2a5ed06ac2047ceab552/src/dev/build/tasks/os_packages/docker_generator/resources/bin/kibana-docker)
For maintainers