[Security Solution] Siem signals -> alerts as data field and index aliases

x-pack/plugins/rule_registry/server/rule_data_client/index.ts

@@ -96,7 +96,8 @@ export class RuleDataClient implements IRuleDataClient {
  if (response.body.errors) {
  if (
  response.body.items.length > 0 &&
- response.body.items?.[0]?.index?.error?.type === 'index_not_found_exception'
+ (response.body.items?.[0]?.index?.error?.type === 'index_not_found_exception' ||
+ response.body.items?.[0]?.index?.error?.type === 'illegal_argument_exception')
  ) {
  return this.createWriteTargetIfNeeded({ namespace }).then(() => {
  return clusterClient.bulk(requestWithDefaultParameters);
@@ -116,29 +117,22 @@ export class RuleDataClient implements IRuleDataClient {
 
  const clusterClient = await this.getClusterClient();
 
- const { body: aliasExists } = await clusterClient.indices.existsAlias({
- name: alias,
- });
-
  const concreteIndexName = `${alias}-000001`;
-
- if (!aliasExists) {
- try {
- await clusterClient.indices.create({
- index: concreteIndexName,
- body: {
- aliases: {
- [alias]: {
- is_write_index: true,
- },
+ try {
+ await clusterClient.indices.create({
+ index: concreteIndexName,
+ body: {
+ aliases: {
+ [alias]: {
+ is_write_index: true,
  },
  },
- });
- } catch (err) {
-  // something might have created the index already, that sounds OK
-  if (err?.meta?.body?.error?.type !== 'resource_already_exists_exception') {
-  throw err;
- }
+ },
+ });
+ } catch (err) {
+ // something might have created the index already, that sounds OK
+ if (err?.meta?.body?.error?.type !== 'resource_already_exists_exception') {
+ throw err;
  }
  }
  }

x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts

@@ -26,8 +26,10 @@ import signalsPolicy from './signals_policy.json';
 import { templateNeedsUpdate } from './check_template_version';
 import { getIndexVersion } from './get_index_version';
 import { isOutdated } from '../../migrations/helpers';
+import { parseExperimentalConfigValue } from '../../../../../common/experimental_features';
+import { ConfigType } from '../../../../config';
 
-export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
+export const createIndexRoute = (router: SecuritySolutionPluginRouter, config: ConfigType) => {
  router.post(
  {
  path: DETECTION_ENGINE_INDEX_URL,
@@ -37,6 +39,10 @@ export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
  },
  },
  async (context, request, response) => {
+ const { ruleRegistryEnabled } = parseExperimentalConfigValue(config.enableExperimental);
+ if (ruleRegistryEnabled) {
+ return response.ok({ body: { acknowledged: true } });
+ }
  const siemResponse = buildSiemResponse(response);
 
  try {

x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json

@@ -0,0 +1,93 @@
+{
+ "signal.ancestors.depth": "kibana.alert.ancestors.depth",
+ "signal.ancestors.id": "kibana.alert.ancestors.id",
+ "signal.ancestors.index": "kibana.alert.ancestors.index",
+ "signal.ancestors.type": "kibana.alert.ancestors.type",
+ "signal.depth": "kibana.alert.depth",
+ "signal.original_event.action": "kibana.alert.original_event.action",
+ "signal.original_event.category": "kibana.alert.original_event.category",
+ "signal.original_event.code": "kibana.alert.original_event.code",
+ "signal.original_event.created": "kibana.alert.original_event.created",
+ "signal.original_event.dataset": "kibana.alert.original_event.dataset",
+ "signal.original_event.duration": "kibana.alert.original_event.duration",
+ "signal.original_event.end": "kibana.alert.original_event.end",
+ "signal.original_event.hash": "kibana.alert.original_event.hash",
+ "signal.original_event.id": "kibana.alert.original_event.id",
+ "signal.original_event.kind": "kibana.alert.original_event.kind",
+ "signal.original_event.module": "kibana.alert.original_event.module",
+ "signal.original_event.outcome": "kibana.alert.original_event.outcome",
+ "signal.original_event.provider": "kibana.alert.original_event.provider",
+ "signal.original_event.risk_score": "kibana.alert.original_event.risk_score",
+ "signal.original_event.risk_score_norm": "kibana.alert.original_event.risk_score_norm",
+ "signal.original_event.sequence": "kibana.alert.original_event.sequence",
+ "signal.original_event.severity": "kibana.alert.original_event.severity",
+ "signal.original_event.start": "kibana.alert.original_event.start",
+ "signal.original_event.timezone": "kibana.alert.original_event.timezone",
+ "signal.original_event.type": "kibana.alert.original_event.type",
+ "signal.original_time": "kibana.alert.original_time",
+ "signal.rule.author": "kibana.alert.rule.author",
+ "signal.rule.building_block_type": "kibana.alert.rule.building_block_type",
+ "signal.rule.created_at": "kibana.alert.rule.created_at",
+ "signal.rule.created_by": "kibana.alert.rule.created_by",
+ "signal.rule.description": "kibana.alert.rule.description",
+ "signal.rule.enabled": "kibana.alert.rule.enabled",
+ "signal.rule.false_positives": "kibana.alert.rule.false_positives",
+ "signal.rule.from": "kibana.alert.rule.from",
+ "signal.rule.id": "kibana.alert.rule.id",
+ "signal.rule.immutable": "kibana.alert.rule.immutable",
+ "signal.rule.index": "kibana.alert.rule.index",
+ "signal.rule.interval": "kibana.alert.rule.interval",
+ "signal.rule.language": "kibana.alert.rule.language",
+ "signal.rule.license": "kibana.alert.rule.license",
+ "signal.rule.max_signals": "kibana.alert.rule.max_signals",
+ "signal.rule.name": "kibana.alert.rule.name",
+ "signal.rule.note": "kibana.alert.rule.note",
+ "signal.rule.query": "kibana.alert.rule.query",
+ "signal.rule.references": "kibana.alert.rule.references",
+ "signal.rule.risk_score": "kibana.alert.risk_score",
+ "signal.rule.risk_score_mapping.field": "kibana.alert.rule.risk_score_mapping.field",
+ "signal.rule.risk_score_mapping.operator": "kibana.alert.rule.risk_score_mapping.operator",
+ "signal.rule.risk_score_mapping.value": "kibana.alert.rule.risk_score_mapping.value",
+ "signal.rule.rule_id": "kibana.alert.rule.rule_id",
+ "signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override",
+ "signal.rule.saved_id": "kibana.alert.rule.saved_id",
+ "signal.rule.severity": "kibana.alert.severity",
+ "signal.rule.severity_mapping.field": "kibana.alert.rule.severity_mapping.field",
+ "signal.rule.severity_mapping.operator": "kibana.alert.rule.severity_mapping.operator",
+ "signal.rule.severity_mapping.value": "kibana.alert.rule.severity_mapping.value",
+ "signal.rule.severity_mapping.severity": "kibana.alert.rule.severity_mapping.severity",
+ "signal.rule.tags": "kibana.alert.rule.tags",
+ "signal.rule.threat.framework": "kibana.alert.rule.threat.framework",
+ "signal.rule.threat.tactic.id": "kibana.alert.rule.threat.tactic.id",
+ "signal.rule.threat.tactic.name": "kibana.alert.rule.threat.tactic.name",
+ "signal.rule.threat.tactic.reference": "kibana.alert.rule.threat.tactic.reference",
+ "signal.rule.threat.technique.id": "kibana.alert.rule.threat.technique.id",
+ "signal.rule.threat.technique.name": "kibana.alert.rule.threat.technique.name",
+ "signal.rule.threat.technique.reference": "kibana.alert.rule.threat.technique.reference",
+ "signal.rule.threat.technique.subtechnique.id": "kibana.alert.rule.threat.technique.subtechnique.id",
+ "signal.rule.threat.technique.subtechnique.name": "kibana.alert.rule.threat.technique.subtechnique.name",
+ "signal.rule.threat.technique.subtechnique.reference": "kibana.alert.rule.threat.technique.subtechnique.reference",
+ "signal.rule.threat_index": "kibana.alert.rule.threat_index",
+ "signal.rule.threat_indicator_path": "kibana.alert.rule.threat_indicator_path",
+ "signal.rule.threat_language": "kibana.alert.rule.threat_language",
+ "signal.rule.threat_mapping.entries.field": "kibana.alert.rule.threat_mapping.entries.field",
+ "signal.rule.threat_mapping.entries.value": "kibana.alert.rule.threat_mapping.entries.value",
+ "signal.rule.threat_mapping.entries.type": "kibana.alert.rule.threat_mapping.entries.type",
+ "signal.rule.threat_query": "kibana.alert.rule.threat_query",
+ "signal.rule.threshold.field": "kibana.alert.rule.threshold.field",
+ "signal.rule.threshold.value": "kibana.alert.rule.threshold.value",
+ "signal.rule.timeline_id": "kibana.alert.rule.timeline_id",
+ "signal.rule.timeline_title": "kibana.alert.rule.timeline_title",
+ "signal.rule.to": "kibana.alert.rule.to",
+ "signal.rule.type": "kibana.alert.rule.type",
+ "signal.rule.updated_at": "kibana.alert.rule.updated_at",
+ "signal.rule.updated_by": "kibana.alert.rule.updated_by",
+ "signal.rule.version": "kibana.alert.rule.version",
+ "signal.status": "kibana.alert.workflow_status",
+ "signal.threshold_result.from": "kibana.alert.threshold_result.from",
+ "signal.threshold_result.terms.field": "kibana.alert.threshold_result.terms.field",
+ "signal.threshold_result.terms.value": "kibana.alert.threshold_result.terms.value",
+ "signal.threshold_result.cardinality.field": "kibana.alert.threshold_result.cardinality.field",
+ "signal.threshold_result.cardinality.value": "kibana.alert.threshold_result.cardinality.value",
+ "signal.threshold_result.count": "kibana.alert.threshold_result.count"
+}

x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_extra_fields.json

@@ -0,0 +1,195 @@
+{
+ "signal": {
+ "type": "object",
+ "properties": {
+ "_meta": {
+ "type": "object",
+ "properties": {
+ "version": {
+ "type": "long"
+ }
+ }
+ },
+ "ancestors": {
+ "properties": {
+ "rule": {
+ "type": "keyword"
+ },
+ "index": {
+ "type": "keyword"
+ },
+ "id": {
+ "type": "keyword"
+ },
+ "type": {
+ "type": "keyword"
+ },
+ "depth": {
+ "type": "long"
+ }
+ }
+ },
+ "depth": {
+ "type": "integer"
+ },
+ "group": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "index": {
+ "type": "integer"
+ }
+ }
+ },
+ "rule": {
+ "type": "object",
+ "properties": {
+ "author": {
+ "type": "keyword"
+ },
+ "building_block_type": {
+ "type": "keyword"
+ },
+ "license": {
+ "type": "keyword"
+ },
+ "note": {
+ "type": "text"
+ },
+ "risk_score_mapping": {
+ "type": "object",
+ "properties": {
+ "field": {
+ "type": "keyword"
+ },
+ "operator": {
+ "type": "keyword"
+ },
+ "value": {
+ "type": "keyword"
+ }
+ }
+ },
+ "rule_name_override": {
+ "type": "keyword"
+ },
+ "severity_mapping": {
+ "type": "object",
+ "properties": {
+ "field": {
+ "type": "keyword"
+ },
+ "operator": {
+ "type": "keyword"
+ },
+ "value": {
+ "type": "keyword"
+ },
+ "severity": {
+ "type": "keyword"
+ }
+ }
+ },
+ "threat": {
+ "type": "object",
+ "properties": {
+ "technique": {
+ "type": "object",
+ "properties": {
+ "subtechnique": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "type": "keyword"
+ },
+ "name": {
+ "type": "keyword"
+ },
+ "reference": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "threat_index": {
+ "type": "keyword"
+ },
+ "threat_indicator_path": {
+ "type": "keyword"
+ },
+ "threat_language": {
+ "type": "keyword"
+ },
+ "threat_mapping": {
+ "type": "object",
+ "properties": {
+ "entries": {
+ "type": "object",
+ "properties": {
+ "field": {
+ "type": "keyword"
+ },
+ "value": {
+ "type": "keyword"
+ },
+ "type": {
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "threat_query": {
+ "type": "keyword"
+ },
+ "threshold": {
+ "type": "object",
+ "properties": {
+ "field": {
+ "type": "keyword"
+ },
+ "value": {
+ "type": "float"
+ }
+ }
+ }
+ }
+ },
+ "threshold_result": {
+ "properties": {
+ "from": {
+ "type": "date"
+ },
+ "terms": {
+ "properties": {
+ "field": {
+ "type": "keyword"
+ },
+ "value": {
+ "type": "keyword"
+ }
+ }
+ },
+ "cardinality": {
+ "properties": {
+ "field": {
+ "type": "keyword"
+ },
+ "value": {
+ "type": "long"
+ }
+ }
+ },
+ "count": {
+ "type": "long"
+ }
+ }
+ }
+ }
+ }
+}