Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add timeline_id to detection rules #95

Merged
merged 20 commits into from
Oct 27, 2020
Merged

Add timeline_id to detection rules #95

merged 20 commits into from
Oct 27, 2020

Conversation

dcode
Copy link
Contributor

@dcode dcode commented Jul 27, 2020
edited
Loading

Issues

Summary

Kibana 7.9 adds support for timeline templates (elastic/kibana#67496). This PR associates the default generic templates with rules where they make sense. This should make the analytic workflow smoother when analyzing detections that we ship out of the box.

Contributor checklist

@dcode dcode added the v7.9.0 label Jul 27, 2020
@dcode dcode self-assigned this Jul 27, 2020
rw-access
rw-access suggested changes Jul 27, 2020
View reviewed changes
Copy link
Contributor

@rw-access rw-access left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@dcode looks like this branched from main, which is actually targeting 7.10.
If you want it in 7.9, you'll have to branch from 7.9 and target 7.9 with this PR

@rw-access rw-access self-requested a review July 28, 2020 13:31
@dcode dcode force-pushed the dcode/add-timeline-ids branch from 3617781 to 872469e Compare July 28, 2020 14:55
@dcode dcode changed the base branch from main to 7.9 July 28, 2020 16:23
@dcode dcode marked this pull request as ready for review July 28, 2020 16:32
@dcode dcode requested a review from brokensound77 as a code owner July 28, 2020 16:32
@rw-access rw-access requested a review from bm11100 August 3, 2020 16:36
@dcode dcode mentioned this pull request Aug 3, 2020
Closed
@dcode dcode added the blocked label Aug 3, 2020
@dcode
Copy link
Contributor Author

dcode commented Aug 3, 2020

blocked on elastic/kibana#74161

@rw-access rw-access changed the base branch from 7.9 to main August 3, 2020 20:10
@rw-access rw-access added v7.10.0 and removed v7.9.0 labels Aug 3, 2020
@brokensound77 brokensound77 added the Rule: Tuning tweaking or tuning an existing rule label Sep 9, 2020
brokensound77 and others added 2 commits October 7, 2020 12:15
@brokensound77
Re-organize commands under more specific click groups (elastic#356)
bd680a2 
* Restructure commands under more specific click groups
* standardize CLI error handling
* add global debug options
* move es and kibana clients into their click groups
* move commands and groups to dedicated files 
* distinguish variable names for better env/config parsing
@SHolzhauer @rw-access @brokensound77
Add kibana-upload --space option (elastic#251)
60b3d47 
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
@rw-access rw-access added v7.11.0 and removed v7.10.0 labels Oct 22, 2020
@rw-access rw-access changed the title Adds timeline_id to detection rules Add timeline_id to detection rules Oct 22, 2020
@rw-access rw-access changed the base branch from main to 7.10 October 22, 2020 05:42
@rw-access rw-access added v7.10.0 and removed v7.11.0 labels Oct 22, 2020
dcode added 5 commits October 22, 2020 12:10
@dcode
Adds timeline_id to all network rules
baf77df 
- Uses the ID for the 'Generic Network Timeline' from Elastic
@dcode
Adds timeline_id to all endpoint rules
d67e36c 
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
@dcode
Adds timeline_id to all process-oriented rules
4ab890c 
    - Uses the ID for the 'Generic Process Timeline' from Elastic
@dcode
revert to 7.9 version of schema
366d318
@dcode
Ran tests and toml-lint
a51b75d
@dcode dcode force-pushed the dcode/add-timeline-ids branch from 685bede to 1e48bd1 Compare October 22, 2020 18:05
@dcode dcode removed the blocked label Oct 22, 2020
rw-access
rw-access approved these changes Oct 22, 2020
View reviewed changes
Copy link
Contributor

@rw-access rw-access left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cool beans

rules/README.md Show resolved Hide resolved
@bm11100
Copy link
Contributor

bm11100 commented Oct 26, 2020

The templateTimelineId matches what's in Kibana. However, when looking at the templates, they have a specified start and end date. Each time a Generic timeline is opened, it defaults to the hardcoded date range (all are in April 2020). This isn't ideal and may be a blocker until adjusted.

image

image

@dcode
Copy link
Contributor Author

dcode commented Oct 27, 2020

We're actually good on this now. I met with @XavierM this morning and discussed. When a user clicks to "investigate in timeline" on an alert, the datetime range is updated to fit the current time window being investigated. I'll re-merge and push back to the branch to bring it up to date.

bm11100
bm11100 approved these changes Oct 27, 2020
View reviewed changes
Copy link
Contributor

@bm11100 bm11100 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dcode dcode merged commit 580db2c into elastic:7.10 Oct 27, 2020
@dcode dcode deleted the dcode/add-timeline-ids branch October 27, 2020 18:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rw-access rw-access rw-access approved these changes

@bm11100 bm11100 bm11100 approved these changes

@brokensound77 brokensound77 Awaiting requested review from brokensound77

Assignees

@dcode dcode

Labels
Rule: Tuning tweaking or tuning an existing rule v7.10.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Rule Tuning] Network rules should use the new 'Generic Network Timeline'
5 participants
@dcode @bm11100 @rw-access @brokensound77 @SHolzhauer