Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SIEM][Detections] Create Endpoint/Alert pre-packaged promotion rules #65942

Closed
spong opened this issue May 9, 2020 · 5 comments
Closed

[SIEM][Detections] Create Endpoint/Alert pre-packaged promotion rules #65942

spong opened this issue May 9, 2020 · 5 comments
Assignees
@spong
Labels
enhancement New value added to drive a business result Feature:Detection Rules Security Solution rules and Detection Engine Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.9.0

Comments

@spong
Copy link
Member

spong commented May 9, 2020
edited
Loading

This issue if for creating the Elastic Endpoint and External Alerts pre-packaged promotion rules that will enable external alerts to be used in investigations. This effort will need to be coordinated with @elastic/security-intelligence-analytics as they manage pre-packaged rule additions.

This will require the additional Detection Rule fields from #65941.

Update: @peluja1012 and I met with the I&A folks on 13-MAY to outline these changes and the overall workflow around the promotion rules. Once #65941 is complete, we'll open an issue in the elastic/siem-rules repo detailing the configuration for the above promotion rules and we'll follow the existing workflow for getting rules into the Detection Engine.
@spong spong added enhancement New value added to drive a business result Team:SIEM v7.9.0 Feature:Detection Rules Security Solution rules and Detection Engine labels May 9, 2020
@spong spong self-assigned this May 9, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/siem (Team:SIEM)

@spong spong mentioned this issue May 9, 2020
Closed
@jonathan-buttner
Copy link
Contributor

@spong I'm working on some functionality for resolver. We'd like to be able to show the enriched information for an alert in the resolver UI. In the kibana backend how would I go about querying for the enriched information like who the alert is assigned to, whether it is archived, etc?

Would all that information be stored in .siem-signals-default?

@jonathan-buttner jonathan-buttner mentioned this issue Jun 5, 2020
Merged
@spong
Copy link
Member Author

spong commented Jun 8, 2020

Correct @jonathan-buttner, all that enriched information will be stored on the alert in the .siem-signals-[space] index. Note: the index name can be overridden using the following kibana.yml config: xpack.securitySolution.signalsIndex. For enrichment, we don't currently have assigned_to, but there is status that can be marked as open or closed, and we're adding support for in_progress as part of this issue (internal).

While it's just a data index (so you can query with the Elasticsearch DSL), we do have some helper API's for fetching Alerts and updating their status. Just a heads up that while the front end has been migrated from signals->alerts, the server still uses signals for the time being.

This was referenced Jul 8, 2020
Closed
Merged
@spong
Copy link
Member Author

spong commented Jul 9, 2020
edited
Loading

First half if this has been completed as part of elastic/detection-rules#42 to get the rules into the detection-rules repo. Next step will be the PR from the I&A team for getting this into Kibana which is located here: #71332

@spong
Copy link
Member Author

spong commented Jul 14, 2020

Closing as #71332 has been merged! 🙂

@spong spong closed this as completed Jul 14, 2020
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@spong spong

Labels
enhancement New value added to drive a business result Feature:Detection Rules Security Solution rules and Detection Engine Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.9.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@MindyRS @spong @elasticmachine @jonathan-buttner