[SecuritySolution][SIEM migrations] Add macros and lookups support in the API #199370
+2,173
−766
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ns/add_macros_support
…t --include-path /api/status --include-path /api/alerting/rule/ --include-path /api/alerting/rules --include-path /api/actions --include-path /api/security/role --include-path /api/spaces --include-path /api/fleet --update'
…package' into index_adapter_base_package
…add_macros_support
…ns/add_macros_support
…add_macros_support
…add_macros_support
…add_macros_support
…add_macros_support
…add_macros_support
.../security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_base_client.ts
Show resolved
Hide resolved
...rity_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_resources_client.ts
Show resolved
Hide resolved
...security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_rules_client.ts
Show resolved
Hide resolved
...security_solution/server/lib/siem_migrations/rules/data/rule_migrations_data_rules_client.ts
Show resolved
Hide resolved
| throw error; | ||
| }); | ||
| await this.esClient.update({ index, id: _id, doc, refresh: 'wait_for' }).catch((error) => { | ||
| this.logger.error(`Error updating rule migration status to failed: ${error.message}`); |
There was a problem hiding this comment.
side note: it would be great to track telemetry on the UI on our success and failure rates and retry count as well
...k/plugins/security_solution/server/lib/siem_migrations/rules/siem_rule_migrations_service.ts
Outdated
Show resolved
Hide resolved
...ecurity_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/prompt.ts
Outdated
Show resolved
Hide resolved
...ecurity_solution/server/lib/siem_migrations/rules/task/agent/nodes/translate_query/prompt.ts
Outdated
Show resolved
Hide resolved
...gins/security_solution/server/lib/siem_migrations/rules/task/util/rule_resource_retriever.ts
Show resolved
Hide resolved
...gins/security_solution/server/lib/siem_migrations/rules/task/util/rule_resource_retriever.ts
Outdated
Show resolved
Hide resolved
|
|
||
| export const MAX_RECURSION_DEPTH = 10; | ||
|
|
||
| export class RuleResourceRetriever { |
…ns/add_macros_support
…ns/add_macros_support' into 10653/siem_migrations/add_macros_support
| @@ -56,4 +56,34 @@ describe('splResourceIdentifier', () => { | |||
| expect(result.macro).toEqual(['macro_one', 'my_lookup_table', 'third_macro']); | |||
| expect(result.list).toEqual(['real_lookup_list']); | |||
| }); | |||
|
|
|||
| it('should ignore macros or lookup tables inside string literals with double quotes', () => { | |||
There was a problem hiding this comment.
👌🏾 Thanks for adding these!
| @@ -5,21 +5,42 @@ | |||
| * 2.0. | |||
| */ | |||
|
|
|||
| /** | |||
| * Important: | |||
| }); | ||
|
|
||
| /** | ||
| * Wraps a request handler with a check for the license. If the license is not valid, it will |
michaelolo24
approved these changes
Nov 18, 2024
💛 Build succeeded, but was flaky
Failed CI StepsTest FailuresMetrics [docs]
History
cc @semd |
|
Starting backport for target branches: 8.18, 8.x https://github.com/elastic/kibana/actions/runs/11899927531 |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 18, 2024
… the API (elastic#199370) (cherry picked from commit 4f3bbe8)
💔 Some backports could not be created
Note: Successful backport PRs will be merged automatically after passing CI. Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
kibanamachine
added a commit
that referenced
this pull request
Nov 18, 2024
…ort in the API (#199370) (#200644) # Backport This will backport the following commits from `main` to `8.x`: - [[SecuritySolution][SIEM migrations] Add macros and lookups support in the API (#199370)](#199370) <!--- Backport version: 9.4.3 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Sergi Massaneda","email":"sergi.massaneda@elastic.co"},"sourceCommit":{"committedDate":"2024-11-18T19:47:32Z","message":"[SecuritySolution][SIEM migrations] Add macros and lookups support in the API (#199370)","sha":"4f3bbe8d30a962ddb4e9cd5c2d207dabaa063ffb","branchLabelMapping":{"^v9.0.0$":"main","^v8.17.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Threat Hunting","backport:prev-minor","v8.18.0"],"title":"[SecuritySolution][SIEM migrations] Add macros and lookups support in the API","number":199370,"url":"https://github.com/elastic/kibana/pull/199370","mergeCommit":{"message":"[SecuritySolution][SIEM migrations] Add macros and lookups support in the API (#199370)","sha":"4f3bbe8d30a962ddb4e9cd5c2d207dabaa063ffb"}},"sourceBranch":"main","suggestedTargetBranches":["8.18"],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/199370","number":199370,"mergeCommit":{"message":"[SecuritySolution][SIEM migrations] Add macros and lookups support in the API (#199370)","sha":"4f3bbe8d30a962ddb4e9cd5c2d207dabaa063ffb"}},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"}]}] BACKPORT--> Co-authored-by: Sergi Massaneda <sergi.massaneda@elastic.co>
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Dec 12, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Part of: https://github.com/elastic/security-team/issues/10653
Implements the support for resources (macros and lookup lists) for SIEM rule migrations, including the API, the persistence layer and the retrieval for the LLM agent.
Note
This feature needs
siemMigrationsEnabledexperimental flag enabled to work. Otherwise, no code related to SIEM migrations is executed.Schema
The resource object schema is:
2 new routes are now exposed:
POST /internal/siem_migrations/rules/{migration_id}/resources-> Creates the resources, the ones that already exist are updated.GET /internal/siem_migrations/rules/{migration_id}/resources-> Retrieves all the stored resources for a given migrationResources index
A new index is created when the resources need to be stored:
.kibana-siem-rule-migrations-resources-[spaceId]The mapping is the same as the schema.
The
RuleMigrationsDataClienthas been extended to handle two different kinds of objects now:rulesandresources.Resource identifier
The
resourceIdentifiermodule has been implemented (x-pack/plugins/security_solution/common/siem_migrations/rules/resources/splunk_identifier.ts) to extract the resource (macros or lists) names from the queries. There will be a different implementation for each vendor/query_language.Resource retriever
The
resourceRetriever(x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/util/rule_resource_retriever.ts) has been implemented to retrieve the resources content taking only an original (splunk) query as input, combining theresourceIdentifierand the resources content stored in the index.It is used by the LLM agent to obtain the resources content when executing the query translation to ES|QL.
The
resourceRetrieverimplementation is recursive, so we can extract all the nested resources, since macros may contain other resources inside (lists or other macros).LLM Agent
A new agent call has been added to the translation node. The LLM is asked to replace all the resources in the original query with their content, so we have the query with no macro call or lookup list, everything is inline.
With the replaced query the ES|QL translation is executed as usual.
Example:
Original query:
Resources:
Inline query:
ES|QL translated query:
Considerations:
logs-*index pattern is used as a temporary workaround while integrations RAG is being implemented.