[Fleet] Install security_rule assets as saved objects (#95885)
* [Fleet] Install security_rule assets as saved objects * Add security-rule to update_assets.ts * Update UUIDs for security_rule asset * Change .type to match the saved object type not the asset type * Add saved object mapping for security-rule * Make SO non-hidden * Fix SO mapping for security-rule * Make security-rule a non-hidden asset
This commit is contained in:
Ross Wolf
GitHub
parent
d5b3829210
commit
93965343e5
|
|
@ -31,6 +31,7 @@ describe('Fleet - packageToPackagePolicy', () => {
|
|||
map: [],
|
||||
lens: [],
|
||||
ml_module: [],
|
||||
security_rule: [],
|
||||
},
|
||||
elasticsearch: {
|
||||
ingest_pipeline: [],
|
||||
|
|
|
|||
|
|
@ -50,6 +50,7 @@ export enum KibanaAssetType {
|
|||
indexPattern = 'index_pattern',
|
||||
map = 'map',
|
||||
lens = 'lens',
|
||||
securityRule = 'security_rule',
|
||||
mlModule = 'ml_module',
|
||||
}
|
||||
|
||||
|
|
@ -64,6 +65,7 @@ export enum KibanaSavedObjectType {
|
|||
map = 'map',
|
||||
lens = 'lens',
|
||||
mlModule = 'ml-module',
|
||||
securityRule = 'security-rule',
|
||||
}
|
||||
|
||||
export enum ElasticsearchAssetType {
|
||||
|
|
|
|||
|
|
@ -33,6 +33,7 @@ export const AssetTitleMap: Record<AssetType, string> = {
|
|||
map: 'Map',
|
||||
data_stream_ilm_policy: 'Data Stream ILM Policy',
|
||||
lens: 'Lens',
|
||||
security_rule: 'Security Rule',
|
||||
ml_module: 'ML Module',
|
||||
};
|
||||
|
||||
|
|
@ -48,6 +49,7 @@ export const AssetIcons: Record<KibanaAssetType, IconType> = {
|
|||
visualization: 'visualizeApp',
|
||||
map: 'emsApp',
|
||||
lens: 'lensApp',
|
||||
security_rule: 'securityApp',
|
||||
ml_module: 'mlApp',
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -38,6 +38,7 @@ const KibanaSavedObjectTypeMapping: Record<KibanaAssetType, KibanaSavedObjectTyp
|
|||
[KibanaAssetType.visualization]: KibanaSavedObjectType.visualization,
|
||||
[KibanaAssetType.lens]: KibanaSavedObjectType.lens,
|
||||
[KibanaAssetType.mlModule]: KibanaSavedObjectType.mlModule,
|
||||
[KibanaAssetType.securityRule]: KibanaSavedObjectType.securityRule,
|
||||
};
|
||||
|
||||
// Define how each asset type will be installed
|
||||
|
|
@ -55,6 +56,7 @@ const AssetInstallers: Record<
|
|||
[KibanaAssetType.visualization]: installKibanaSavedObjects,
|
||||
[KibanaAssetType.lens]: installKibanaSavedObjects,
|
||||
[KibanaAssetType.mlModule]: installKibanaSavedObjects,
|
||||
[KibanaAssetType.securityRule]: installKibanaSavedObjects,
|
||||
};
|
||||
|
||||
export async function getKibanaAsset(key: string): Promise<ArchiveAsset> {
|
||||
|
|
|
|||
|
|
@ -43,7 +43,7 @@ const tests = [
|
|||
name: 'coredns',
|
||||
version: '1.0.1',
|
||||
},
|
||||
// Non existant dataset
|
||||
// Non existent dataset
|
||||
dataset: 'foo',
|
||||
filter: (path: string) => {
|
||||
return true;
|
||||
|
|
|
|||
|
|
@ -53,3 +53,27 @@ export const type: SavedObjectsType = {
|
|||
namespaceType: 'single',
|
||||
mappings: ruleStatusSavedObjectMappings,
|
||||
};
|
||||
|
||||
export const ruleAssetSavedObjectType = 'security-rule';
|
||||
|
||||
export const ruleAssetSavedObjectMappings: SavedObjectsType['mappings'] = {
|
||||
dynamic: false,
|
||||
properties: {
|
||||
name: {
|
||||
type: 'keyword',
|
||||
},
|
||||
rule_id: {
|
||||
type: 'keyword',
|
||||
},
|
||||
version: {
|
||||
type: 'long',
|
||||
},
|
||||
},
|
||||
};
|
||||
|
||||
export const ruleAssetType: SavedObjectsType = {
|
||||
name: ruleAssetSavedObjectType,
|
||||
hidden: false,
|
||||
namespaceType: 'agnostic',
|
||||
mappings: ruleAssetSavedObjectMappings,
|
||||
};
|
||||
|
|
|
|||
|
|
@ -8,7 +8,10 @@
|
|||
import { CoreSetup } from '../../../../src/core/server';
|
||||
|
||||
import { noteType, pinnedEventType, timelineType } from './lib/timeline/saved_object_mappings';
|
||||
import { type as ruleStatusType } from './lib/detection_engine/rules/saved_object_mappings';
|
||||
import {
|
||||
type as ruleStatusType,
|
||||
ruleAssetType,
|
||||
} from './lib/detection_engine/rules/saved_object_mappings';
|
||||
import { type as ruleActionsType } from './lib/detection_engine/rule_actions/saved_object_mappings';
|
||||
import { type as signalsMigrationType } from './lib/detection_engine/migrations/saved_objects';
|
||||
import {
|
||||
|
|
@ -21,6 +24,7 @@ const types = [
|
|||
pinnedEventType,
|
||||
ruleActionsType,
|
||||
ruleStatusType,
|
||||
ruleAssetType,
|
||||
timelineType,
|
||||
exceptionsArtifactType,
|
||||
manifestType,
|
||||
|
|
|
|||
|
|
@ -399,6 +399,11 @@ const expectAssetsInstalled = ({
|
|||
id: 'sample_ml_module',
|
||||
});
|
||||
expect(resMlModule.id).equal('sample_ml_module');
|
||||
const resSecurityRule = await kibanaServer.savedObjects.get({
|
||||
type: 'security-rule',
|
||||
id: 'sample_security_rule',
|
||||
});
|
||||
expect(resSecurityRule.id).equal('sample_security_rule');
|
||||
const resIndexPattern = await kibanaServer.savedObjects.get({
|
||||
type: 'index-pattern',
|
||||
id: 'test-*',
|
||||
|
|
@ -472,6 +477,10 @@ const expectAssetsInstalled = ({
|
|||
id: 'sample_search',
|
||||
type: 'search',
|
||||
},
|
||||
{
|
||||
id: 'sample_security_rule',
|
||||
type: 'security-rule',
|
||||
},
|
||||
{
|
||||
id: 'sample_visualization',
|
||||
type: 'visualization',
|
||||
|
|
@ -537,6 +546,7 @@ const expectAssetsInstalled = ({
|
|||
{ id: 'e21b59b5-eb76-5ab0-bef2-1c8e379e6197', type: 'epm-packages-assets' },
|
||||
{ id: '4c758d70-ecf1-56b3-b704-6d8374841b34', type: 'epm-packages-assets' },
|
||||
{ id: 'e786cbd9-0f3b-5a0b-82a6-db25145ebf58', type: 'epm-packages-assets' },
|
||||
{ id: 'd8b175c3-0d42-5ec7-90c1-d1e4b307a4c2', type: 'epm-packages-assets' },
|
||||
{ id: '53c94591-aa33-591d-8200-cd524c2a0561', type: 'epm-packages-assets' },
|
||||
{ id: 'b658d2d4-752e-54b8-afc2-4c76155c1466', type: 'epm-packages-assets' },
|
||||
],
|
||||
|
|
|
|||
|
|
@ -296,6 +296,10 @@ export default function (providerContext: FtrProviderContext) {
|
|||
id: 'sample_lens',
|
||||
type: 'lens',
|
||||
},
|
||||
{
|
||||
id: 'sample_security_rule',
|
||||
type: 'security-rule',
|
||||
},
|
||||
{
|
||||
id: 'sample_ml_module',
|
||||
type: 'ml-module',
|
||||
|
|
@ -350,6 +354,7 @@ export default function (providerContext: FtrProviderContext) {
|
|||
{ id: '7f4c5aca-b4f5-5f0a-95af-051da37513fc', type: 'epm-packages-assets' },
|
||||
{ id: '4281a436-45a8-54ab-9724-fda6849f789d', type: 'epm-packages-assets' },
|
||||
{ id: '2e56f08b-1d06-55ed-abee-4708e1ccf0aa', type: 'epm-packages-assets' },
|
||||
{ id: '4035007b-9c33-5227-9803-2de8a17523b5', type: 'epm-packages-assets' },
|
||||
{ id: 'c7bf1a39-e057-58a0-afde-fb4b48751d8c', type: 'epm-packages-assets' },
|
||||
{ id: '8c665f28-a439-5f43-b5fd-8fda7b576735', type: 'epm-packages-assets' },
|
||||
],
|
||||
|
|
|
|||
|
|
@ -0,0 +1,50 @@
|
|||
{
|
||||
"attributes": {
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Svchost spawning Cmd",
|
||||
"query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
|
||||
"risk_score": 21,
|
||||
"rule_id": "sample_security_rule",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Execution"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT\u0026CK",
|
||||
"tactic": {
|
||||
"id": "TA0002",
|
||||
"name": "Execution",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0002/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1059",
|
||||
"name": "Command and Scripting Interpreter",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 7
|
||||
},
|
||||
"id": "sample_security_rule",
|
||||
"type": "security-rule"
|
||||
}
|
||||
|
|
@ -0,0 +1,50 @@
|
|||
{
|
||||
"attributes": {
|
||||
"author": [
|
||||
"Elastic"
|
||||
],
|
||||
"description": "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe",
|
||||
"from": "now-9m",
|
||||
"index": [
|
||||
"winlogbeat-*",
|
||||
"logs-endpoint.events.*",
|
||||
"logs-windows.*"
|
||||
],
|
||||
"language": "kuery",
|
||||
"license": "Elastic License v2",
|
||||
"name": "Svchost spawning Cmd",
|
||||
"query": "event.category:process and event.type:(start or process_started) and process.parent.name:svchost.exe and process.name:cmd.exe",
|
||||
"risk_score": 21,
|
||||
"rule_id": "sample_security_rule",
|
||||
"severity": "low",
|
||||
"tags": [
|
||||
"Elastic",
|
||||
"Host",
|
||||
"Windows",
|
||||
"Threat Detection",
|
||||
"Execution"
|
||||
],
|
||||
"threat": [
|
||||
{
|
||||
"framework": "MITRE ATT\u0026CK",
|
||||
"tactic": {
|
||||
"id": "TA0002",
|
||||
"name": "Execution",
|
||||
"reference": "https://attack.mitre.org/tactics/TA0002/"
|
||||
},
|
||||
"technique": [
|
||||
{
|
||||
"id": "T1059",
|
||||
"name": "Command and Scripting Interpreter",
|
||||
"reference": "https://attack.mitre.org/techniques/T1059/"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"timestamp_override": "event.ingested",
|
||||
"type": "query",
|
||||
"version": 7
|
||||
},
|
||||
"id": "sample_security_rule",
|
||||
"type": "security-rule"
|
||||
}
|
||||
Loading…
Reference in a new issue