[Lateral Movement Detection] Add dashboard and release to production

[sodhikirti07]

What does this PR do?

This PR adds the following enhancements in the Lateral Movement Detection package:

• Dashboard
• Updated README with instructions to add dashboard
• Updated changelog and manifest yml files: added a new condition property for premium subscription, changed package version for production release and added license.
• Added ML tags and bumped version in security rules

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• [ ]

How to test this PR locally

Related issues

• https://github.com/elastic/security-ml/issues/203

Screenshots

Refer to below comment for screenshots!

[sodhikirti07]

Lateral Movement Detection package updated for version 0.0.2 with dashboard asset:

Anomaly detection jobs created and started:

Detection rules enabled and started without warnings:

ML tag added to the detection rules using machine learning jobs:

Dashboard asset installed and available without any errors:

[szeitlin]

Looks great! Ship it!

Great work getting this done so fast! 🎉

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-01-20T16:24:01.852+0000

• Duration: 15 min 43 sec

Test stats 🧪

Test	Results
Failed	0
Passed	1
Skipped	0
Total	1

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[susan-shu-c]

🚀

[sodhikirti07]

Screenshot of dashboard with data:

[peteharverson]

As discussed with @sodhikirti07, note that anyone viewing the dashboard will also need read access to the .ml-anomalies* index to be able to see the visualizations which query that index directly. To create the data view you also need to enable Allow hidden and system indices inside the Advanced settings.

[sodhikirti07]

Thank you for catching this. I've made the changes.

[andrewkroh]

The package-spec [^1] appears to allow you to codify this with:

conditions:
  elastic:
    subscription: platinum

I'm not sure what the behavior is, but thought I would mention it.

https://github.com/elastic/package-spec/blob/60560379ad6ed5ffa6fc3beb13ec22ad89bdddc4/spec/integration/manifest.spec.yml#L42-L59

[sodhikirti07]

Done!

[ajosh0504]

Suggested change

	Before going to the dashboard, make sure you have the following settings configured in your Kibana.
	For the dashboard to work as expected, the following settings need to be configured in Kibana.

[sodhikirti07]

Done

[ajosh0504]

Allow hidden and system indices should happen before they can proceed to naming the pattern, so maybe that should be the first sentence in the bullet.

Also maybe explicitly mention what the Name and Data View ID must be, since I'm guessing the dashboard is relying on a specific ID.

[sodhikirti07]

Done

[ajosh0504]

Consider making this index pattern more specific. I believe the job results go to .ml-anomalies-shared by default, unless you're specifying custom indices.

[sodhikirti07]

Thanks for pointing this out! Changed the dashboard to include .ml-anomalies-shared index-pattern.

[ajosh0504]

Bump the version number since you're updating the rule.

[sodhikirti07]

Done

[sodhikirti07]

@andrewkroh Thanks for mentioning this. Added the platinum subscription condition in manifest.yml and removed it from package description. @ajosh0504 @susan-shu-c We should do it for other packages as well.

[andrewkroh]

manifest.yml changes LGTM,

[szeitlin]

lgtm!

[szeitlin]

I see Requires a Platinum subscription got removed <-- is this no longer true?

[sodhikirti07]

It is true for our package but I added it under condition property in manifest.yml. So, it will appear on right hand side of the package's main page (see the screenshot above).

[szeitlin]

Thanks, I dislike how github doesn't have a way to insert screenshots into the code review view, so I was just looking at the code when I wrote that.

[szeitlin]

FWIW, in the future this is the kind of thing you could put in the description of the PR (it's ok to update that as you go along).

[droberts195]

Directly granting access to machine learning results indices has implications for using spaces to control ML job visibility. I think this should be made clear. Something along the lines of this:

Suggested change

2. You have **read** access to **.ml-anomalies*** index or are assigned the **machine_learning_user** role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html).

2. You have **read** access to **.ml-anomalies*** index or are assigned the **machine_learning_user** role. For more information on roles, please refer to [Built-in roles in Elastic](https://www.elastic.co/guide/en/elasticsearch/reference/current/built-in-roles.html). Please be aware that a user who has access to the underlying machine learning results indices can see the results of _all_ jobs in _all_ spaces. Do not grant these permissions if you use Kibana spaces to control which users can see which machine learning results. For more information on machine learning privileges see [here](https://www.elastic.co/guide/en/machine-learning/current/setup.html#setup-privileges).

[ajosh0504]

Looking great! Nice work! 🚢

[droberts195]

The ML permissions documentation LGTM.

[elasticmachine]

Package lmd - 1.0.0 containing this change is available at https://epr.elastic.co/search?package=lmd