[SIEM][Detection Engine] Signal ECS Mappings #47015
Comments
Pinging @elastic/siem

Initial Brain Dump Reaction for Discussion: Thanks for getting this ball rolling! An excellent starting list.

I think the idea of a There is one fundamental question about signals, which is what should Other recommendations:

One more thing - I don't see all of the decorations people want from the Detail view field list in the original design doc: https://docs.google.com/document/d/1cwith7P19asZJ178cZBB2TJ6XT6DZvCcKPBEi8gl-TU/edit#

@randomuserid you are correct, we've not addressed the IOC Matching fields anywhere yet. I think we'll need a follow-on PR after elastic/ecs#505

What about the severity rating - are we agreed on keeping it, or should I elaborate further?

Also, severity usually gets mapped to labels like critical, high, medium, low, informational. I used to map numbers to labels in searches, but it can be simpler to use labels than to maintain mappings between numbers and names.
…nal schema changes (#48679)

## Summary

Schema changes
---

* Changed `signal.severity` from `number` to `string`
* Change the `@timestamp` to be the time the signal was detected. To describe this more, when the alert begins processing the rule, it creates a time stamp from `now` and then populates each signal with that value of `now`. The next time the alert re-starts processing, it repeats the same thing.
* Changed `signal.time_detected` to be `original_time` for any UI that wants to filter or use that.
* Added a new field to `signal` called `index` which contains the original index so that locating the originating signal is possible.
* Removed `error` as we are going to not push errors for each signal at this point. We can be clever and create "maintenance" signals that we generate with our IDs though if we want, and reserve a block of rule IDs if we do that.
* Updated the other ECS fields and ECS schema to be on 1.2 from [here](https://raw.githubusercontent.com/elastic/ecs/master/generated/elasticsearch/7/template.json)

Code fixes
---

* Fixed more incorrect TypeScript type bugs.
* Fixed a bug where we were creating strings from arrays rather than just pushing the arrays directly in some cases.
* Removed the last `any`s from the detection engine folder by pushing the types down.
* Removed more touch points with the types where I could find them, which should make changing the schema and endpoints faster next time.
* #47015

### Checklist

Use ~~strikethroughs~~ to remove checklist items you don't feel are applicable to this PR.

~~- [ ] This was checked for cross-browser compatibility, [including a check against IE11](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility)~~
~~- [ ] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)~~
~~- [ ] [Documentation](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#writing-documentation) was added for features that require explanation or tutorials~~
~~- [ ] [Unit or functional tests](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#cross-browser-compatibility) were updated or added to match the most common scenarios~~
~~- [ ] This was checked for [keyboard-only and screenreader accessibility](https://developer.mozilla.org/en-US/docs/Learn/Tools_and_testing/Cross_browser_testing/Accessibility#Accessibility_testing_checklist)~~

### For maintainers

~~- [ ] This was checked for breaking API changes and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~
~~- [ ] This includes a feature addition or change that requires a release note and was [labeled appropriately](https://github.com/elastic/kibana/blob/master/CONTRIBUTING.md#release-notes-process)~~
A few more items:

Thanks

signal.reference is typically a link to some research or discourse which resulted in the signal being created and the nature of the TTPs that are being detected.

This ticket is no longer being updated. We will have a few minor tweaks moving forward to the signals schema, but for the most part this is completed.
current signal schema - 10/18/2019

In the new index all the ECS fields are being copied over and the new `signal` meta object tracks the additions listed below:

| Field | Example |
|---|---|
| @timestamp | 2019-10-01T08:20:04.323Z |
| parent.index | auditbeat-8.0.0 |
| parent.id | CsFDe5df |
| parent.type | event |
| parent.depth | 1 |
| original_time | 2019-10-01T08:20:04.323Z |
| rule_revision | 21 |
| rule_id | siem-rule-1 |
| rule_type | KQL |
| rule_query | host.name: someHost |
| index_patterns | [winglogbeat-*, auditbeat-*] |
| name | ml-anomaly-hosts |
| description | Host KQL Signal |
| severity | low (keyword) |
| references | example.com |

History

version 0 - 10/01/2019

Why a signals sub-object?

This is the current Signal ECS mapping that the SIEM UI team is using. Since some events already have severity filled in them, and some have errors already filled in, we have chosen to not overwrite the fields of a document that a signal is being created from when copying the document to the new index, by adding a sub-object called `signal`.
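The copy-and-nest behaviour described above, together with the `@timestamp`/`original_time` split and the keep-arrays-as-arrays fix from the #48679 commit message, as an added TypeScript example (not Kibana's own code; the `RuleMeta` shape, the sample documents, the constructed signals index name and the parent-depth rule are assumptions):

```typescript
// Added example, not Kibana's code: builds a signal document as the issue describes.
// All fields of the source event are copied unchanged; the detection-engine additions
// live under a `signal` sub-object, so an existing `event.severity` is never overwritten.
// RuleMeta, the sample documents and the depth rule are assumptions made for this example.

interface RuleMeta {
  rule_id: string; rule_revision: number; rule_type: string; rule_query: string;
  index_patterns: string[]; // kept as an array, never joined into a string
  name: string; description: string;
  severity: string;         // a label such as "low", not a number
  references: string[];
}

interface SourceHit { _index: string; _id: string; _source: Record<string, unknown> }

function buildSignal(hit: SourceHit, rule: RuleMeta, detectedAt: Date): Record<string, unknown> {
  const src = hit._source;
  // A source that already carries `signal` is itself a signal: nest one level deeper.
  const parentDepth = (src.signal as { parent?: { depth?: number } } | undefined)?.parent?.depth;
  const depth = parentDepth === undefined ? 1 : parentDepth + 1;
  return {
    ...src,                                  // ECS fields copied as-is
    '@timestamp': detectedAt.toISOString(),  // detection time: one `now` per rule run
    signal: {
      parent: { index: hit._index, id: hit._id, type: src.signal ? 'signal' : 'event', depth },
      original_time: src['@timestamp'],      // the event's own timestamp moves here
      ...rule,
    },
  };
}

// Constructed sample input: an auditbeat event that already has a numeric severity.
const sampleHit: SourceHit = {
  _index: 'auditbeat-8.0.0',
  _id: 'CsFDe5df',
  _source: { '@timestamp': '2019-10-01T08:20:04.323Z', host: { name: 'someHost' }, event: { severity: 3 } },
};
const sampleRule: RuleMeta = {
  rule_id: 'siem-rule-1', rule_revision: 21, rule_type: 'KQL', rule_query: 'host.name: someHost',
  index_patterns: ['winlogbeat-*', 'auditbeat-*'], name: 'ml-anomaly-hosts',
  description: 'Host KQL Signal', severity: 'low', references: ['example.com'],
};
const runAt = new Date('2019-10-18T12:00:00.000Z');

function firstSignal() { return buildSignal(sampleHit, sampleRule, runAt); }
// A signal built from a signal (constructed index name): parent.type "signal", depth 2.
function chainedSignal() {
  return buildSignal({ _index: 'signals-example', _id: 'sig-1', _source: firstSignal() }, sampleRule, runAt);
}
```

Because the source fields are spread first and the additions are nested under `signal`, the original `event.severity` of 3 survives next to the rule's `signal.severity` of "low".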