Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security Solution][Detections] Add ability to import/export Rule Actions #100956

Closed
spong opened this issue May 28, 2021 · 7 comments
Closed

[Security Solution][Detections] Add ability to import/export Rule Actions #100956

spong opened this issue May 28, 2021 · 7 comments
Assignees
Labels
enhancement New value added to drive a business result Feature:Rule Actions Security Solution Detection Rule Actions area Feature:Rule Management Security Solution Detection Rule Management area Team:Detections and Resp Security Detection Response Team Team:Security Solution Platform Security Solution Platform Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.16.0

Comments

@spong
Copy link
Member

spong commented May 28, 2021

Currently Rule Actions are not exported as part of the Security Detection Rule, and there is no other dedicated way of backing up and restoring the actions on a rule. With #50266, Rules, Connectors, and in turn Actions (via SO references)) will be exportable via the SO Management UI, since there is potential that Detection Rules might not be exportable via this method, we will potentially need to support the exporting/importing of actions via the dedicated Security Solution import/export flow.

Currently, whether exporting a single rule by ID, or exporting all rules, the ruleActions object is not provided, and so will end up being an empty array when exporting.

Note: As mentioned above, Actions are currently stored in the SO References array on the alerting object, however the SO References array is not exposed to consumers. This issue (#87992) should be resolved by the 7.15 timeframe, and so could be used for exporting the actions directly from the rule, however there may be additional effort required here since we maintain a separate alerting SO for managing actions configured to fire at specific intervals.

Action as returned from Read Rules API
  "throttle": "rule", // For `on each rule execution` interval, if `weekly` interval value would be "7d"
  "actions": [
    {
      "action_type_id": ".slack",
      "id": "4f29f6f0-ad19-11eb-a9a1-db4a86196788",
      "params": {
        "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
      },
      "group": "default"
    }
  ],
Sample Exported Rule showing now `action` (expanded from `ndjson`):

{
  "id": "29b2a240-be86-11eb-b868-a966afda346b",
  "updated_at": "2021-05-28T20:09:43.912Z",
  "updated_by": "spong",
  "created_at": "2021-05-27T00:55:00.352Z",
  "created_by": "spong",
  "name": "Test Export Rule",
  "tags": [],
  "interval": "5m",
  "enabled": false,
  "description": "Test Export Rule",
  "risk_score": 21,
  "severity": "low",
  "license": "",
  "output_index": ".siem-signals-spong-default",
  "timeline_id": "817a4ecc-d008-4b6b-87cc-04ee404bcad7",
  "timeline_title": "Best Template Ever",
  "meta": {
    "from": "1m",
    "kibana_siem_app_url": "http://localhost:5601/gew/app/security"
  },
  "author": [],
  "false_positives": [],
  "from": "now-360s",
  "rule_id": "b0b83c5b-5c7a-4c67-97f3-a84ee1843403",
  "max_signals": 100,
  "risk_score_mapping": [],
  "severity_mapping": [],
  "threat": [],
  "to": "now",
  "references": [],
  "version": 4,
  "exceptions_list": [
    {
      "list_id": "c79da945-641e-4f8f-9486-cf31f3937c0e",
      "namespace_type": "single",
      "id": "31997dd0-be86-11eb-b868-a966afda346b",
      "type": "detection"
    }
  ],
  "immutable": false,
  "type": "query",
  "language": "kuery",
  "index": [
    "apm-*-transaction*",
    "auditbeat-*",
    "endgame-*",
    "filebeat-*",
    "logs-*",
    "packetbeat-*",
    "winlogbeat-*",
    "test-index-constant-keyword-delme",
    "test-index-keyword-delme"
  ],
  "query": "host.name:*",
  "filters": [],
  "throttle": "no_actions",
  "actions": []
}

@spong spong added enhancement New value added to drive a business result Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. 7.15 candidate labels May 28, 2021
@elasticmachine
Copy link
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine
Copy link
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@peluja1012 peluja1012 added Feature:Rule Actions Security Solution Detection Rule Actions area Feature:Rule Management Security Solution Detection Rule Management area Team:Security Solution Platform Security Solution Platform Team labels Sep 15, 2021
@FrankHassanabad FrankHassanabad self-assigned this Sep 15, 2021
@bilelmeddeb
Copy link

did you find any solution for this please ?

@spong
Copy link
Member Author

spong commented Sep 17, 2021

Initial groundwork for this has been merged as of #109722, and you can follow along this issue #109169 for exposing Detection Rules/Actions/Connectors/Exceptions via the Saved Object Manager under Stack Management (which will enable the exporting of rules along with their actions +more! 🙂).

There's currently open discussion on the migration of existing actions to ensure they're available and functioning post-upgrade. You can following along that here: #112327

All these changes should result in much more flexibility for you with regards to 1-click exports and the importing/exporting of all objects of a specific type (Rules), or that object and all related objects (Rules, Actions, Connectors, Exceptions, Timeline Templates, etc). This'll also open up the sharing/moving of these between objects spaces (#100067).

@bilelmeddeb
Copy link

Hello can you help me more, please!! I'm new in elastic :(

@spong
Copy link
Member Author

spong commented Oct 20, 2021

Great news @bilelmeddeb 🎉 -- this functionality was just merged as of #115243, so you can expect to see this in the upcoming Kibana 7.16 release. Please see the PR for more details, or check out the updated documentation once this version is released. Cheers! 🙂

Going to close this issue as it is resolved via #115243.

@spong spong closed this as completed Oct 20, 2021
@FrankHassanabad
Copy link
Contributor

@bilelmeddeb I would suggest choosing one of our "good first issue"

https://github.com/elastic/kibana/issues?q=is%3Aopen+label%3A%22good+first+issue%22+label%3A%22Team%3ASecurity+Solution+Platform%22

And seeing this post of ours:
https://www.elastic.co/guide/en/kibana/master/contributing.html

Once you have a PR made, ping one of us.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New value added to drive a business result Feature:Rule Actions Security Solution Detection Rule Actions area Feature:Rule Management Security Solution Detection Rule Management area Team:Detections and Resp Security Detection Response Team Team:Security Solution Platform Security Solution Platform Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v7.16.0
Projects
None yet
Development

No branches or pull requests

5 participants