Merged
25 changes: 25 additions & 0 deletions custom_schemas/custom_base.yml
Expand Up @@ -52,6 +52,14 @@
description: >
The action request information

- name: data.alert_id
type: alias
path: EndpointActions.data.alert_id
level: custom
short: EndpointActions.data.alert_id
description: >
List of alert ids that triggered the action

- name: data.command
type: alias
path: EndpointActions.data.command
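Review bot: `short` for the new `data.alert_id` alias repeats the field path (`short: EndpointActions.data.alert_id`) instead of giving a human-readable summary; the companion definition in custom_endpoint_actions.yml and the other aliases added in this file (`short: rule id`, `short: rule name`) use plain wording, so `short: alert id` would be consistent.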
Expand Down Expand Up @@ -101,6 +109,23 @@
description: >
The user id

- name: rule_id
type: alias
path: rule.id
level: custom
short: rule id
description: >
ID of the rule that triggered the action

- name: rule_name
type: alias
path: rule.name
level: custom
short: rule name
description: >
Name of the rule that triggered the action


# response alias fields
- name: completed_at
type: alias
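Review bot: the two new aliases are named `rule_id` and `rule_name` (underscore style) while the other aliases in this file use the dotted name of their target (`data.alert_id`, `data.command`); given the ECS naming request elsewhere in this review, confirm the flat names are intentional. Also drop one of the two consecutive blank lines this hunk introduces before `# response alias fields`.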
7 changes: 7 additions & 0 deletions custom_schemas/custom_endpoint_actions.yml
Expand Up @@ -35,6 +35,13 @@
short: data
description: >
The action request information
- name: data.alert_id
type: keyword
level: custom
short: alert id
description: >
List of alert ids that triggered the action
Comment on lines +39 to +44
Member

Thanks for the changes. The fact that this is a keyword means we can store an array of strings here, so you can have multiple alert ids in the doc. Just that we should conform to ECS naming best practices.

- name: data.command
type: keyword
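Review bot: the description "List of alert ids that triggered the action" says this keyword holds several values, but nothing in the definition records that it is multi-valued; the generated fields.yml in this PR handles the same situation for `event.type` by stating "This field is an array." in the description, so add the same sentence here (and, if the schema tooling supports it, the ECS `normalize: array` marker) so consumers know to expect a list rather than a single id.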
4 changes: 4 additions & 0 deletions custom_subsets/elastic_endpoint/actions/actions.yaml
Expand Up @@ -23,6 +23,10 @@ fields:
agent:
fields:
id: {}
rule:
fields:
id: {}
name: {}
Comment on lines +26 to +29
Member

Q: Do we need these fields also in the response index? If yes, then we need to add this to the action_responses/action_responses.yml file too.

error:
fields:
code: {}
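Review bot: this subset pulls `rule.id` and `rule.name` into the actions index only; the action_responses hunks in this PR add just `data.alert_id`, yet custom_base.yml in the same PR adds `rule_id`/`rule_name` aliases whose `path` is `rule.id`/`rule.name`. If custom_base.yml is applied to both indices, as its name suggests, those aliases will point at a field that does not exist on the response side, which is the question the member comment above raises. Either add `rule` with `id` and `name` to action_responses/action_responses.yml as well, or keep the aliases out of the response schema.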
11 changes: 11 additions & 0 deletions package/endpoint/data_stream/action_responses/fields/fields.yml
Expand Up @@ -26,6 +26,11 @@
type: alias
description: Request completion timestamp when the response is done executing. Usually matches with @timestamp.
path: EndpointActions.completed_at
- name: data.alert_id
level: custom
type: alias
description: List of alert ids that triggered the action
path: EndpointActions.data.alert_id
- name: data.command
level: custom
type: alias
Expand Down Expand Up @@ -69,6 +74,12 @@
type: object
description: The action request information
default_field: false
- name: data.alert_id
level: custom
type: keyword
ignore_above: 1024
description: List of alert ids that triggered the action
default_field: false
- name: data.command
level: custom
type: keyword
34 changes: 34 additions & 0 deletions package/endpoint/data_stream/actions/fields/fields.yml
Expand Up @@ -21,6 +21,11 @@
type: alias
description: 'Alias field that maps to {agent: {id}}'
path: agent.id
- name: data.alert_id
level: custom
type: alias
description: List of alert ids that triggered the action
path: EndpointActions.data.alert_id
- name: data.command
level: custom
type: alias
Expand Down Expand Up @@ -69,6 +74,12 @@
type: object
description: The action request information
default_field: false
- name: data.alert_id
level: custom
type: keyword
ignore_above: 1024
description: List of alert ids that triggered the action
default_field: false
- name: data.command
level: custom
type: keyword
Expand Down Expand Up @@ -285,6 +296,29 @@
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization.

This field is an array. This will allow proper categorization of some events that fall in multiple event types.'
- name: rule
title: Rule
group: 2
description: 'Rule fields are used to capture the specifics of any observer or agent rules that generate alerts or other notable events.

Examples of data sources that would populate the rule fields include: network admission control platforms, network or host IDS/IPS, network firewalls, web application firewalls, url filters, endpoint detection and response (EDR) systems, etc.'
type: group
default_field: true
fields:
- name: id
level: extended
type: keyword
ignore_above: 1024
description: A rule ID that is unique within the scope of an agent, observer, or other entity using the rule for detection of this event.
example: 101
default_field: false
- name: name
level: extended
type: keyword
ignore_above: 1024
description: The name of the rule or signature generating the event.
example: BLOCK_DNS_over_TLS
default_field: false
- name: user
title: User
group: 2
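Review bot: the new `rule` group is declared `default_field: true` while both of its members (`id`, `name`) are `default_field: false`, so neither rule.id nor rule.name will be matched by query_string searches that rely on the default field set; confirm that is intended, since the aliases added in custom_base.yml describe these as the rule that triggered the action and analysts commonly pivot on rule names. The examples `101` and `BLOCK_DNS_over_TLS` are ECS's generic samples; an example shaped like an endpoint detection rule id and name would make the rendered docs more useful for this data stream.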
20 changes: 20 additions & 0 deletions schemas/v1/action_responses/action_responses.yaml
43 changes: 43 additions & 0 deletions schemas/v1/actions/actions.yaml