Is your feature request related to a problem? Please describe.
N/A
Describe the solution you'd like
Our 7.9 release will provide support for threshold rules in the SIEM's detection engine. We need to add support to the detection-rules CLI for threshold rules.
Describe alternatives you've considered
N/A
Additional context
Below is an example threshold rule that I exported from the SIEM. Please note that including a value for `field` is not mandatory.
Example threshold rule
```json
{
  "author": [],
  "actions": [],
  "created_at": "2020-07-15T03:55:01.873Z",
  "updated_at": "2020-07-15T13:23:49.678Z",
  "created_by": "threatpunter",
  "description": "Identifies a high number of failed Okta user authentication attempts from a single IP address, which could be indicative of a brute force or password spraying attack. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts.",
  "enabled": true,
  "false_positives": [],
  "filters": [],
  "from": "now-360s",
  "id": "a216c36f-1e60-49d7-b452-e6c0c0011929",
  "immutable": false,
  "index": [
    "filebeat-*"
  ],
  "interval": "5m",
  "rule_id": "db2efd83-4e17-4fd8-a56c-13c526722540",
  "language": "kuery",
  "license": "",
  "output_index": ".siem-signals-username-default",
  "max_signals": 100,
  "risk_score": 47,
  "risk_score_mapping": [],
  "name": "Okta Brute Force or Password Spraying Attack",
  "query": "event.module:okta and event.dataset:okta.system and event.category:authentication and event.outcome:failure",
  "references": [],
  "meta": {
    "from": "1m",
    "kibana_siem_app_url": "http://localhost:5603/jyr/app/security/detections"
  },
  "severity": "medium",
  "severity_mapping": [],
  "updated_by": "threatpunter",
  "tags": [
    "Elastic",
    "Okta"
  ],
  "to": "now",
  "type": "threshold",
  "threat": [],
  "threshold": {
    "field": "source.ip",
    "value": 25
  },
  "throttle": "no_actions",
  "version": 2,
  "exceptions_list": []
}
```
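The exported rule above is the only concrete specification this issue gives for the `threshold` block: a `value` and an optional `field`. The following Python is an added illustration of what a CLI-side validation for that block could look like; it is not the detection-rules project's own schema code. The `type`, `threshold.field`, `threshold.value`, `query` and `language` keys come from the exported rule on this page; the constraints enforced (integer `value` of at least 1, `field` optional but non-empty when present, no extra keys) and the function names are assumptions made for the example.

```python
from typing import Dict, List

# Constructed sample: the keys below are copied from the threshold rule
# exported in the issue, trimmed to the ones the checker inspects.
EXPORTED_RULE: Dict = {
    "name": "Okta Brute Force or Password Spraying Attack",
    "type": "threshold",
    "language": "kuery",
    "query": (
        "event.module:okta and event.dataset:okta.system and "
        "event.category:authentication and event.outcome:failure"
    ),
    "threshold": {"field": "source.ip", "value": 25},
}


def validate_threshold_rule(rule: Dict) -> List[str]:
    """Return a list of problems found; an empty list means the rule passes.

    Hypothetical constraints (assumed for this example, not the project's schema):
      - "type" must be "threshold"
      - "threshold" must be an object with an integer "value" >= 1
      - "threshold.field" is optional; when present it must be a non-empty string
      - no keys other than "field" and "value" inside "threshold"
      - a threshold rule still carries a "query" and a "language"
    """
    errors: List[str] = []
    if rule.get("type") != "threshold":
        errors.append('type must be "threshold"')

    thr = rule.get("threshold")
    if not isinstance(thr, dict):
        errors.append("threshold must be an object")
        return errors  # nothing more to inspect without the block

    value = thr.get("value")
    # bool is a subclass of int in Python, so exclude it explicitly
    if isinstance(value, bool) or not isinstance(value, int) or value < 1:
        errors.append("threshold.value must be an integer >= 1")

    if "field" in thr:
        field = thr["field"]
        if not isinstance(field, str) or not field.strip():
            errors.append("threshold.field, when given, must be a non-empty string")

    unknown = sorted(set(thr) - {"field", "value"})
    if unknown:
        errors.append("unexpected threshold keys: " + ", ".join(unknown))

    for key in ("query", "language"):
        if not isinstance(rule.get(key), str) or not rule[key]:
            errors.append(f"{key} is required for threshold rules")
    return errors


def describe_threshold(rule: Dict) -> str:
    """Plain-language reading of the threshold block (author's interpretation)."""
    thr = rule["threshold"]
    if "field" in thr:
        return (
            f"alert when at least {thr['value']} matching events share one value "
            f"of {thr['field']} within the rule window"
        )
    return (
        f"alert when at least {thr['value']} matching events occur within the "
        "rule window, with no grouping field"
    )


if __name__ == "__main__":
    for candidate in (EXPORTED_RULE, dict(EXPORTED_RULE, threshold={"value": 25})):
        problems = validate_threshold_rule(candidate)
        print("OK  " if not problems else "FAIL", describe_threshold(candidate), problems)
```

The second candidate in the `__main__` block drops `field` entirely, which is the case the issue calls out as permitted; a checker that requires `field` would wrongly reject it, so the test for the optional key is the one worth keeping when this is ported onto whatever schema library the CLI adopts.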
Thanks for the info @threat-punter. I modified the title since there is more involved than the CLI, which should inherit support from the schema changes. I also reformatted the json data to be more readable.