adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes #10
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…for security solution, need to work through rule registry changes
yctercero
pushed a commit
that referenced
this pull request
May 5, 2021
…for security solution, need to work through rule registry changes (#10) * adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes * minor cleanup * undo owner change in rule registry, will come in different pr * enhances user experience of test scripts * response error
dhurley14
added a commit
that referenced
this pull request
May 12, 2021
…for security solution, need to work through rule registry changes (#10) * adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes * minor cleanup * undo owner change in rule registry, will come in different pr * enhances user experience of test scripts * response error
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes
Summary
Pull down this branch and run ES locally using the following steps..
Running ES locally
gradle/run.gradleand add setting'xpack.security.authc.api_key.enabled', 'true'after line 24./gradlew run# this runs with a trial licensekibana_elasticuserkibana.dev.ymlto usekibana_elasticas the userStart up kibana
You should now be able to create a rule which generates alerts and then "find" those alerts (using the kibana system user) using the scripts located in
x-pack/plugins/rule_registry/server/scripts/get_security_solution_alert.shTest data
Create a rule to query
myfa*and it should generate an alert in the security solutionTo get the alert, change directory into
x-pack/plugins/rule_registry/server/scriptsand executeThis script will post the security role and observer role and execute a find using the new alerts as data client. To test the authz functionality execute the below, expecting a 403 response.
term$ ./get_security_solution_alert.sh observer term$ { "statusCode": 401, "error": "Unauthorized", "message": "Unauthorized to get \"rac:8.0.0:siem/get\" alert\"" }