Expose index connector and action in custom security detection configuration #110550
Assignees
Labels
enhancement
New value added to drive a business result
epic
Feature:Detection Rules
Anything related to Security Solution's Detection Rules
Feature:Rule Actions
Security Solution Rule Actions feature
Team:Detections and Resp
Security Detection Response Team
Team: SecuritySolution
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
v7.16.0
Comments
jethr0null
added
enhancement
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
jethr0null
changed the title
Merged
1 task
|
Created a draft PR adding this functionality (it's a 1-liner 🙂) and in testing everything seems to be functional 👍. Only thing of note here is that it doesn't appear to be possible to index multiple documents per action firing, so a rule execution could create 100 alerts (to Without the ability to write multiple documents per action firing, I question the usefulness of this feature and if it'll just prove to be more of a headache to users expecting a larger degree of flexibility here. That said, it can at least be leveraged to write data to arbitrary indices, so more functionality/flexibility than is available today. At this point I think it's a Product/UX decision on if we want to move forward here as-is, or include prioritization of multi-document support as part of this effort. Would need to check with @elastic/kibana-alerting-services on LOE there since they own this connector, but wouldn't imagine this to be too large of an effort, just impactful since it would most likely change the accepted format from valid JSON. cc @jethr0null @elastic/security-design |
|
From doing a quick search, it seems correct, I don't think we have a workaround at this time other than solving the problem. The @elastic/kibana-alerting-services team is tracking such limitations under #89430. |
spong
added a commit
that referenced
this issue
Oct 19, 2021
… Detection Actions (#111813) ## Summary This PR enables the [Index Connector and Action](https://www.elastic.co/guide/en/kibana/master/index-action-type.html) for the detection engine, addressing #110550. <details><summary>Action type available in list:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132774871-285ff387-eebe-44ee-9172-3143d0283b09.png" /> </p> </details> <details><summary>No Connector UI:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132774935-e7e71061-e3b6-40ae-bc77-4adb76132de0.png" /> </p> </details> <details><summary>Create Connector UI:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132774985-50980dcf-b022-4101-809a-a2d5a617a892.png" /> </p> </details> <details><summary>Connector Template:</summary> <p> ``` json { "rule_id": "{{context.rule.id}}", "rule_name": "{{context.rule.name}}", "alert_id": "{{alert.id}}", "context_message": "Threshold Results: {{#context.alerts}}{{#signal.threshold_result.terms}}{{value}}, {{/signal.threshold_result.terms}}{{/context.alerts}}" } ``` <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132775311-3091ed5d-d7df-4dc1-89d6-c02a93c04779.png" /> </p> </p> </details> <details><summary>Documents successfully written:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132775457-128f0e62-0978-46a6-ae6e-bd951a1d6c96.png" /> </p> </details> --- If wanting to store the alert index timestamp, create index first with `timestamp` field and use `Define timefield for each document` option: ``` PUT .homemade-alerts-index { "mappings" : { "dynamic": "true", "properties" : { "@timestamp": { "type": "date" } } } } ``` <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132775842-ac6534a7-289d-426f-851b-f5f2c2bb5716.png" /> </p> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132776120-2def172f-3bfa-4a7e-b041-155e817173ab.png" /> </p> ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials (will need to update documentation if we proceed with this PR)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this issue
Oct 19, 2021
… Detection Actions (elastic#111813) ## Summary This PR enables the [Index Connector and Action](https://www.elastic.co/guide/en/kibana/master/index-action-type.html) for the detection engine, addressing elastic#110550. <details><summary>Action type available in list:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132774871-285ff387-eebe-44ee-9172-3143d0283b09.png" /> </p> </details> <details><summary>No Connector UI:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132774935-e7e71061-e3b6-40ae-bc77-4adb76132de0.png" /> </p> </details> <details><summary>Create Connector UI:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132774985-50980dcf-b022-4101-809a-a2d5a617a892.png" /> </p> </details> <details><summary>Connector Template:</summary> <p> ``` json { "rule_id": "{{context.rule.id}}", "rule_name": "{{context.rule.name}}", "alert_id": "{{alert.id}}", "context_message": "Threshold Results: {{#context.alerts}}{{#signal.threshold_result.terms}}{{value}}, {{/signal.threshold_result.terms}}{{/context.alerts}}" } ``` <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132775311-3091ed5d-d7df-4dc1-89d6-c02a93c04779.png" /> </p> </p> </details> <details><summary>Documents successfully written:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132775457-128f0e62-0978-46a6-ae6e-bd951a1d6c96.png" /> </p> </details> --- If wanting to store the alert index timestamp, create index first with `timestamp` field and use `Define timefield for each document` option: ``` PUT .homemade-alerts-index { "mappings" : { "dynamic": "true", "properties" : { "@timestamp": { "type": "date" } } } } ``` <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132775842-ac6534a7-289d-426f-851b-f5f2c2bb5716.png" /> </p> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132776120-2def172f-3bfa-4a7e-b041-155e817173ab.png" /> </p> ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials (will need to update documentation if we proceed with this PR)
kibanamachine
added a commit
that referenced
this issue
Oct 19, 2021
… Detection Actions (#111813) (#115563) ## Summary This PR enables the [Index Connector and Action](https://www.elastic.co/guide/en/kibana/master/index-action-type.html) for the detection engine, addressing #110550. <details><summary>Action type available in list:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132774871-285ff387-eebe-44ee-9172-3143d0283b09.png" /> </p> </details> <details><summary>No Connector UI:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132774935-e7e71061-e3b6-40ae-bc77-4adb76132de0.png" /> </p> </details> <details><summary>Create Connector UI:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132774985-50980dcf-b022-4101-809a-a2d5a617a892.png" /> </p> </details> <details><summary>Connector Template:</summary> <p> ``` json { "rule_id": "{{context.rule.id}}", "rule_name": "{{context.rule.name}}", "alert_id": "{{alert.id}}", "context_message": "Threshold Results: {{#context.alerts}}{{#signal.threshold_result.terms}}{{value}}, {{/signal.threshold_result.terms}}{{/context.alerts}}" } ``` <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132775311-3091ed5d-d7df-4dc1-89d6-c02a93c04779.png" /> </p> </p> </details> <details><summary>Documents successfully written:</summary> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132775457-128f0e62-0978-46a6-ae6e-bd951a1d6c96.png" /> </p> </details> --- If wanting to store the alert index timestamp, create index first with `timestamp` field and use `Define timefield for each document` option: ``` PUT .homemade-alerts-index { "mappings" : { "dynamic": "true", "properties" : { "@timestamp": { "type": "date" } } } } ``` <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132775842-ac6534a7-289d-426f-851b-f5f2c2bb5716.png" /> </p> <p align="center"> <img width="500" src="https://user-images.githubusercontent.com/2946766/132776120-2def172f-3bfa-4a7e-b041-155e817173ab.png" /> </p> ### Checklist Delete any items that are not applicable to this PR. - [ ] [Documentation](https://www.elastic.co/guide/en/kibana/master/development-documentation.html) was added for features that require explanation or tutorials (will need to update documentation if we proceed with this PR) Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Kibana alerting users are able to utilize the index connector and action when configuring alerts. We should explore exposing this capability when configuring custom security detections (rules).
This connector should index a document per alert (vs. a single document for all alerts generated by a rule execution).
Use cases for multi-document indexing:
The text was updated successfully, but these errors were encountered: