[Rules migration] Adding initial implementation of integration RAG #200922
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
P1llus
added
release_note:skip
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
P1llus
commented
Nov 21, 2024
x-pack/plugins/security_solution/server/lib/siem_migrations/rules/api/create.ts
Show resolved
Hide resolved
semd
reviewed
Nov 22, 2024
x-pack/plugins/security_solution/common/siem_migrations/model/rule_migration.gen.ts
Outdated
Show resolved
Hide resolved
semd
reviewed
Nov 22, 2024
...b/siem_migrations/rules/task/agent/sub_graphs/translate_rule/nodes/translate_rule/prompts.ts
Outdated
Show resolved
Hide resolved
semd
reviewed
Nov 22, 2024
x-pack/plugins/security_solution/server/lib/siem_migrations/rules/task/agent/graph.ts
Show resolved
Hide resolved
💛 Build succeeded, but was flaky
Failed CI StepsMetrics [docs]
History
|
|
Starting backport for target branches: 8.x |
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Nov 22, 2024
…lastic#200922) ## Summary This is part 1 of a 2-3 part PR. This involes the initial implementation of the integration RAG, while part 2 focuses on prompt tuning, and a potential part 3 is the change from local JSON file to EPR client and further tuning of prompts and search result ranking. The change introduces a new feature to the rule migration, enriching the current graph implementation with metadata from available integrations, allowing us to currently choose the correct index patterns needed if a relevant integration is found. Changes in the PR: - Introduction of the `integration data client`, which might later be moved under resource. - Moving` translate_rule` node to its own subgraph, then divided into multiple nodes to support the RAG search step. - The creation and population of the index used to store the integration metadata, together with the `semantic_text` mapping used by the default included ELSER model. - Updates to `elastic_rule` type, to include the integration ID's and index patterns. ## Example finished task: ```json [ { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language": "spl", "mitre_attack_ids": [ "T1136" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:01.397Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `sourcetype=\"linux:audit\"`. In the ES|QL query, we're using the provided index patterns that include logs related to system audit and auditd.\n\n2. Event type filtering:\n - The SPL query filtered for `type=ADD_USER`. In ES|QL, we use `WHERE event.type == \"ADD_USER\"` to achieve the same filtering.\n\n3. Field renaming:\n - The SPL query renamed `hostname` to `dest`. In ES|QL, we use the `RENAME` command to rename `host.hostname` to `dest`, assuming the ECS field mapping.\n\n4. Statistics calculation:\n - The SPL query used `stats` to calculate count, min(_time), and max(_time). In ES|QL, we use the `STATS` command with `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` to achieve similar results.\n - The grouping fields are adjusted to match ECS field names:\n - `exe` -> `process.executable`\n - `pid` -> `process.pid`\n - `dest` remains the same (after renaming)\n - `res` -> `event.outcome`\n - `UID` -> `user.id`\n - `type` -> `event.type`\n\n5. Time conversion:\n - The SPL query used `security_content_ctime` function for time conversion. In ES|QL, we use the `EVAL` command with `TO_DATETIME` function to convert the `firstTime` and `lastTime` fields to datetime format.\n\n6. Additional notes:\n - The `search *` at the end of the SPL query is not necessary in ES|QL as it doesn't change the result set.\n - The ES|QL query assumes that the `@timestamp` field is used for event timestamps, which is standard in ECS.\n\nThis ES|QL query should provide equivalent functionality to the original Splunk query, adapted for Elastic Security and using ECS field names where appropriate." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-system_audit.package-* logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-* logs-auditd.log-*\n| WHERE event.type == \"ADD_USER\"\n| RENAME host.hostname AS dest\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, process.pid, dest, event.outcome, user.id, event.type\n| EVAL firstTime = TO_DATETIME(firstTime), lastTime = TO_DATETIME(lastTime)", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "index_patterns": [ "logs-system_audit.package-*", "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*", "logs-auditd.log-*" ], "query_language": "esql", "title": "Linux Auditd Add User Account Type", "integration_ids": [ "system_audit", "endpoint", "auditd" ] }, "_id": "8eKDTpMBwtRPKDL_CLKW" }, { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:04.527Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `linux_auditd` and `linux_auditd_normalized_proctitle_process` macros. In ES|QL, we're using the recommended index patterns for Elastic Endpoint Security events.\n\n2. Field mapping:\n - `host` was renamed to `dest` in the original query. In ECS, we use `host.name`.\n - `process_exec` is mapped to `process.executable` in ECS.\n - `proctitle` and `normalized_proctitle_delimiter` are combined into `process.command_line` in ECS.\n - `_time` is replaced with `@timestamp` in ECS.\n\n3. Filtering:\n - The `LIKE` function is used in ES|QL, which is equivalent to the SPL `LIKE` function.\n - We're checking for \"chown\" in the process executable and \"root\" in the process arguments.\n\n4. Statistics:\n - The `STATS` command in ES|QL is similar to SPL's `stats` command.\n - We use `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` for the count, firstTime, and lastTime respectively.\n - The `BY` clause groups the results by the relevant fields.\n\n5. Sorting:\n - Added a `SORT` command to order the results by count in descending order, which wasn't in the original query but is useful for identifying the most frequent occurrences.\n\n6. Removed:\n - The `security_content_ctime` function calls were removed as they are specific to Splunk. ES|QL uses the native datetime format.\n - The `linux_auditd_change_file_owner_to_root_filter` macro was not included as we don't have an equivalent in ES|QL. If there are specific filters in this macro, they would need to be added explicitly to the query.\n\nThis ES|QL query will detect the use of the 'chown' command to change a file owner to 'root' on a Linux system, using Elastic Endpoint Security events. It groups the results by the process details and host name, providing a count of occurrences and the first and last times the event was observed." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-*\n| WHERE process.executable LIKE \"%chown%\" AND process.args LIKE \"%root%\"\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, \n process.command_line, \n process.args, \n host.name\n| SORT count DESC", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "index_patterns": [ "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*" ], "query_language": "esql", "title": "Linux Auditd Change File Owner To Root", "integration_ids": [ "endpoint" ] }, "_id": "8uKDTpMBwtRPKDL_CLKW" } ] ``` ## Testing locally Enable the flag ``` xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled'] ``` Create the rule migration, add relevant macro resources and initiate the task. cURL request examples: <details> <summary>Rules migration `create` POST request</summary> ``` curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language":"spl", "mitre_attack_ids": [ "T1136" ] }, { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] } ]' ``` </details> <details> <summary>Add resources to migration ID</summary> - Assuming the connector `azureOpenAiGPT4o` is already created in the local environment. - Using the {{`migration_id`}} from the first POST request response ``` curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/respirces' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "type": "macro", "name": "security_content_ctime", "content": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)" }, { "type": "macro", "name": "linux_auditd_add_user_account_type_filter", "content": "search *" }, { "type": "macro", "name": "linux_auditd", "content": "sourcetype=\"linux:audit\"" }, { "type": "macro", "name": "linux_auditd_change_file_owner_to_root_filter", "content": "search *" } ]' ``` </details> <details> <summary>Rules migration `start` task request</summary> - Assuming the connector `azureOpenAiGPT4o` is already created in the local environment. - Using the {{`migration_id`}} from the first POST request response ``` curl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '{ "connectorId": "azureOpenAiGPT4o" }' ``` </details> (cherry picked from commit 556edb9)
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
kibanamachine
added
the
backport missing
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
1 similar comment
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
paulinashakirova
pushed a commit
to paulinashakirova/kibana
that referenced
this pull request
Nov 26, 2024
…lastic#200922) ## Summary This is part 1 of a 2-3 part PR. This involes the initial implementation of the integration RAG, while part 2 focuses on prompt tuning, and a potential part 3 is the change from local JSON file to EPR client and further tuning of prompts and search result ranking. The change introduces a new feature to the rule migration, enriching the current graph implementation with metadata from available integrations, allowing us to currently choose the correct index patterns needed if a relevant integration is found. Changes in the PR: - Introduction of the `integration data client`, which might later be moved under resource. - Moving` translate_rule` node to its own subgraph, then divided into multiple nodes to support the RAG search step. - The creation and population of the index used to store the integration metadata, together with the `semantic_text` mapping used by the default included ELSER model. - Updates to `elastic_rule` type, to include the integration ID's and index patterns. ## Example finished task: ```json [ { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language": "spl", "mitre_attack_ids": [ "T1136" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:01.397Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `sourcetype=\"linux:audit\"`. In the ES|QL query, we're using the provided index patterns that include logs related to system audit and auditd.\n\n2. Event type filtering:\n - The SPL query filtered for `type=ADD_USER`. In ES|QL, we use `WHERE event.type == \"ADD_USER\"` to achieve the same filtering.\n\n3. Field renaming:\n - The SPL query renamed `hostname` to `dest`. In ES|QL, we use the `RENAME` command to rename `host.hostname` to `dest`, assuming the ECS field mapping.\n\n4. Statistics calculation:\n - The SPL query used `stats` to calculate count, min(_time), and max(_time). In ES|QL, we use the `STATS` command with `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` to achieve similar results.\n - The grouping fields are adjusted to match ECS field names:\n - `exe` -> `process.executable`\n - `pid` -> `process.pid`\n - `dest` remains the same (after renaming)\n - `res` -> `event.outcome`\n - `UID` -> `user.id`\n - `type` -> `event.type`\n\n5. Time conversion:\n - The SPL query used `security_content_ctime` function for time conversion. In ES|QL, we use the `EVAL` command with `TO_DATETIME` function to convert the `firstTime` and `lastTime` fields to datetime format.\n\n6. Additional notes:\n - The `search *` at the end of the SPL query is not necessary in ES|QL as it doesn't change the result set.\n - The ES|QL query assumes that the `@timestamp` field is used for event timestamps, which is standard in ECS.\n\nThis ES|QL query should provide equivalent functionality to the original Splunk query, adapted for Elastic Security and using ECS field names where appropriate." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-system_audit.package-* logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-* logs-auditd.log-*\n| WHERE event.type == \"ADD_USER\"\n| RENAME host.hostname AS dest\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, process.pid, dest, event.outcome, user.id, event.type\n| EVAL firstTime = TO_DATETIME(firstTime), lastTime = TO_DATETIME(lastTime)", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "index_patterns": [ "logs-system_audit.package-*", "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*", "logs-auditd.log-*" ], "query_language": "esql", "title": "Linux Auditd Add User Account Type", "integration_ids": [ "system_audit", "endpoint", "auditd" ] }, "_id": "8eKDTpMBwtRPKDL_CLKW" }, { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:04.527Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `linux_auditd` and `linux_auditd_normalized_proctitle_process` macros. In ES|QL, we're using the recommended index patterns for Elastic Endpoint Security events.\n\n2. Field mapping:\n - `host` was renamed to `dest` in the original query. In ECS, we use `host.name`.\n - `process_exec` is mapped to `process.executable` in ECS.\n - `proctitle` and `normalized_proctitle_delimiter` are combined into `process.command_line` in ECS.\n - `_time` is replaced with `@timestamp` in ECS.\n\n3. Filtering:\n - The `LIKE` function is used in ES|QL, which is equivalent to the SPL `LIKE` function.\n - We're checking for \"chown\" in the process executable and \"root\" in the process arguments.\n\n4. Statistics:\n - The `STATS` command in ES|QL is similar to SPL's `stats` command.\n - We use `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` for the count, firstTime, and lastTime respectively.\n - The `BY` clause groups the results by the relevant fields.\n\n5. Sorting:\n - Added a `SORT` command to order the results by count in descending order, which wasn't in the original query but is useful for identifying the most frequent occurrences.\n\n6. Removed:\n - The `security_content_ctime` function calls were removed as they are specific to Splunk. ES|QL uses the native datetime format.\n - The `linux_auditd_change_file_owner_to_root_filter` macro was not included as we don't have an equivalent in ES|QL. If there are specific filters in this macro, they would need to be added explicitly to the query.\n\nThis ES|QL query will detect the use of the 'chown' command to change a file owner to 'root' on a Linux system, using Elastic Endpoint Security events. It groups the results by the process details and host name, providing a count of occurrences and the first and last times the event was observed." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-*\n| WHERE process.executable LIKE \"%chown%\" AND process.args LIKE \"%root%\"\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, \n process.command_line, \n process.args, \n host.name\n| SORT count DESC", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "index_patterns": [ "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*" ], "query_language": "esql", "title": "Linux Auditd Change File Owner To Root", "integration_ids": [ "endpoint" ] }, "_id": "8uKDTpMBwtRPKDL_CLKW" } ] ``` ## Testing locally Enable the flag ``` xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled'] ``` Create the rule migration, add relevant macro resources and initiate the task. cURL request examples: <details> <summary>Rules migration `create` POST request</summary> ``` curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language":"spl", "mitre_attack_ids": [ "T1136" ] }, { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] } ]' ``` </details> <details> <summary>Add resources to migration ID</summary> - Assuming the connector `azureOpenAiGPT4o` is already created in the local environment. - Using the {{`migration_id`}} from the first POST request response ``` curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/respirces' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "type": "macro", "name": "security_content_ctime", "content": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)" }, { "type": "macro", "name": "linux_auditd_add_user_account_type_filter", "content": "search *" }, { "type": "macro", "name": "linux_auditd", "content": "sourcetype=\"linux:audit\"" }, { "type": "macro", "name": "linux_auditd_change_file_owner_to_root_filter", "content": "search *" } ]' ``` </details> <details> <summary>Rules migration `start` task request</summary> - Assuming the connector `azureOpenAiGPT4o` is already created in the local environment. - Using the {{`migration_id`}} from the first POST request response ``` curl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '{ "connectorId": "azureOpenAiGPT4o" }' ``` </details>
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
2 similar comments
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
|
Friendly reminder: Looks like this PR hasn’t been backported yet. |
semd
pushed a commit
to semd/kibana
that referenced
this pull request
Nov 30, 2024
…lastic#200922) ## Summary This is part 1 of a 2-3 part PR. This involes the initial implementation of the integration RAG, while part 2 focuses on prompt tuning, and a potential part 3 is the change from local JSON file to EPR client and further tuning of prompts and search result ranking. The change introduces a new feature to the rule migration, enriching the current graph implementation with metadata from available integrations, allowing us to currently choose the correct index patterns needed if a relevant integration is found. Changes in the PR: - Introduction of the `integration data client`, which might later be moved under resource. - Moving` translate_rule` node to its own subgraph, then divided into multiple nodes to support the RAG search step. - The creation and population of the index used to store the integration metadata, together with the `semantic_text` mapping used by the default included ELSER model. - Updates to `elastic_rule` type, to include the integration ID's and index patterns. ## Example finished task: ```json [ { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language": "spl", "mitre_attack_ids": [ "T1136" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:01.397Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `sourcetype=\"linux:audit\"`. In the ES|QL query, we're using the provided index patterns that include logs related to system audit and auditd.\n\n2. Event type filtering:\n - The SPL query filtered for `type=ADD_USER`. In ES|QL, we use `WHERE event.type == \"ADD_USER\"` to achieve the same filtering.\n\n3. Field renaming:\n - The SPL query renamed `hostname` to `dest`. In ES|QL, we use the `RENAME` command to rename `host.hostname` to `dest`, assuming the ECS field mapping.\n\n4. Statistics calculation:\n - The SPL query used `stats` to calculate count, min(_time), and max(_time). In ES|QL, we use the `STATS` command with `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` to achieve similar results.\n - The grouping fields are adjusted to match ECS field names:\n - `exe` -> `process.executable`\n - `pid` -> `process.pid`\n - `dest` remains the same (after renaming)\n - `res` -> `event.outcome`\n - `UID` -> `user.id`\n - `type` -> `event.type`\n\n5. Time conversion:\n - The SPL query used `security_content_ctime` function for time conversion. In ES|QL, we use the `EVAL` command with `TO_DATETIME` function to convert the `firstTime` and `lastTime` fields to datetime format.\n\n6. Additional notes:\n - The `search *` at the end of the SPL query is not necessary in ES|QL as it doesn't change the result set.\n - The ES|QL query assumes that the `@timestamp` field is used for event timestamps, which is standard in ECS.\n\nThis ES|QL query should provide equivalent functionality to the original Splunk query, adapted for Elastic Security and using ECS field names where appropriate." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-system_audit.package-* logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-* logs-auditd.log-*\n| WHERE event.type == \"ADD_USER\"\n| RENAME host.hostname AS dest\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, process.pid, dest, event.outcome, user.id, event.type\n| EVAL firstTime = TO_DATETIME(firstTime), lastTime = TO_DATETIME(lastTime)", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "index_patterns": [ "logs-system_audit.package-*", "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*", "logs-auditd.log-*" ], "query_language": "esql", "title": "Linux Auditd Add User Account Type", "integration_ids": [ "system_audit", "endpoint", "auditd" ] }, "_id": "8eKDTpMBwtRPKDL_CLKW" }, { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:04.527Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `linux_auditd` and `linux_auditd_normalized_proctitle_process` macros. In ES|QL, we're using the recommended index patterns for Elastic Endpoint Security events.\n\n2. Field mapping:\n - `host` was renamed to `dest` in the original query. In ECS, we use `host.name`.\n - `process_exec` is mapped to `process.executable` in ECS.\n - `proctitle` and `normalized_proctitle_delimiter` are combined into `process.command_line` in ECS.\n - `_time` is replaced with `@timestamp` in ECS.\n\n3. Filtering:\n - The `LIKE` function is used in ES|QL, which is equivalent to the SPL `LIKE` function.\n - We're checking for \"chown\" in the process executable and \"root\" in the process arguments.\n\n4. Statistics:\n - The `STATS` command in ES|QL is similar to SPL's `stats` command.\n - We use `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` for the count, firstTime, and lastTime respectively.\n - The `BY` clause groups the results by the relevant fields.\n\n5. Sorting:\n - Added a `SORT` command to order the results by count in descending order, which wasn't in the original query but is useful for identifying the most frequent occurrences.\n\n6. Removed:\n - The `security_content_ctime` function calls were removed as they are specific to Splunk. ES|QL uses the native datetime format.\n - The `linux_auditd_change_file_owner_to_root_filter` macro was not included as we don't have an equivalent in ES|QL. If there are specific filters in this macro, they would need to be added explicitly to the query.\n\nThis ES|QL query will detect the use of the 'chown' command to change a file owner to 'root' on a Linux system, using Elastic Endpoint Security events. It groups the results by the process details and host name, providing a count of occurrences and the first and last times the event was observed." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-*\n| WHERE process.executable LIKE \"%chown%\" AND process.args LIKE \"%root%\"\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, \n process.command_line, \n process.args, \n host.name\n| SORT count DESC", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "index_patterns": [ "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*" ], "query_language": "esql", "title": "Linux Auditd Change File Owner To Root", "integration_ids": [ "endpoint" ] }, "_id": "8uKDTpMBwtRPKDL_CLKW" } ] ``` ## Testing locally Enable the flag ``` xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled'] ``` Create the rule migration, add relevant macro resources and initiate the task. cURL request examples: <details> <summary>Rules migration `create` POST request</summary> ``` curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language":"spl", "mitre_attack_ids": [ "T1136" ] }, { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] } ]' ``` </details> <details> <summary>Add resources to migration ID</summary> - Assuming the connector `azureOpenAiGPT4o` is already created in the local environment. - Using the {{`migration_id`}} from the first POST request response ``` curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/respirces' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "type": "macro", "name": "security_content_ctime", "content": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)" }, { "type": "macro", "name": "linux_auditd_add_user_account_type_filter", "content": "search *" }, { "type": "macro", "name": "linux_auditd", "content": "sourcetype=\"linux:audit\"" }, { "type": "macro", "name": "linux_auditd_change_file_owner_to_root_filter", "content": "search *" } ]' ``` </details> <details> <summary>Rules migration `start` task request</summary> - Assuming the connector `azureOpenAiGPT4o` is already created in the local environment. - Using the {{`migration_id`}} from the first POST request response ``` curl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '{ "connectorId": "azureOpenAiGPT4o" }' ``` </details> (cherry picked from commit 556edb9)
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
semd
added a commit
that referenced
this pull request
Nov 30, 2024
…RAG (#200922) (#202381) # Backport This will backport the following commits from `main` to `8.x`: - [[Rules migration] Adding initial implementation of integration RAG (#200922)](#200922) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Marius Iversen","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-11-22T14:42:57Z","message":"[Rules migration] Adding initial implementation of integration RAG (#200922)\n\n## Summary\n\nThis is part 1 of a 2-3 part PR. This involes the initial implementation\nof the integration RAG, while part 2 focuses on prompt tuning, and a\npotential part 3 is the change from local JSON file to EPR client and\nfurther tuning of prompts and search result ranking.\n\nThe change introduces a new feature to the rule migration, enriching the\ncurrent graph implementation with metadata from available integrations,\nallowing us to currently choose the correct index patterns needed if a\nrelevant integration is found.\n\nChanges in the PR:\n\n- Introduction of the `integration data client`, which might later be\nmoved under resource.\n- Moving` translate_rule` node to its own subgraph, then divided into\nmultiple nodes to support the RAG search step.\n- The creation and population of the index used to store the integration\nmetadata, together with the `semantic_text` mapping used by the default\nincluded ELSER model.\n- Updates to `elastic_rule` type, to include the integration ID's and\nindex patterns.\n\n\n## Example finished task:\n```json\n[\n {\n \"migration_id\": \"3d4cae35-eb8d-49fe-960a-2ef17bc026c6\",\n \"original_rule\": {\n \"id\": \"f8c325ea-506e-4105-8ccf-da1492e90115\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Add User Account Type\",\n \"description\": \"The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.\",\n \"query\": \"sourcetype=\\\"linux:audit\\\" type=ADD_USER \\n| rename hostname as dest \\n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \\n| `security_content_ctime(firstTime)` \\n| `security_content_ctime(lastTime)`\\n| search *\",\n \"query_language\": \"spl\",\n \"mitre_attack_ids\": [\n \"T1136\"\n ]\n },\n \"@timestamp\": \"2024-11-21T11:37:10.548Z\",\n \"status\": \"completed\",\n \"created_by\": \"elastic\",\n \"updated_at\": \"2024-11-21T11:38:01.397Z\",\n \"updated_by\": \"elastic\",\n \"comments\": [\n \"## Migration Summary\\n\\n1. Source selection:\\n - The original SPL query used `sourcetype=\\\"linux:audit\\\"`. In the ES|QL query, we're using the provided index patterns that include logs related to system audit and auditd.\\n\\n2. Event type filtering:\\n - The SPL query filtered for `type=ADD_USER`. In ES|QL, we use `WHERE event.type == \\\"ADD_USER\\\"` to achieve the same filtering.\\n\\n3. Field renaming:\\n - The SPL query renamed `hostname` to `dest`. In ES|QL, we use the `RENAME` command to rename `host.hostname` to `dest`, assuming the ECS field mapping.\\n\\n4. Statistics calculation:\\n - The SPL query used `stats` to calculate count, min(_time), and max(_time). In ES|QL, we use the `STATS` command with `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` to achieve similar results.\\n - The grouping fields are adjusted to match ECS field names:\\n - `exe` -> `process.executable`\\n - `pid` -> `process.pid`\\n - `dest` remains the same (after renaming)\\n - `res` -> `event.outcome`\\n - `UID` -> `user.id`\\n - `type` -> `event.type`\\n\\n5. Time conversion:\\n - The SPL query used `security_content_ctime` function for time conversion. In ES|QL, we use the `EVAL` command with `TO_DATETIME` function to convert the `firstTime` and `lastTime` fields to datetime format.\\n\\n6. Additional notes:\\n - The `search *` at the end of the SPL query is not necessary in ES|QL as it doesn't change the result set.\\n - The ES|QL query assumes that the `@timestamp` field is used for event timestamps, which is standard in ECS.\\n\\nThis ES|QL query should provide equivalent functionality to the original Splunk query, adapted for Elastic Security and using ECS field names where appropriate.\"\n ],\n \"translation_result\": \"full\",\n \"elastic_rule\": {\n \"severity\": \"low\",\n \"query\": \"FROM logs-system_audit.package-* logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-* logs-auditd.log-*\\n| WHERE event.type == \\\"ADD_USER\\\"\\n| RENAME host.hostname AS dest\\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, process.pid, dest, event.outcome, user.id, event.type\\n| EVAL firstTime = TO_DATETIME(firstTime), lastTime = TO_DATETIME(lastTime)\",\n \"description\": \"The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.\",\n \"index_patterns\": [\n \"logs-system_audit.package-*\",\n \"logs-endpoint.events.api-*\",\n \"logs-endpoint.events.file-*\",\n \"logs-endpoint.events.library-*\",\n \"logs-endpoint.events.network-*\",\n \"logs-endpoint.events.process-*\",\n \"logs-endpoint.events.registry-*\",\n \"logs-endpoint.events.security-*\",\n \"logs-auditd.log-*\"\n ],\n \"query_language\": \"esql\",\n \"title\": \"Linux Auditd Add User Account Type\",\n \"integration_ids\": [\n \"system_audit\",\n \"endpoint\",\n \"auditd\"\n ]\n },\n \"_id\": \"8eKDTpMBwtRPKDL_CLKW\"\n },\n {\n \"migration_id\": \"3d4cae35-eb8d-49fe-960a-2ef17bc026c6\",\n \"original_rule\": {\n \"id\": \"7b87c556-0ca4-47e0-b84c-6cd62a0a3e90\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Change File Owner To Root\",\n \"description\": \"The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.\",\n \"query\": \"`linux_auditd` `linux_auditd_normalized_proctitle_process`\\r\\n| rename host as dest \\r\\n| where LIKE (process_exec, \\\"%chown %root%\\\") \\r\\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \\r\\n| `security_content_ctime(firstTime)` \\r\\n| `security_content_ctime(lastTime)`\\r\\n| `linux_auditd_change_file_owner_to_root_filter`\",\n \"query_language\": \"spl\",\n \"mitre_attack_ids\": [\n \"T1222\"\n ]\n },\n \"@timestamp\": \"2024-11-21T11:37:10.548Z\",\n \"status\": \"completed\",\n \"created_by\": \"elastic\",\n \"updated_at\": \"2024-11-21T11:38:04.527Z\",\n \"updated_by\": \"elastic\",\n \"comments\": [\n \"## Migration Summary\\n\\n1. Source selection:\\n - The original SPL query used `linux_auditd` and `linux_auditd_normalized_proctitle_process` macros. In ES|QL, we're using the recommended index patterns for Elastic Endpoint Security events.\\n\\n2. Field mapping:\\n - `host` was renamed to `dest` in the original query. In ECS, we use `host.name`.\\n - `process_exec` is mapped to `process.executable` in ECS.\\n - `proctitle` and `normalized_proctitle_delimiter` are combined into `process.command_line` in ECS.\\n - `_time` is replaced with `@timestamp` in ECS.\\n\\n3. Filtering:\\n - The `LIKE` function is used in ES|QL, which is equivalent to the SPL `LIKE` function.\\n - We're checking for \\\"chown\\\" in the process executable and \\\"root\\\" in the process arguments.\\n\\n4. Statistics:\\n - The `STATS` command in ES|QL is similar to SPL's `stats` command.\\n - We use `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` for the count, firstTime, and lastTime respectively.\\n - The `BY` clause groups the results by the relevant fields.\\n\\n5. Sorting:\\n - Added a `SORT` command to order the results by count in descending order, which wasn't in the original query but is useful for identifying the most frequent occurrences.\\n\\n6. Removed:\\n - The `security_content_ctime` function calls were removed as they are specific to Splunk. ES|QL uses the native datetime format.\\n - The `linux_auditd_change_file_owner_to_root_filter` macro was not included as we don't have an equivalent in ES|QL. If there are specific filters in this macro, they would need to be added explicitly to the query.\\n\\nThis ES|QL query will detect the use of the 'chown' command to change a file owner to 'root' on a Linux system, using Elastic Endpoint Security events. It groups the results by the process details and host name, providing a count of occurrences and the first and last times the event was observed.\"\n ],\n \"translation_result\": \"full\",\n \"elastic_rule\": {\n \"severity\": \"low\",\n \"query\": \"FROM logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-*\\n| WHERE process.executable LIKE \\\"%chown%\\\" AND process.args LIKE \\\"%root%\\\"\\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, \\n process.command_line, \\n process.args, \\n host.name\\n| SORT count DESC\",\n \"description\": \"The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.\",\n \"index_patterns\": [\n \"logs-endpoint.events.api-*\",\n \"logs-endpoint.events.file-*\",\n \"logs-endpoint.events.library-*\",\n \"logs-endpoint.events.network-*\",\n \"logs-endpoint.events.process-*\",\n \"logs-endpoint.events.registry-*\",\n \"logs-endpoint.events.security-*\"\n ],\n \"query_language\": \"esql\",\n \"title\": \"Linux Auditd Change File Owner To Root\",\n \"integration_ids\": [\n \"endpoint\"\n ]\n },\n \"_id\": \"8uKDTpMBwtRPKDL_CLKW\"\n }\n]\n```\n\n\n## Testing locally\n\nEnable the flag\n```\nxpack.securitySolution.enableExperimental: ['siemMigrationsEnabled']\n```\n\nCreate the rule migration, add relevant macro resources and initiate the\ntask.\n\ncURL request examples:\n\n<details>\n <summary>Rules migration `create` POST request</summary>\n\n```\ncurl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \\\n--header 'kbn-xsrf;' \\\n--header 'x-elastic-internal-origin: security-solution' \\\n--header 'elastic-api-version: 1' \\\n--header 'Content-Type: application/json' \\\n--data '[\n {\n \"id\": \"f8c325ea-506e-4105-8ccf-da1492e90115\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Add User Account Type\",\n \"description\": \"The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.\",\n \"query\": \"sourcetype=\\\"linux:audit\\\" type=ADD_USER \\n| rename hostname as dest \\n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \\n| `security_content_ctime(firstTime)` \\n| `security_content_ctime(lastTime)`\\n| search *\",\n \"query_language\":\"spl\",\n \"mitre_attack_ids\": [\n \"T1136\"\n ]\n },\n {\n \"id\": \"7b87c556-0ca4-47e0-b84c-6cd62a0a3e90\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Change File Owner To Root\",\n \"description\": \"The following analytic detects the use of the '\\''chown'\\'' command to change a file owner to '\\''root'\\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.\",\n \"query\": \"`linux_auditd` `linux_auditd_normalized_proctitle_process`\\r\\n| rename host as dest \\r\\n| where LIKE (process_exec, \\\"%chown %root%\\\") \\r\\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \\r\\n| `security_content_ctime(firstTime)` \\r\\n| `security_content_ctime(lastTime)`\\r\\n| `linux_auditd_change_file_owner_to_root_filter`\",\n \"query_language\": \"spl\",\n \"mitre_attack_ids\": [\n \"T1222\"\n ]\n }\n]'\n```\n</details>\n\n<details>\n <summary>Add resources to migration ID</summary>\n\n- Assuming the connector `azureOpenAiGPT4o` is already created in the\nlocal environment.\n- Using the {{`migration_id`}} from the first POST request response\n\n```\ncurl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/respirces' \\\n--header 'kbn-xsrf;' \\\n--header 'x-elastic-internal-origin: security-solution' \\\n--header 'elastic-api-version: 1' \\\n--header 'Content-Type: application/json' \\\n--data '[\n {\n \"type\": \"macro\",\n \"name\": \"security_content_ctime\",\n \"content\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\"\n },\n {\n \"type\": \"macro\",\n \"name\": \"linux_auditd_add_user_account_type_filter\",\n \"content\": \"search *\"\n },\n {\n \"type\": \"macro\",\n \"name\": \"linux_auditd\",\n \"content\": \"sourcetype=\\\"linux:audit\\\"\"\n },\n {\n \"type\": \"macro\",\n \"name\": \"linux_auditd_change_file_owner_to_root_filter\",\n \"content\": \"search *\"\n }\n]'\n```\n</details>\n\n<details>\n <summary>Rules migration `start` task request</summary>\n\n- Assuming the connector `azureOpenAiGPT4o` is already created in the\nlocal environment.\n- Using the {{`migration_id`}} from the first POST request response\n\n```\ncurl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start' \\\n--header 'kbn-xsrf;' \\\n--header 'x-elastic-internal-origin: security-solution' \\\n--header 'elastic-api-version: 1' \\\n--header 'Content-Type: application/json' \\\n--data '{\n \"connectorId\": \"azureOpenAiGPT4o\"\n}'\n```\n</details>","sha":"556edb99718a947e3e88b68d30af6e280f7da518","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","backport missing","v9.0.0","Team: SecuritySolution","backport:prev-minor"],"number":200922,"url":"https://github.com/elastic/kibana/pull/200922","mergeCommit":{"message":"[Rules migration] Adding initial implementation of integration RAG (#200922)\n\n## Summary\n\nThis is part 1 of a 2-3 part PR. This involes the initial implementation\nof the integration RAG, while part 2 focuses on prompt tuning, and a\npotential part 3 is the change from local JSON file to EPR client and\nfurther tuning of prompts and search result ranking.\n\nThe change introduces a new feature to the rule migration, enriching the\ncurrent graph implementation with metadata from available integrations,\nallowing us to currently choose the correct index patterns needed if a\nrelevant integration is found.\n\nChanges in the PR:\n\n- Introduction of the `integration data client`, which might later be\nmoved under resource.\n- Moving` translate_rule` node to its own subgraph, then divided into\nmultiple nodes to support the RAG search step.\n- The creation and population of the index used to store the integration\nmetadata, together with the `semantic_text` mapping used by the default\nincluded ELSER model.\n- Updates to `elastic_rule` type, to include the integration ID's and\nindex patterns.\n\n\n## Example finished task:\n```json\n[\n {\n \"migration_id\": \"3d4cae35-eb8d-49fe-960a-2ef17bc026c6\",\n \"original_rule\": {\n \"id\": \"f8c325ea-506e-4105-8ccf-da1492e90115\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Add User Account Type\",\n \"description\": \"The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.\",\n \"query\": \"sourcetype=\\\"linux:audit\\\" type=ADD_USER \\n| rename hostname as dest \\n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \\n| `security_content_ctime(firstTime)` \\n| `security_content_ctime(lastTime)`\\n| search *\",\n \"query_language\": \"spl\",\n \"mitre_attack_ids\": [\n \"T1136\"\n ]\n },\n \"@timestamp\": \"2024-11-21T11:37:10.548Z\",\n \"status\": \"completed\",\n \"created_by\": \"elastic\",\n \"updated_at\": \"2024-11-21T11:38:01.397Z\",\n \"updated_by\": \"elastic\",\n \"comments\": [\n \"## Migration Summary\\n\\n1. Source selection:\\n - The original SPL query used `sourcetype=\\\"linux:audit\\\"`. In the ES|QL query, we're using the provided index patterns that include logs related to system audit and auditd.\\n\\n2. Event type filtering:\\n - The SPL query filtered for `type=ADD_USER`. In ES|QL, we use `WHERE event.type == \\\"ADD_USER\\\"` to achieve the same filtering.\\n\\n3. Field renaming:\\n - The SPL query renamed `hostname` to `dest`. In ES|QL, we use the `RENAME` command to rename `host.hostname` to `dest`, assuming the ECS field mapping.\\n\\n4. Statistics calculation:\\n - The SPL query used `stats` to calculate count, min(_time), and max(_time). In ES|QL, we use the `STATS` command with `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` to achieve similar results.\\n - The grouping fields are adjusted to match ECS field names:\\n - `exe` -> `process.executable`\\n - `pid` -> `process.pid`\\n - `dest` remains the same (after renaming)\\n - `res` -> `event.outcome`\\n - `UID` -> `user.id`\\n - `type` -> `event.type`\\n\\n5. Time conversion:\\n - The SPL query used `security_content_ctime` function for time conversion. In ES|QL, we use the `EVAL` command with `TO_DATETIME` function to convert the `firstTime` and `lastTime` fields to datetime format.\\n\\n6. Additional notes:\\n - The `search *` at the end of the SPL query is not necessary in ES|QL as it doesn't change the result set.\\n - The ES|QL query assumes that the `@timestamp` field is used for event timestamps, which is standard in ECS.\\n\\nThis ES|QL query should provide equivalent functionality to the original Splunk query, adapted for Elastic Security and using ECS field names where appropriate.\"\n ],\n \"translation_result\": \"full\",\n \"elastic_rule\": {\n \"severity\": \"low\",\n \"query\": \"FROM logs-system_audit.package-* logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-* logs-auditd.log-*\\n| WHERE event.type == \\\"ADD_USER\\\"\\n| RENAME host.hostname AS dest\\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, process.pid, dest, event.outcome, user.id, event.type\\n| EVAL firstTime = TO_DATETIME(firstTime), lastTime = TO_DATETIME(lastTime)\",\n \"description\": \"The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.\",\n \"index_patterns\": [\n \"logs-system_audit.package-*\",\n \"logs-endpoint.events.api-*\",\n \"logs-endpoint.events.file-*\",\n \"logs-endpoint.events.library-*\",\n \"logs-endpoint.events.network-*\",\n \"logs-endpoint.events.process-*\",\n \"logs-endpoint.events.registry-*\",\n \"logs-endpoint.events.security-*\",\n \"logs-auditd.log-*\"\n ],\n \"query_language\": \"esql\",\n \"title\": \"Linux Auditd Add User Account Type\",\n \"integration_ids\": [\n \"system_audit\",\n \"endpoint\",\n \"auditd\"\n ]\n },\n \"_id\": \"8eKDTpMBwtRPKDL_CLKW\"\n },\n {\n \"migration_id\": \"3d4cae35-eb8d-49fe-960a-2ef17bc026c6\",\n \"original_rule\": {\n \"id\": \"7b87c556-0ca4-47e0-b84c-6cd62a0a3e90\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Change File Owner To Root\",\n \"description\": \"The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.\",\n \"query\": \"`linux_auditd` `linux_auditd_normalized_proctitle_process`\\r\\n| rename host as dest \\r\\n| where LIKE (process_exec, \\\"%chown %root%\\\") \\r\\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \\r\\n| `security_content_ctime(firstTime)` \\r\\n| `security_content_ctime(lastTime)`\\r\\n| `linux_auditd_change_file_owner_to_root_filter`\",\n \"query_language\": \"spl\",\n \"mitre_attack_ids\": [\n \"T1222\"\n ]\n },\n \"@timestamp\": \"2024-11-21T11:37:10.548Z\",\n \"status\": \"completed\",\n \"created_by\": \"elastic\",\n \"updated_at\": \"2024-11-21T11:38:04.527Z\",\n \"updated_by\": \"elastic\",\n \"comments\": [\n \"## Migration Summary\\n\\n1. Source selection:\\n - The original SPL query used `linux_auditd` and `linux_auditd_normalized_proctitle_process` macros. In ES|QL, we're using the recommended index patterns for Elastic Endpoint Security events.\\n\\n2. Field mapping:\\n - `host` was renamed to `dest` in the original query. In ECS, we use `host.name`.\\n - `process_exec` is mapped to `process.executable` in ECS.\\n - `proctitle` and `normalized_proctitle_delimiter` are combined into `process.command_line` in ECS.\\n - `_time` is replaced with `@timestamp` in ECS.\\n\\n3. Filtering:\\n - The `LIKE` function is used in ES|QL, which is equivalent to the SPL `LIKE` function.\\n - We're checking for \\\"chown\\\" in the process executable and \\\"root\\\" in the process arguments.\\n\\n4. Statistics:\\n - The `STATS` command in ES|QL is similar to SPL's `stats` command.\\n - We use `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` for the count, firstTime, and lastTime respectively.\\n - The `BY` clause groups the results by the relevant fields.\\n\\n5. Sorting:\\n - Added a `SORT` command to order the results by count in descending order, which wasn't in the original query but is useful for identifying the most frequent occurrences.\\n\\n6. Removed:\\n - The `security_content_ctime` function calls were removed as they are specific to Splunk. ES|QL uses the native datetime format.\\n - The `linux_auditd_change_file_owner_to_root_filter` macro was not included as we don't have an equivalent in ES|QL. If there are specific filters in this macro, they would need to be added explicitly to the query.\\n\\nThis ES|QL query will detect the use of the 'chown' command to change a file owner to 'root' on a Linux system, using Elastic Endpoint Security events. It groups the results by the process details and host name, providing a count of occurrences and the first and last times the event was observed.\"\n ],\n \"translation_result\": \"full\",\n \"elastic_rule\": {\n \"severity\": \"low\",\n \"query\": \"FROM logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-*\\n| WHERE process.executable LIKE \\\"%chown%\\\" AND process.args LIKE \\\"%root%\\\"\\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, \\n process.command_line, \\n process.args, \\n host.name\\n| SORT count DESC\",\n \"description\": \"The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.\",\n \"index_patterns\": [\n \"logs-endpoint.events.api-*\",\n \"logs-endpoint.events.file-*\",\n \"logs-endpoint.events.library-*\",\n \"logs-endpoint.events.network-*\",\n \"logs-endpoint.events.process-*\",\n \"logs-endpoint.events.registry-*\",\n \"logs-endpoint.events.security-*\"\n ],\n \"query_language\": \"esql\",\n \"title\": \"Linux Auditd Change File Owner To Root\",\n \"integration_ids\": [\n \"endpoint\"\n ]\n },\n \"_id\": \"8uKDTpMBwtRPKDL_CLKW\"\n }\n]\n```\n\n\n## Testing locally\n\nEnable the flag\n```\nxpack.securitySolution.enableExperimental: ['siemMigrationsEnabled']\n```\n\nCreate the rule migration, add relevant macro resources and initiate the\ntask.\n\ncURL request examples:\n\n<details>\n <summary>Rules migration `create` POST request</summary>\n\n```\ncurl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \\\n--header 'kbn-xsrf;' \\\n--header 'x-elastic-internal-origin: security-solution' \\\n--header 'elastic-api-version: 1' \\\n--header 'Content-Type: application/json' \\\n--data '[\n {\n \"id\": \"f8c325ea-506e-4105-8ccf-da1492e90115\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Add User Account Type\",\n \"description\": \"The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.\",\n \"query\": \"sourcetype=\\\"linux:audit\\\" type=ADD_USER \\n| rename hostname as dest \\n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \\n| `security_content_ctime(firstTime)` \\n| `security_content_ctime(lastTime)`\\n| search *\",\n \"query_language\":\"spl\",\n \"mitre_attack_ids\": [\n \"T1136\"\n ]\n },\n {\n \"id\": \"7b87c556-0ca4-47e0-b84c-6cd62a0a3e90\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Change File Owner To Root\",\n \"description\": \"The following analytic detects the use of the '\\''chown'\\'' command to change a file owner to '\\''root'\\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.\",\n \"query\": \"`linux_auditd` `linux_auditd_normalized_proctitle_process`\\r\\n| rename host as dest \\r\\n| where LIKE (process_exec, \\\"%chown %root%\\\") \\r\\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \\r\\n| `security_content_ctime(firstTime)` \\r\\n| `security_content_ctime(lastTime)`\\r\\n| `linux_auditd_change_file_owner_to_root_filter`\",\n \"query_language\": \"spl\",\n \"mitre_attack_ids\": [\n \"T1222\"\n ]\n }\n]'\n```\n</details>\n\n<details>\n <summary>Add resources to migration ID</summary>\n\n- Assuming the connector `azureOpenAiGPT4o` is already created in the\nlocal environment.\n- Using the {{`migration_id`}} from the first POST request response\n\n```\ncurl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/respirces' \\\n--header 'kbn-xsrf;' \\\n--header 'x-elastic-internal-origin: security-solution' \\\n--header 'elastic-api-version: 1' \\\n--header 'Content-Type: application/json' \\\n--data '[\n {\n \"type\": \"macro\",\n \"name\": \"security_content_ctime\",\n \"content\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\"\n },\n {\n \"type\": \"macro\",\n \"name\": \"linux_auditd_add_user_account_type_filter\",\n \"content\": \"search *\"\n },\n {\n \"type\": \"macro\",\n \"name\": \"linux_auditd\",\n \"content\": \"sourcetype=\\\"linux:audit\\\"\"\n },\n {\n \"type\": \"macro\",\n \"name\": \"linux_auditd_change_file_owner_to_root_filter\",\n \"content\": \"search *\"\n }\n]'\n```\n</details>\n\n<details>\n <summary>Rules migration `start` task request</summary>\n\n- Assuming the connector `azureOpenAiGPT4o` is already created in the\nlocal environment.\n- Using the {{`migration_id`}} from the first POST request response\n\n```\ncurl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start' \\\n--header 'kbn-xsrf;' \\\n--header 'x-elastic-internal-origin: security-solution' \\\n--header 'elastic-api-version: 1' \\\n--header 'Content-Type: application/json' \\\n--data '{\n \"connectorId\": \"azureOpenAiGPT4o\"\n}'\n```\n</details>","sha":"556edb99718a947e3e88b68d30af6e280f7da518"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","labelRegex":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/200922","number":200922,"mergeCommit":{"message":"[Rules migration] Adding initial implementation of integration RAG (#200922)\n\n## Summary\n\nThis is part 1 of a 2-3 part PR. This involes the initial implementation\nof the integration RAG, while part 2 focuses on prompt tuning, and a\npotential part 3 is the change from local JSON file to EPR client and\nfurther tuning of prompts and search result ranking.\n\nThe change introduces a new feature to the rule migration, enriching the\ncurrent graph implementation with metadata from available integrations,\nallowing us to currently choose the correct index patterns needed if a\nrelevant integration is found.\n\nChanges in the PR:\n\n- Introduction of the `integration data client`, which might later be\nmoved under resource.\n- Moving` translate_rule` node to its own subgraph, then divided into\nmultiple nodes to support the RAG search step.\n- The creation and population of the index used to store the integration\nmetadata, together with the `semantic_text` mapping used by the default\nincluded ELSER model.\n- Updates to `elastic_rule` type, to include the integration ID's and\nindex patterns.\n\n\n## Example finished task:\n```json\n[\n {\n \"migration_id\": \"3d4cae35-eb8d-49fe-960a-2ef17bc026c6\",\n \"original_rule\": {\n \"id\": \"f8c325ea-506e-4105-8ccf-da1492e90115\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Add User Account Type\",\n \"description\": \"The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.\",\n \"query\": \"sourcetype=\\\"linux:audit\\\" type=ADD_USER \\n| rename hostname as dest \\n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \\n| `security_content_ctime(firstTime)` \\n| `security_content_ctime(lastTime)`\\n| search *\",\n \"query_language\": \"spl\",\n \"mitre_attack_ids\": [\n \"T1136\"\n ]\n },\n \"@timestamp\": \"2024-11-21T11:37:10.548Z\",\n \"status\": \"completed\",\n \"created_by\": \"elastic\",\n \"updated_at\": \"2024-11-21T11:38:01.397Z\",\n \"updated_by\": \"elastic\",\n \"comments\": [\n \"## Migration Summary\\n\\n1. Source selection:\\n - The original SPL query used `sourcetype=\\\"linux:audit\\\"`. In the ES|QL query, we're using the provided index patterns that include logs related to system audit and auditd.\\n\\n2. Event type filtering:\\n - The SPL query filtered for `type=ADD_USER`. In ES|QL, we use `WHERE event.type == \\\"ADD_USER\\\"` to achieve the same filtering.\\n\\n3. Field renaming:\\n - The SPL query renamed `hostname` to `dest`. In ES|QL, we use the `RENAME` command to rename `host.hostname` to `dest`, assuming the ECS field mapping.\\n\\n4. Statistics calculation:\\n - The SPL query used `stats` to calculate count, min(_time), and max(_time). In ES|QL, we use the `STATS` command with `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` to achieve similar results.\\n - The grouping fields are adjusted to match ECS field names:\\n - `exe` -> `process.executable`\\n - `pid` -> `process.pid`\\n - `dest` remains the same (after renaming)\\n - `res` -> `event.outcome`\\n - `UID` -> `user.id`\\n - `type` -> `event.type`\\n\\n5. Time conversion:\\n - The SPL query used `security_content_ctime` function for time conversion. In ES|QL, we use the `EVAL` command with `TO_DATETIME` function to convert the `firstTime` and `lastTime` fields to datetime format.\\n\\n6. Additional notes:\\n - The `search *` at the end of the SPL query is not necessary in ES|QL as it doesn't change the result set.\\n - The ES|QL query assumes that the `@timestamp` field is used for event timestamps, which is standard in ECS.\\n\\nThis ES|QL query should provide equivalent functionality to the original Splunk query, adapted for Elastic Security and using ECS field names where appropriate.\"\n ],\n \"translation_result\": \"full\",\n \"elastic_rule\": {\n \"severity\": \"low\",\n \"query\": \"FROM logs-system_audit.package-* logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-* logs-auditd.log-*\\n| WHERE event.type == \\\"ADD_USER\\\"\\n| RENAME host.hostname AS dest\\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, process.pid, dest, event.outcome, user.id, event.type\\n| EVAL firstTime = TO_DATETIME(firstTime), lastTime = TO_DATETIME(lastTime)\",\n \"description\": \"The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.\",\n \"index_patterns\": [\n \"logs-system_audit.package-*\",\n \"logs-endpoint.events.api-*\",\n \"logs-endpoint.events.file-*\",\n \"logs-endpoint.events.library-*\",\n \"logs-endpoint.events.network-*\",\n \"logs-endpoint.events.process-*\",\n \"logs-endpoint.events.registry-*\",\n \"logs-endpoint.events.security-*\",\n \"logs-auditd.log-*\"\n ],\n \"query_language\": \"esql\",\n \"title\": \"Linux Auditd Add User Account Type\",\n \"integration_ids\": [\n \"system_audit\",\n \"endpoint\",\n \"auditd\"\n ]\n },\n \"_id\": \"8eKDTpMBwtRPKDL_CLKW\"\n },\n {\n \"migration_id\": \"3d4cae35-eb8d-49fe-960a-2ef17bc026c6\",\n \"original_rule\": {\n \"id\": \"7b87c556-0ca4-47e0-b84c-6cd62a0a3e90\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Change File Owner To Root\",\n \"description\": \"The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.\",\n \"query\": \"`linux_auditd` `linux_auditd_normalized_proctitle_process`\\r\\n| rename host as dest \\r\\n| where LIKE (process_exec, \\\"%chown %root%\\\") \\r\\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \\r\\n| `security_content_ctime(firstTime)` \\r\\n| `security_content_ctime(lastTime)`\\r\\n| `linux_auditd_change_file_owner_to_root_filter`\",\n \"query_language\": \"spl\",\n \"mitre_attack_ids\": [\n \"T1222\"\n ]\n },\n \"@timestamp\": \"2024-11-21T11:37:10.548Z\",\n \"status\": \"completed\",\n \"created_by\": \"elastic\",\n \"updated_at\": \"2024-11-21T11:38:04.527Z\",\n \"updated_by\": \"elastic\",\n \"comments\": [\n \"## Migration Summary\\n\\n1. Source selection:\\n - The original SPL query used `linux_auditd` and `linux_auditd_normalized_proctitle_process` macros. In ES|QL, we're using the recommended index patterns for Elastic Endpoint Security events.\\n\\n2. Field mapping:\\n - `host` was renamed to `dest` in the original query. In ECS, we use `host.name`.\\n - `process_exec` is mapped to `process.executable` in ECS.\\n - `proctitle` and `normalized_proctitle_delimiter` are combined into `process.command_line` in ECS.\\n - `_time` is replaced with `@timestamp` in ECS.\\n\\n3. Filtering:\\n - The `LIKE` function is used in ES|QL, which is equivalent to the SPL `LIKE` function.\\n - We're checking for \\\"chown\\\" in the process executable and \\\"root\\\" in the process arguments.\\n\\n4. Statistics:\\n - The `STATS` command in ES|QL is similar to SPL's `stats` command.\\n - We use `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` for the count, firstTime, and lastTime respectively.\\n - The `BY` clause groups the results by the relevant fields.\\n\\n5. Sorting:\\n - Added a `SORT` command to order the results by count in descending order, which wasn't in the original query but is useful for identifying the most frequent occurrences.\\n\\n6. Removed:\\n - The `security_content_ctime` function calls were removed as they are specific to Splunk. ES|QL uses the native datetime format.\\n - The `linux_auditd_change_file_owner_to_root_filter` macro was not included as we don't have an equivalent in ES|QL. If there are specific filters in this macro, they would need to be added explicitly to the query.\\n\\nThis ES|QL query will detect the use of the 'chown' command to change a file owner to 'root' on a Linux system, using Elastic Endpoint Security events. It groups the results by the process details and host name, providing a count of occurrences and the first and last times the event was observed.\"\n ],\n \"translation_result\": \"full\",\n \"elastic_rule\": {\n \"severity\": \"low\",\n \"query\": \"FROM logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-*\\n| WHERE process.executable LIKE \\\"%chown%\\\" AND process.args LIKE \\\"%root%\\\"\\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, \\n process.command_line, \\n process.args, \\n host.name\\n| SORT count DESC\",\n \"description\": \"The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.\",\n \"index_patterns\": [\n \"logs-endpoint.events.api-*\",\n \"logs-endpoint.events.file-*\",\n \"logs-endpoint.events.library-*\",\n \"logs-endpoint.events.network-*\",\n \"logs-endpoint.events.process-*\",\n \"logs-endpoint.events.registry-*\",\n \"logs-endpoint.events.security-*\"\n ],\n \"query_language\": \"esql\",\n \"title\": \"Linux Auditd Change File Owner To Root\",\n \"integration_ids\": [\n \"endpoint\"\n ]\n },\n \"_id\": \"8uKDTpMBwtRPKDL_CLKW\"\n }\n]\n```\n\n\n## Testing locally\n\nEnable the flag\n```\nxpack.securitySolution.enableExperimental: ['siemMigrationsEnabled']\n```\n\nCreate the rule migration, add relevant macro resources and initiate the\ntask.\n\ncURL request examples:\n\n<details>\n <summary>Rules migration `create` POST request</summary>\n\n```\ncurl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \\\n--header 'kbn-xsrf;' \\\n--header 'x-elastic-internal-origin: security-solution' \\\n--header 'elastic-api-version: 1' \\\n--header 'Content-Type: application/json' \\\n--data '[\n {\n \"id\": \"f8c325ea-506e-4105-8ccf-da1492e90115\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Add User Account Type\",\n \"description\": \"The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.\",\n \"query\": \"sourcetype=\\\"linux:audit\\\" type=ADD_USER \\n| rename hostname as dest \\n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \\n| `security_content_ctime(firstTime)` \\n| `security_content_ctime(lastTime)`\\n| search *\",\n \"query_language\":\"spl\",\n \"mitre_attack_ids\": [\n \"T1136\"\n ]\n },\n {\n \"id\": \"7b87c556-0ca4-47e0-b84c-6cd62a0a3e90\",\n \"vendor\": \"splunk\",\n \"title\": \"Linux Auditd Change File Owner To Root\",\n \"description\": \"The following analytic detects the use of the '\\''chown'\\'' command to change a file owner to '\\''root'\\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.\",\n \"query\": \"`linux_auditd` `linux_auditd_normalized_proctitle_process`\\r\\n| rename host as dest \\r\\n| where LIKE (process_exec, \\\"%chown %root%\\\") \\r\\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \\r\\n| `security_content_ctime(firstTime)` \\r\\n| `security_content_ctime(lastTime)`\\r\\n| `linux_auditd_change_file_owner_to_root_filter`\",\n \"query_language\": \"spl\",\n \"mitre_attack_ids\": [\n \"T1222\"\n ]\n }\n]'\n```\n</details>\n\n<details>\n <summary>Add resources to migration ID</summary>\n\n- Assuming the connector `azureOpenAiGPT4o` is already created in the\nlocal environment.\n- Using the {{`migration_id`}} from the first POST request response\n\n```\ncurl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/respirces' \\\n--header 'kbn-xsrf;' \\\n--header 'x-elastic-internal-origin: security-solution' \\\n--header 'elastic-api-version: 1' \\\n--header 'Content-Type: application/json' \\\n--data '[\n {\n \"type\": \"macro\",\n \"name\": \"security_content_ctime\",\n \"content\": \"convert timeformat=\\\"%Y-%m-%dT%H:%M:%S\\\" ctime($field$)\"\n },\n {\n \"type\": \"macro\",\n \"name\": \"linux_auditd_add_user_account_type_filter\",\n \"content\": \"search *\"\n },\n {\n \"type\": \"macro\",\n \"name\": \"linux_auditd\",\n \"content\": \"sourcetype=\\\"linux:audit\\\"\"\n },\n {\n \"type\": \"macro\",\n \"name\": \"linux_auditd_change_file_owner_to_root_filter\",\n \"content\": \"search *\"\n }\n]'\n```\n</details>\n\n<details>\n <summary>Rules migration `start` task request</summary>\n\n- Assuming the connector `azureOpenAiGPT4o` is already created in the\nlocal environment.\n- Using the {{`migration_id`}} from the first POST request response\n\n```\ncurl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start' \\\n--header 'kbn-xsrf;' \\\n--header 'x-elastic-internal-origin: security-solution' \\\n--header 'elastic-api-version: 1' \\\n--header 'Content-Type: application/json' \\\n--data '{\n \"connectorId\": \"azureOpenAiGPT4o\"\n}'\n```\n</details>","sha":"556edb99718a947e3e88b68d30af6e280f7da518"}}]}] BACKPORT--> Co-authored-by: Marius Iversen <[email protected]>
kibanamachine
added
v8.18.0
and removed
backport missing
CAWilson94
pushed a commit
to CAWilson94/kibana
that referenced
this pull request
Dec 12, 2024
…lastic#200922) ## Summary This is part 1 of a 2-3 part PR. This involes the initial implementation of the integration RAG, while part 2 focuses on prompt tuning, and a potential part 3 is the change from local JSON file to EPR client and further tuning of prompts and search result ranking. The change introduces a new feature to the rule migration, enriching the current graph implementation with metadata from available integrations, allowing us to currently choose the correct index patterns needed if a relevant integration is found. Changes in the PR: - Introduction of the `integration data client`, which might later be moved under resource. - Moving` translate_rule` node to its own subgraph, then divided into multiple nodes to support the RAG search step. - The creation and population of the index used to store the integration metadata, together with the `semantic_text` mapping used by the default included ELSER model. - Updates to `elastic_rule` type, to include the integration ID's and index patterns. ## Example finished task: ```json [ { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language": "spl", "mitre_attack_ids": [ "T1136" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:01.397Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `sourcetype=\"linux:audit\"`. In the ES|QL query, we're using the provided index patterns that include logs related to system audit and auditd.\n\n2. Event type filtering:\n - The SPL query filtered for `type=ADD_USER`. In ES|QL, we use `WHERE event.type == \"ADD_USER\"` to achieve the same filtering.\n\n3. Field renaming:\n - The SPL query renamed `hostname` to `dest`. In ES|QL, we use the `RENAME` command to rename `host.hostname` to `dest`, assuming the ECS field mapping.\n\n4. Statistics calculation:\n - The SPL query used `stats` to calculate count, min(_time), and max(_time). In ES|QL, we use the `STATS` command with `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` to achieve similar results.\n - The grouping fields are adjusted to match ECS field names:\n - `exe` -> `process.executable`\n - `pid` -> `process.pid`\n - `dest` remains the same (after renaming)\n - `res` -> `event.outcome`\n - `UID` -> `user.id`\n - `type` -> `event.type`\n\n5. Time conversion:\n - The SPL query used `security_content_ctime` function for time conversion. In ES|QL, we use the `EVAL` command with `TO_DATETIME` function to convert the `firstTime` and `lastTime` fields to datetime format.\n\n6. Additional notes:\n - The `search *` at the end of the SPL query is not necessary in ES|QL as it doesn't change the result set.\n - The ES|QL query assumes that the `@timestamp` field is used for event timestamps, which is standard in ECS.\n\nThis ES|QL query should provide equivalent functionality to the original Splunk query, adapted for Elastic Security and using ECS field names where appropriate." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-system_audit.package-* logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-* logs-auditd.log-*\n| WHERE event.type == \"ADD_USER\"\n| RENAME host.hostname AS dest\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, process.pid, dest, event.outcome, user.id, event.type\n| EVAL firstTime = TO_DATETIME(firstTime), lastTime = TO_DATETIME(lastTime)", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "index_patterns": [ "logs-system_audit.package-*", "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*", "logs-auditd.log-*" ], "query_language": "esql", "title": "Linux Auditd Add User Account Type", "integration_ids": [ "system_audit", "endpoint", "auditd" ] }, "_id": "8eKDTpMBwtRPKDL_CLKW" }, { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:04.527Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `linux_auditd` and `linux_auditd_normalized_proctitle_process` macros. In ES|QL, we're using the recommended index patterns for Elastic Endpoint Security events.\n\n2. Field mapping:\n - `host` was renamed to `dest` in the original query. In ECS, we use `host.name`.\n - `process_exec` is mapped to `process.executable` in ECS.\n - `proctitle` and `normalized_proctitle_delimiter` are combined into `process.command_line` in ECS.\n - `_time` is replaced with `@timestamp` in ECS.\n\n3. Filtering:\n - The `LIKE` function is used in ES|QL, which is equivalent to the SPL `LIKE` function.\n - We're checking for \"chown\" in the process executable and \"root\" in the process arguments.\n\n4. Statistics:\n - The `STATS` command in ES|QL is similar to SPL's `stats` command.\n - We use `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` for the count, firstTime, and lastTime respectively.\n - The `BY` clause groups the results by the relevant fields.\n\n5. Sorting:\n - Added a `SORT` command to order the results by count in descending order, which wasn't in the original query but is useful for identifying the most frequent occurrences.\n\n6. Removed:\n - The `security_content_ctime` function calls were removed as they are specific to Splunk. ES|QL uses the native datetime format.\n - The `linux_auditd_change_file_owner_to_root_filter` macro was not included as we don't have an equivalent in ES|QL. If there are specific filters in this macro, they would need to be added explicitly to the query.\n\nThis ES|QL query will detect the use of the 'chown' command to change a file owner to 'root' on a Linux system, using Elastic Endpoint Security events. It groups the results by the process details and host name, providing a count of occurrences and the first and last times the event was observed." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-*\n| WHERE process.executable LIKE \"%chown%\" AND process.args LIKE \"%root%\"\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, \n process.command_line, \n process.args, \n host.name\n| SORT count DESC", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "index_patterns": [ "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*" ], "query_language": "esql", "title": "Linux Auditd Change File Owner To Root", "integration_ids": [ "endpoint" ] }, "_id": "8uKDTpMBwtRPKDL_CLKW" } ] ``` ## Testing locally Enable the flag ``` xpack.securitySolution.enableExperimental: ['siemMigrationsEnabled'] ``` Create the rule migration, add relevant macro resources and initiate the task. cURL request examples: <details> <summary>Rules migration `create` POST request</summary> ``` curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language":"spl", "mitre_attack_ids": [ "T1136" ] }, { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the '\''chown'\'' command to change a file owner to '\''root'\'' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] } ]' ``` </details> <details> <summary>Add resources to migration ID</summary> - Assuming the connector `azureOpenAiGPT4o` is already created in the local environment. - Using the {{`migration_id`}} from the first POST request response ``` curl --location --request POST 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/respirces' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '[ { "type": "macro", "name": "security_content_ctime", "content": "convert timeformat=\"%Y-%m-%dT%H:%M:%S\" ctime($field$)" }, { "type": "macro", "name": "linux_auditd_add_user_account_type_filter", "content": "search *" }, { "type": "macro", "name": "linux_auditd", "content": "sourcetype=\"linux:audit\"" }, { "type": "macro", "name": "linux_auditd_change_file_owner_to_root_filter", "content": "search *" } ]' ``` </details> <details> <summary>Rules migration `start` task request</summary> - Assuming the connector `azureOpenAiGPT4o` is already created in the local environment. - Using the {{`migration_id`}} from the first POST request response ``` curl --location --request PUT 'http://elastic:changeme@localhost:5601/internal/siem_migrations/rules/{{migration_id}}/start' \ --header 'kbn-xsrf;' \ --header 'x-elastic-internal-origin: security-solution' \ --header 'elastic-api-version: 1' \ --header 'Content-Type: application/json' \ --data '{ "connectorId": "azureOpenAiGPT4o" }' ``` </details>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This is part 1 of a 2-3 part PR. This involes the initial implementation of the integration RAG, while part 2 focuses on prompt tuning, and a potential part 3 is the change from local JSON file to EPR client and further tuning of prompts and search result ranking.
The change introduces a new feature to the rule migration, enriching the current graph implementation with metadata from available integrations, allowing us to currently choose the correct index patterns needed if a relevant integration is found.
Changes in the PR:
integration data client, which might later be moved under resource.translate_rulenode to its own subgraph, then divided into multiple nodes to support the RAG search step.semantic_textmapping used by the default included ELSER model.elastic_ruletype, to include the integration ID's and index patterns.Example finished task:
[ { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "f8c325ea-506e-4105-8ccf-da1492e90115", "vendor": "splunk", "title": "Linux Auditd Add User Account Type", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "query": "sourcetype=\"linux:audit\" type=ADD_USER \n| rename hostname as dest \n| stats count min(_time) as firstTime max(_time) as lastTime by exe pid dest res UID type \n| `security_content_ctime(firstTime)` \n| `security_content_ctime(lastTime)`\n| search *", "query_language": "spl", "mitre_attack_ids": [ "T1136" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:01.397Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `sourcetype=\"linux:audit\"`. In the ES|QL query, we're using the provided index patterns that include logs related to system audit and auditd.\n\n2. Event type filtering:\n - The SPL query filtered for `type=ADD_USER`. In ES|QL, we use `WHERE event.type == \"ADD_USER\"` to achieve the same filtering.\n\n3. Field renaming:\n - The SPL query renamed `hostname` to `dest`. In ES|QL, we use the `RENAME` command to rename `host.hostname` to `dest`, assuming the ECS field mapping.\n\n4. Statistics calculation:\n - The SPL query used `stats` to calculate count, min(_time), and max(_time). In ES|QL, we use the `STATS` command with `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` to achieve similar results.\n - The grouping fields are adjusted to match ECS field names:\n - `exe` -> `process.executable`\n - `pid` -> `process.pid`\n - `dest` remains the same (after renaming)\n - `res` -> `event.outcome`\n - `UID` -> `user.id`\n - `type` -> `event.type`\n\n5. Time conversion:\n - The SPL query used `security_content_ctime` function for time conversion. In ES|QL, we use the `EVAL` command with `TO_DATETIME` function to convert the `firstTime` and `lastTime` fields to datetime format.\n\n6. Additional notes:\n - The `search *` at the end of the SPL query is not necessary in ES|QL as it doesn't change the result set.\n - The ES|QL query assumes that the `@timestamp` field is used for event timestamps, which is standard in ECS.\n\nThis ES|QL query should provide equivalent functionality to the original Splunk query, adapted for Elastic Security and using ECS field names where appropriate." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-system_audit.package-* logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-* logs-auditd.log-*\n| WHERE event.type == \"ADD_USER\"\n| RENAME host.hostname AS dest\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, process.pid, dest, event.outcome, user.id, event.type\n| EVAL firstTime = TO_DATETIME(firstTime), lastTime = TO_DATETIME(lastTime)", "description": "The following analytic detects the suspicious add user account type. This behavior is critical for a SOC to monitor because it may indicate attempts to gain unauthorized access or maintain control over a system. Such actions could be signs of malicious activity. If confirmed, this could lead to serious consequences, including a compromised system, unauthorized access to sensitive data, or even a wider breach affecting the entire network. Detecting and responding to these signs early is essential to prevent potential security incidents.", "index_patterns": [ "logs-system_audit.package-*", "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*", "logs-auditd.log-*" ], "query_language": "esql", "title": "Linux Auditd Add User Account Type", "integration_ids": [ "system_audit", "endpoint", "auditd" ] }, "_id": "8eKDTpMBwtRPKDL_CLKW" }, { "migration_id": "3d4cae35-eb8d-49fe-960a-2ef17bc026c6", "original_rule": { "id": "7b87c556-0ca4-47e0-b84c-6cd62a0a3e90", "vendor": "splunk", "title": "Linux Auditd Change File Owner To Root", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "query": "`linux_auditd` `linux_auditd_normalized_proctitle_process`\r\n| rename host as dest \r\n| where LIKE (process_exec, \"%chown %root%\") \r\n| stats count min(_time) as firstTime max(_time) as lastTime by process_exec proctitle normalized_proctitle_delimiter dest \r\n| `security_content_ctime(firstTime)` \r\n| `security_content_ctime(lastTime)`\r\n| `linux_auditd_change_file_owner_to_root_filter`", "query_language": "spl", "mitre_attack_ids": [ "T1222" ] }, "@timestamp": "2024-11-21T11:37:10.548Z", "status": "completed", "created_by": "elastic", "updated_at": "2024-11-21T11:38:04.527Z", "updated_by": "elastic", "comments": [ "## Migration Summary\n\n1. Source selection:\n - The original SPL query used `linux_auditd` and `linux_auditd_normalized_proctitle_process` macros. In ES|QL, we're using the recommended index patterns for Elastic Endpoint Security events.\n\n2. Field mapping:\n - `host` was renamed to `dest` in the original query. In ECS, we use `host.name`.\n - `process_exec` is mapped to `process.executable` in ECS.\n - `proctitle` and `normalized_proctitle_delimiter` are combined into `process.command_line` in ECS.\n - `_time` is replaced with `@timestamp` in ECS.\n\n3. Filtering:\n - The `LIKE` function is used in ES|QL, which is equivalent to the SPL `LIKE` function.\n - We're checking for \"chown\" in the process executable and \"root\" in the process arguments.\n\n4. Statistics:\n - The `STATS` command in ES|QL is similar to SPL's `stats` command.\n - We use `COUNT(*)`, `MIN(@timestamp)`, and `MAX(@timestamp)` for the count, firstTime, and lastTime respectively.\n - The `BY` clause groups the results by the relevant fields.\n\n5. Sorting:\n - Added a `SORT` command to order the results by count in descending order, which wasn't in the original query but is useful for identifying the most frequent occurrences.\n\n6. Removed:\n - The `security_content_ctime` function calls were removed as they are specific to Splunk. ES|QL uses the native datetime format.\n - The `linux_auditd_change_file_owner_to_root_filter` macro was not included as we don't have an equivalent in ES|QL. If there are specific filters in this macro, they would need to be added explicitly to the query.\n\nThis ES|QL query will detect the use of the 'chown' command to change a file owner to 'root' on a Linux system, using Elastic Endpoint Security events. It groups the results by the process details and host name, providing a count of occurrences and the first and last times the event was observed." ], "translation_result": "full", "elastic_rule": { "severity": "low", "query": "FROM logs-endpoint.events.api-* logs-endpoint.events.file-* logs-endpoint.events.library-* logs-endpoint.events.network-* logs-endpoint.events.process-* logs-endpoint.events.registry-* logs-endpoint.events.security-*\n| WHERE process.executable LIKE \"%chown%\" AND process.args LIKE \"%root%\"\n| STATS count = COUNT(*), firstTime = MIN(@timestamp), lastTime = MAX(@timestamp) BY process.executable, \n process.command_line, \n process.args, \n host.name\n| SORT count DESC", "description": "The following analytic detects the use of the 'chown' command to change a file owner to 'root' on a Linux system. It leverages Linux Auditd telemetry, specifically monitoring command-line executions and process details. This activity is significant as it may indicate an attempt to escalate privileges by adversaries, malware, or red teamers. If confirmed malicious, this action could allow an attacker to gain root-level access, leading to full control over the compromised host and potential persistence within the environment.", "index_patterns": [ "logs-endpoint.events.api-*", "logs-endpoint.events.file-*", "logs-endpoint.events.library-*", "logs-endpoint.events.network-*", "logs-endpoint.events.process-*", "logs-endpoint.events.registry-*", "logs-endpoint.events.security-*" ], "query_language": "esql", "title": "Linux Auditd Change File Owner To Root", "integration_ids": [ "endpoint" ] }, "_id": "8uKDTpMBwtRPKDL_CLKW" } ]Testing locally
Enable the flag
Create the rule migration, add relevant macro resources and initiate the task.
cURL request examples:
Rules migration `create` POST request
Add resources to migration ID
azureOpenAiGPT4ois already created in the local environment.migration_id}} from the first POST request responseRules migration `start` task request
azureOpenAiGPT4ois already created in the local environment.migration_id}} from the first POST request response