
[Security Solution][Detections] Server-side filtering and sorting POC #126450

Closed
3 tasks done
banderror opened this issue Feb 28, 2022 · 8 comments
Labels: 8.2 candidate (considered, but not committed, for 8.2 release), Feature:Rule Management (Security Solution Detection Rule Management area), Team:Detection Rule Management (Security Detection Rule Management Team), Team:Detections and Resp (Security Detection Response Team), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), v8.2.0

Comments

@banderror
Contributor

banderror commented Feb 28, 2022

Epic: https://github.com/elastic/security-team/issues/1972

Summary

Create a POC to verify that we will be able to implement new filters and sorting in the Rules table in the server-side mode. No changes in the UI are expected (like adding new filters). We just need some test code on the backend + some test Postman requests to the API to make sure it all works.

Fields we are interested in:

  • severity
  • risk score
  • index patterns
  • MITRE ATT&CK model

Todo

  • Make sure that filtering and sorting by severity and risk score work as expected (implemented in [ResponseOps] Mapped/searchable params #126531)
  • Implement a POC for [ResponseOps] Support aggregations in RulesClient #125659
  • Test the following fields and requests to ES for them:
    • alert.params.severity: filtering by a single and multiple values, sorting should sort by its severity level and not alphabetically
    • alert.params.riskScore: range filter, sorting
    • alert.params.index: filtering by a single and multiple values, aggregations (need to answer the questions "what index patterns do our rules have in the current space" and "how many rules have each given index pattern")
    • alert.params.threat: filtering by its properties
@banderror banderror added the Team:Detections and Resp, Team: SecuritySolution, Feature:Rule Management, Team:Detection Rule Management, v8.2.0 and 8.2 candidate labels on Feb 28, 2022
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@xcrzx
Contributor

xcrzx commented Mar 15, 2022

✅ Checked rules filtering and sorting by severity; works as expected. Sample queries:

curl --location --request GET 'http://localhost:5601/kbn/api/detection_engine/rules/_find?filter=alert.attributes.params.severity: medium or alert.attributes.params.severity: high' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json'
curl --location --request GET 'http://localhost:5601/kbn/api/detection_engine/rules/_find?sort_field=severity&sort_order=desc' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json'
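Added example (not Kibana's code, and not from this thread): it builds the `_find` filter and sort query that the curl samples above send, percent-encoding the KQL, and checks a returned rule list for severity-level order instead of alphabetical order, which is the point the Todo item makes. All function and type names are this example's own; the server base path (`/kbn` in the samples) is omitted.

```typescript
// Added example, not Kibana's code: build the _find filter/sort query used in the
// curl samples above and check results are ordered by severity level, not alphabetically.
type Severity = 'low' | 'medium' | 'high' | 'critical';

// Ascending severity levels. Alphabetical order would be critical, high, low,
// medium, which is exactly what sorting on the raw string would produce.
const SEVERITY_RANK: Record<Severity, number> = { low: 0, medium: 1, high: 2, critical: 3 };

// Saved-object attribute used by the sample queries in this thread.
const SEVERITY_FIELD = 'alert.attributes.params.severity';

// KQL clause matching any of the given severities ("...: medium or ...: high").
function severityFilter(values: Severity[]): string {
  if (values.length === 0) {
    throw new Error('severityFilter: at least one severity is required');
  }
  return values.map((v) => `${SEVERITY_FIELD}: ${v}`).join(' or ');
}

// Request path (without the server base path such as /kbn). The filter is
// percent-encoded so the spaces and colons in the KQL survive the URL.
function findRulesPath(
  filter: string,
  sortField?: 'severity' | 'risk_score',
  sortOrder: 'asc' | 'desc' = 'desc'
): string {
  let path = `/api/detection_engine/rules/_find?filter=${encodeURIComponent(filter)}`;
  if (sortField !== undefined) {
    path += `&sort_field=${sortField}&sort_order=${sortOrder}`;
  }
  return path;
}

// True when no adjacent pair of rules goes the wrong way in severity *level*.
function isSortedBySeverity(rules: Array<{ severity: Severity }>, order: 'asc' | 'desc'): boolean {
  for (let i = 1; i < rules.length; i++) {
    const prev = SEVERITY_RANK[rules[i - 1].severity];
    const cur = SEVERITY_RANK[rules[i].severity];
    if (order === 'asc' ? cur < prev : cur > prev) {
      return false;
    }
  }
  return true;
}

// Constructed sample: what a desc sort would return if it sorted alphabetically.
const ALPHABETICALLY_SORTED: Array<{ severity: Severity }> = [
  { severity: 'critical' }, { severity: 'high' }, { severity: 'low' }, { severity: 'medium' },
];
```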

@xcrzx
Contributor

xcrzx commented Mar 15, 2022

✅ Checked rules filtering and sorting by risk_score; works as expected. Sample queries:

curl --location --request GET 'http://localhost:5601/kbn/api/detection_engine/rules/_find?filter=alert.attributes.params.risk_score > 40 and alert.attributes.params.risk_score < 50' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' 
curl --location --request GET 'http://localhost:5601/kbn/api/detection_engine/rules/_find?sort_field=risk_score&sort_order=desc' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json'

@xcrzx
Contributor

xcrzx commented Mar 15, 2022

With regard to filtering by threat, index, or timeline: after #126531 was merged, filtering doesn't seem to be working anymore.

curl --location --request GET 'http://localhost:5601/kbn/api/detection_engine/rules/_find?filter=alert.attributes.params.threat.tactic.name: Exfiltration' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json'

Gives the following response:

{
    "message": "This key 'alert.attributes.mapped_params.threat.tactic.name' does NOT exist in alert saved object index patterns: Bad Request",
    "status_code": 400
}

I checked the above request on a commit before the mapped_params changes were introduced, and it works correctly. @JiaweiWu, was it a regression or an intentional change?

cc @XavierM

Confirmed with @XavierM that it's a bug and converted to an issue: #127876

@XavierM
Contributor

XavierM commented Mar 16, 2022

With regard to filtering by threat: after #126531 was merged, filtering by threat doesn't seem to be working anymore.

curl --location --request GET 'http://localhost:5601/kbn/api/detection_engine/rules/_find?filter=alert.attributes.params.threat.tactic.name: Exfiltration' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json'

Gives the following response:

{
    "message": "This key 'alert.attributes.mapped_params.threat.tactic.name' does NOT exist in alert saved object index patterns: Bad Request",
    "status_code": 400
}

I checked the above request on a commit before the mapped_params changes were introduced, and it works correctly. @JiaweiWu, was it a regression or an intentional change?

cc @XavierM

UPD: getting a similar error when filtering by alert.attributes.params.index or alert.attributes.params.timeline_title.

It should be fixed!!!

@xcrzx
Contributor

xcrzx commented Mar 17, 2022

Checked RulesClient.aggregate method with minimal adjustments:

diff --git a/x-pack/plugins/alerting/server/rules_client/rules_client.ts b/x-pack/plugins/alerting/server/rules_client/rules_client.ts
index 1512959384a..22249dafbc8 100644
--- a/x-pack/plugins/alerting/server/rules_client/rules_client.ts
+++ b/x-pack/plugins/alerting/server/rules_client/rules_client.ts
@@ -783,6 +783,9 @@ export class RulesClient {
         muted: {
           terms: { field: 'alert.attributes.muteAll' },
         },
+        indices: {
+          terms: { field: 'alert.attributes.params.index' },
+        },
       },
     });
 
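Review bot: the `indices` terms aggregation added here sets no `size`, so Elasticsearch returns only its default top 10 buckets; for the question "what index patterns do our rules have in the current space" the list is silently truncated as soon as more than ten distinct patterns exist (the sample output further down stops at exactly ten entries). Suggest an explicit bound, e.g. `terms: { field: 'alert.attributes.params.index', size: <upper bound on patterns> }`, and reading `sum_other_doc_count` from the response so callers can tell when the list is incomplete.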
@@ -839,6 +842,11 @@ export class RulesClient {
       unmuted: mutedBuckets.find((bucket) => bucket.key === 0)?.doc_count ?? 0,
     };
 
+    ret.ruleIndices = resp.aggregations.indices.buckets.map((bucket) => ({
+      index: bucket.key,
+      rulesCount: bucket.doc_count,
+    }));
+
     return ret;
   }
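Review bot: `resp.aggregations.indices.buckets.map(...)` assumes the `indices` aggregation is always present, while the `muted` handling two lines above guards with `?.` and `?? 0`; be consistent and fall back to an empty list, e.g. `(resp.aggregations.indices?.buckets ?? []).map(...)`. The declared type of `ret` is not visible in this hunk; confirm the aggregate result type declares `ruleIndices` (and that `bucket` is typed) or this will not compile under strict TypeScript. Also worth a comment on the new field: `doc_count` is the number of rule saved objects per pattern, so a rule with several index patterns is counted once in each bucket and the counts do not sum to the number of rules.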

It allows us to retrieve a list of all index patterns used in detection rules:

{
    "ruleIndices": [
        {
            "index": "winlogbeat-*",
            "rulesCount": 249
        },
        {
            "index": "logs-windows.*",
            "rulesCount": 239
        },
        {
            "index": "logs-endpoint.events.*",
            "rulesCount": 208
        },
        {
            "index": "logs-system.*",
            "rulesCount": 12
        },
        {
            "index": "auditbeat-*",
            "rulesCount": 7
        },
        {
            "index": "filebeat-*",
            "rulesCount": 4
        },
        {
            "index": "logs-*",
            "rulesCount": 4
        },
        {
            "index": "packetbeat-*",
            "rulesCount": 4
        },
        {
            "index": "endgame-*",
            "rulesCount": 3
        },
        {
            "index": "apm-*-transaction*",
            "rulesCount": 2
        }
    ]
}

@xcrzx
Contributor

xcrzx commented Mar 17, 2022

✅ Filtering by index or threat works as expected.

curl 'http://localhost:5601/kbn/api/detection_engine/rules/_find?filter=alert.attributes.params.index: winlogbeat-*' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json'
curl 'http://localhost:5601/kbn/api/detection_engine/rules/_find?filter=alert.attributes.params.threat.tactic.name: Exfiltration' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' 

@xcrzx xcrzx closed this as completed Mar 17, 2022