[Timeline] Add Indicator Match Timeline Template #95840
Conversation
Pinging @elastic/security-solution (Team: SecuritySolution)
@peasead this is awesome! Timeline templates are powerful, and I'm psyched to see this new one being added! Question: What would you think about calling this a generic threat match timeline template? Two reasons why I ask:
Great feedback, thanks @MikePaquette. Absolutely makes sense to change the name. I can do that and update the PR.
Can anyone help me with these checks?
@elasticmachine merge upstream
@elasticmachine merge upstream
Thanks @rylnd What're the next steps? Anything I need to do?
I was able to verify the changes with the following steps:

- set the following env vars

  ```sh
  export ELASTICSEARCH_USERNAME=${user}
  export ELASTICSEARCH_PASSWORD=${password}
  export ELASTICSEARCH_URL=https://${ip}:9200
  export KIBANA_URL=http://localhost:5601
  export TASK_MANAGER_INDEX=.kibana-task-manager-${your user id}
  export KIBANA_INDEX=.kibana-${your user id}
  ```

  and source ~/.bash_profile
- add

  ```yaml
  xpack.securitySolution.signalsIndex: .siem-signals-${username}
  ```

  to config/kibana.dev.yml
- run the following

  ```sh
  brew update && brew install curl && brew install jq
  cd x-pack/plugins/security_solution/server/lib/detection_engine/scripts
  sh ./timelines/add_prepackaged_timelines.sh
  ```

- go to http://localhost:5601/app/security#/detections/rules and click on Install Elastic prebuilt rules

After following the steps above, I was able to find and interact with the threat match template. I was able to find my previously generated alerts in the timeline view.

LGTM!
@elasticmachine merge upstream
💚 Build Succeeded
To update your PR or re-run it, just comment with:
We need to backport this to 7.x to get it into the 7.x releases. Doing that now!
* added threat-match timeline template
* added indicator match timeline template
* updated name to threat match
* updated name to threat match
* changed file name to threat.json

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
* added threat-match timeline template
* added indicator match timeline template
* updated name to threat match
* updated name to threat match
* changed file name to threat.json

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Summary
Currently, there are generic timelines for network, endpoint, and processes.
I would like to add a generic indicator match timeline for the Indicator Match detection rule.
This includes the `threat.indicator.matched.atomic`, `threat.indicator.matched.field`, and `threat.indicator.matched.type` fields.

Resolves #95565
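The three fields the template surfaces are what an indicator match rule writes into each alert it generates. As an added example (not code from this PR or from Kibana), the Python below extracts those `matched` triplets from constructed alert documents and summarizes them the way an analyst would pivot on them in the threat match timeline; the assumption that the enrichment sits under `threat.indicator[].matched` is taken from the field names in the PR description, and the sample documents are constructed, not real alerts.

```python
from collections import Counter

# Constructed sample alerts (not real data). Assumption: an indicator match
# rule nests its enrichment under threat.indicator[].matched with the
# atomic/field/type keys named in this PR.
SAMPLE_ALERTS = [
    {"signal": {"rule": {"name": "Threat Intel Indicator Match"}},
     "source": {"ip": "203.0.113.10"},
     "threat": {"indicator": [
         {"matched": {"atomic": "203.0.113.10", "field": "source.ip", "type": "ipv4-addr"}}]}},
    {"signal": {"rule": {"name": "Threat Intel Indicator Match"}},
     "file": {"hash": {"sha256": "a" * 64}},
     # a single object rather than a list, to exercise the tolerant path
     "threat": {"indicator": {"matched": {"atomic": "a" * 64, "field": "file.hash.sha256", "type": "file"}}}},
    {"signal": {"rule": {"name": "Some other rule"}}},  # no indicator enrichment at all
]


def matched_indicators(alert):
    """Return (atomic, field, type) tuples from one alert's threat.indicator enrichment.

    Accepts a single object or a list under threat.indicator and skips any
    entry that lacks a complete atomic/field/type triplet."""
    indicators = alert.get("threat", {}).get("indicator", [])
    if isinstance(indicators, dict):
        indicators = [indicators]
    out = []
    for ind in indicators:
        m = ind.get("matched") if isinstance(ind, dict) else None
        if not m or not all(k in m for k in ("atomic", "field", "type")):
            continue
        out.append((m["atomic"], m["field"], m["type"]))
    return out


def summarize(alerts):
    """Count matches per (field, type) pair and collect the atomics seen for each,
    mirroring the grouping the threat match timeline template lets an analyst do."""
    counts = Counter()
    atomics = {}
    for alert in alerts:
        for atomic, field, itype in matched_indicators(alert):
            counts[(field, itype)] += 1
            atomics.setdefault((field, itype), set()).add(atomic)
    return counts, atomics


if __name__ == "__main__":
    counts, atomics = summarize(SAMPLE_ALERTS)
    for (field, itype), n in counts.most_common():
        print(f"{field} ({itype}): {n} match(es), atomics={sorted(atomics[(field, itype)])}")
```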
Checklist
Delete any items that are not applicable to this PR.
Using the documentation here, I was able to successfully run the `add_prepackaged_timelines.sh` and `./timelines/find_timeline_by_filter.sh` scripts to load and verify the Timeline templates in 7.12.0.

For maintainers