[8.14] [Telemetry][Security Solution] Use the proper index to query builtin alerts (elastic#187859) (elastic#188235)

# Backport

This will backport the following commits from `main` to `8.14`:
- [[Telemetry][Security Solution] Use the proper index to query builtin
alerts (elastic#187859)](elastic#187859)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Sebastián
Zaffarano","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-07-12T13:17:43Z","message":"[Telemetry][Security
Solution] Use the proper index to query builtin alerts (elastic#187859)\n\n##
Summary\r\n\r\nhttps://github.com/elastic/pull/177263 changed the
way\r\n`telemetry-prebuilt-rule-alerts` get data from elastic, but it
changed\r\nthe index used to run the queries. This PR fixes it using the
proper\r\nindex.","sha":"a120c510b9738aab0fb5f9296515a82f6f0792a6","branchLabelMapping":{"^v8.16.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","Team:
SecuritySolution","v8.14.0","v8.15.0","v8.16.0"],"title":"[Telemetry][Security
Solution] Use the proper index to query builtin
alerts","number":187859,"url":"https://github.com/elastic/kibana/pull/187859","mergeCommit":{"message":"[Telemetry][Security
Solution] Use the proper index to query builtin alerts (elastic#187859)\n\n##
Summary\r\n\r\nhttps://github.com/elastic/pull/177263 changed the
way\r\n`telemetry-prebuilt-rule-alerts` get data from elastic, but it
changed\r\nthe index used to run the queries. This PR fixes it using the
proper\r\nindex.","sha":"a120c510b9738aab0fb5f9296515a82f6f0792a6"}},"sourceBranch":"main","suggestedTargetBranches":["8.14","8.15"],"targetPullRequestStates":[{"branch":"8.14","label":"v8.14.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.15","label":"v8.15.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.16.0","branchLabelMappingKey":"^v8.16.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/187859","number":187859,"mergeCommit":{"message":"[Telemetry][Security
Solution] Use the proper index to query builtin alerts (elastic#187859)\n\n##
Summary\r\n\r\nhttps://github.com/elastic/pull/177263 changed the
way\r\n`telemetry-prebuilt-rule-alerts` get data from elastic, but it
changed\r\nthe index used to run the queries. This PR fixes it using the
proper\r\nindex.","sha":"a120c510b9738aab0fb5f9296515a82f6f0792a6"}}]}]
BACKPORT-->

Co-authored-by: Elastic Machine <[email protected]>
szaffarano and elasticmachine authored Jul 15, 2024
1 parent a24ff97 commit 655f25e
Showing 6 changed files with 1,023 additions and 4 deletions.
@@ -0,0 +1,185 @@
{
"@timestamp": "2024-07-09T12:07:22.061Z",
"kibana.alert.ancestors": [
{
"id": "yEVhkpABheYIwp45uyhA",
"type": "event",
"index": ".ds-logs-endpoint.alerts-default-2024.07.08-000001",
"depth": 0
}
],
"kibana.alert.depth": 1,
"kibana.alert.original_event.action": "rule_detection",
"kibana.alert.original_event.category": "behavior",
"kibana.alert.original_event.dataset": "endpoint.diagnostic.collection",
"kibana.alert.original_event.kind": "alert",
"kibana.alert.original_event.module": "endpoint",
"kibana.alert.original_event.type": "info",
"kibana.alert.original_time": "2024-07-08T12:46:42.856Z",
"kibana.alert.risk_score": 47,
"kibana.alert.rule.actions": [],
"kibana.alert.rule.category": "Custom Query Rule",
"kibana.alert.rule.consumer": "siem",
"kibana.alert.rule.created_at": "2024-07-08T12:00:22.100Z",
"kibana.alert.rule.enabled": true,
"kibana.alert.rule.exceptions_list": [
{
"id": "endpoint_list",
"list_id": "endpoint_list",
"type": "endpoint",
"namespace_type": "agnostic"
}
],
"kibana.alert.rule.execution.uuid": "740f5acd-6dfa-4b71-878a-2dcbf615f0d2",
"kibana.alert.rule.false_positives": [],
"kibana.alert.rule.from": "now-10m",
"kibana.alert.rule.immutable": true,
"kibana.alert.rule.interval": "5m",
"kibana.alert.rule.name": "Endpoint Security",
"kibana.alert.rule.producer": "siem",
"kibana.alert.rule.references": [],
"kibana.alert.rule.risk_score_mapping": [
{
"field": "event.risk_score",
"operator": "equals",
"value": ""
}
],
"kibana.alert.rule.rule_id": "9a1a2dae-0b5f-4c3d-8305-a268d404c306",
"kibana.alert.rule.rule_type_id": "siem.queryRule",
"kibana.alert.rule.severity": "medium",
"kibana.alert.rule.severity_mapping": [
{
"field": "event.severity",
"operator": "equals",
"severity": "low",
"value": "21"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "medium",
"value": "47"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "high",
"value": "73"
},
{
"field": "event.severity",
"operator": "equals",
"severity": "critical",
"value": "99"
}
],
"kibana.alert.rule.tags": ["Data Source: Elastic Defend"],
"kibana.alert.rule.threat": [],
"kibana.alert.rule.timestamp_override": "event.ingested",
"kibana.alert.rule.type": "query",
"kibana.alert.rule.updated_at": "2024-07-08T12:00:22.100Z",
"kibana.alert.rule.uuid": "5623aff4-d3f2-41c8-9542-ef7e6515ce40",
"kibana.alert.rule.version": 103,
"kibana.alert.severity": "medium",
"kibana.alert.status": "active",
"kibana.alert.uuid": "76713cff0f7c8e81bd7462f94c5fc6df4d3b52d9737ccc35a38c5efa42f47c26",
"kibana.alert.workflow_status": "open",
"kibana.space_ids": ["default"],
"kibana.version": "8.14.2",
"event.ingested": "2024-07-08T12:46:36Z",
"event.kind": "signal",
"event.action": "rule_detection",
"event.id": "87f78f3b-5f84-434a-ac37-6c9e414c4df9",
"event.type": "info",
"event.category": "behavior",
"event.dataset": "endpoint.diagnostic.collection",
"event.module": "endpoint",
"agent": {
"id": "9e6f8f6a-6913-47a1-8a38-2a9ba87f8894"
},
"destination": {
"port": 443,
"ip": "10.102.118.219"
},
"dll": [
{
"code_signature": {
"subject_name": "Cybereason Inc",
"trusted": true
},
"path": "",
"hash": {
"sha256": "8ad40c90a611d36eb8f9eb24fa04f7dbca713db383ff55a03aa0f382e92061a2"
}
}
],
"host": {
"os": {
"Ext": {
"variant": "Windows Server Release 2"
},
"name": "Windows",
"family": "windows",
"version": "6.3",
"platform": "Windows",
"full": "Windows Server 2012R2"
}
},
"network": {
"transport": "tcp",
"type": "ipv4",
"direction": "outgoing"
},
"process": {
"code_signature": {
"status": "trusted",
"subject_name": "Microsoft Windows"
},
"entity_id": "5hdvz461o6",
"entry_leader": {
"name": "fake entry",
"pid": 376,
"entity_id": "jpd1z6lsu6"
},
"executable": "C:/fake_behavior/notepad.exe",
"Ext": {
"token": {
"integrity_level_name": "high"
}
},
"name": "notepad.exe",
"parent": {
"entity_id": "iv54turo1i",
"pid": 1
},
"pid": 2,
"session_leader": {
"name": "fake session",
"pid": 891,
"entity_id": "jpd1z6lsu6"
}
},
"registry": {
"data": {
"strings": "C:/fake_behavior/notepad.exe"
},
"path": "",
"value": "notepad.exe"
},
"source": {
"port": 59406,
"ip": "10.43.68.40"
},
"user": {
"domain": "qbf98z0au1"
},
"file": {
"name": "fake_behavior.exe",
"path": "C:/fake_behavior.exe"
},
"licence_id": "b7d16098-16fc-42fb-ab0f-40e2394c2375",
"cluster_uuid": "BldID7FMTb66oQgpvC5Uyg",
"cluster_name": "es-test-cluster",
"task_version": "1.2.0"
}
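Review bot: This fixture mixes obviously synthetic values (`fake_behavior`, `fake entry`, `fake session`) with identifiers that read as real — `licence_id`, `cluster_uuid`, `agent.id`, the `dll[0].hash.sha256` of a signed binary and a real vendor's `code_signature.subject_name` — and nothing in the section says whether they were scrubbed from a live cluster. JSON cannot carry a comment, so either state the provenance where the fixture is consumed (a one-line note in the test that loads it, or a README beside it) or replace the realistic-looking values with plainly constructed ones, e.g. an all-zero `sha256` and `00000000-0000-0000-0000-000000000001`-style UUIDs. That keeps a telemetry test document from being mistaken for customer data or for an indicator of a real binary. The file path and the test that consumes this document are not visible in this section, so where such a note belongs is inferred.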
