-
Notifications
You must be signed in to change notification settings - Fork 8.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[SIEM] [Detection Engine] Adds stable alerting ids, more scripting fo…
…r product testing, and more unit tests (#48471) (#48580) * Adds stable alerting id's by using the alert params. * Currently does a manual walk through of the alert params to find the stable id * Updated all of the endpoints to take either of the two id's. * Added several scripts to support performance testing ad-hoc such as `post_x_signals.sh` * Added scripts to support converting from saved searches to alerts. * Consolidated and fixed a lot of the backend types * Added unit tests against the router endpoints * #47013 Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR. ~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~ ~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~ ~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~ - [x] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios ~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~ - [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process) - [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)
- Loading branch information
1 parent
2693f5b
commit 7ef04d4
Showing
37 changed files
with
1,668 additions
and
478 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
114 changes: 114 additions & 0 deletions
114
x-pack/legacy/plugins/siem/scripts/convert_saved_search_to_signals.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
| /* | ||
| * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one | ||
| * or more contributor license agreements. Licensed under the Elastic License; | ||
| * you may not use this file except in compliance with the Elastic License. | ||
| */ | ||
|
|
||
| require('../../../../../src/setup_node_env'); | ||
|
|
||
| const fs = require('fs'); | ||
| const path = require('path'); | ||
|
|
||
| /* | ||
| * This script is used to parse a set of saved searches on a file system | ||
| * and output signal data compatible json files. | ||
| * Example: | ||
| * node saved_query_to_signals.js ${HOME}/saved_searches ${HOME}/saved_signals | ||
| * | ||
| * After editing any changes in the files of ${HOME}/saved_signals/*.json | ||
| * you can then post the signals with a CURL post script such as: | ||
| * | ||
| * ./post_signal.sh ${HOME}/saved_signals/*.json | ||
| * | ||
| * Note: This script is recursive and but does not preserve folder structure | ||
| * when it outputs the saved signals. | ||
| */ | ||
|
|
||
| // Defaults of the outputted signals since the saved KQL searches do not have | ||
| // this type of information. You usually will want to make any hand edits after | ||
| // doing a search to KQL conversion before posting it as a signal or checking it | ||
| // into another repository. | ||
| const INTERVAL = '24h'; | ||
| const SEVERITY = 1; | ||
| const TYPE = 'kql'; | ||
| const FROM = 'now-24h'; | ||
| const TO = 'now'; | ||
| const INDEX = ['auditbeat-*', 'filebeat-*', 'packetbeat-*', 'winlogbeat-*']; | ||
|
|
||
| const walk = dir => { | ||
| const list = fs.readdirSync(dir); | ||
| return list.reduce((accum, file) => { | ||
| const fileWithDir = dir + '/' + file; | ||
| const stat = fs.statSync(fileWithDir); | ||
| if (stat && stat.isDirectory()) { | ||
| return [...accum, ...walk(fileWithDir)]; | ||
| } else { | ||
| return [...accum, fileWithDir]; | ||
| } | ||
| }, []); | ||
| }; | ||
|
|
||
| //clean up the file system characters | ||
| const cleanupFileName = file => { | ||
| return path | ||
| .basename(file, path.extname(file)) | ||
| .replace(/\s+/g, '_') | ||
| .replace(/,/g, '') | ||
| .replace(/\+s/g, '') | ||
| .replace(/-/g, '') | ||
| .replace(/__/g, '_') | ||
| .toLowerCase(); | ||
| }; | ||
|
|
||
| async function main() { | ||
| if (process.argv.length !== 4) { | ||
| throw new Error( | ||
| 'usage: saved_query_to_signals [input directory with saved searches] [output directory]' | ||
| ); | ||
| } | ||
|
|
||
| const files = process.argv[2]; | ||
| const outputDir = process.argv[3]; | ||
|
|
||
| const savedSearchesJson = walk(files).filter(file => file.endsWith('.ndjson')); | ||
|
|
||
| const savedSearchesParsed = savedSearchesJson.reduce((accum, json) => { | ||
| const jsonFile = fs.readFileSync(json, 'utf8'); | ||
| try { | ||
| const parsedFile = JSON.parse(jsonFile); | ||
| parsedFile._file = json; | ||
| parsedFile.attributes.kibanaSavedObjectMeta.searchSourceJSON = JSON.parse( | ||
| parsedFile.attributes.kibanaSavedObjectMeta.searchSourceJSON | ||
| ); | ||
| return [...accum, parsedFile]; | ||
| } catch (err) { | ||
| return accum; | ||
| } | ||
| }, []); | ||
|
|
||
| savedSearchesParsed.forEach(savedSearch => { | ||
| const fileToWrite = cleanupFileName(savedSearch._file); | ||
|
|
||
| const query = savedSearch.attributes.kibanaSavedObjectMeta.searchSourceJSON.query.query; | ||
| if (query != null && query.trim() !== '') { | ||
| const outputMessage = { | ||
| id: fileToWrite, | ||
| description: savedSearch.attributes.description || savedSearch.attributes.title, | ||
| index: INDEX, | ||
| interval: INTERVAL, | ||
| name: savedSearch.attributes.title, | ||
| severity: SEVERITY, | ||
| type: TYPE, | ||
| from: FROM, | ||
| to: TO, | ||
| kql: savedSearch.attributes.kibanaSavedObjectMeta.searchSourceJSON.query.query, | ||
| }; | ||
|
|
||
| fs.writeFileSync(`${outputDir}/${fileToWrite}.json`, JSON.stringify(outputMessage, null, 2)); | ||
| } | ||
| }); | ||
| } | ||
|
|
||
| if (require.main === module) { | ||
| main(); | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
92 changes: 0 additions & 92 deletions
92
x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/create_signal.ts
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.