adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes #10

Merged
merged 5 commits into from
Apr 30, 2021

Conversation


@dhurley14 dhurley14 commented Apr 29, 2021

adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes

Summary

Pull down this branch and run ES locally using the following steps:

Running ES locally

  1. Edit gradle/run.gradle and add the setting 'xpack.security.authc.api_key.enabled', 'true' after line 24
  2. ./gradlew run # this runs with a trial license
  3. Execute the curl command below to post the kibana_elastic user
curl -u elastic:password -X POST "http://127.0.0.1:9200/_security/user/kibana_elastic?pretty" -H 'Content-Type: application/json' -d '{"password":"changeme","roles":["superuser"],"full_name":"kibana","email":"jacknich@example.com"}'
  4. Set kibana.dev.yml to use kibana_elastic as the user:
elasticsearch:
  username: 'kibana_elastic'
  password: 'changeme'
  hosts: 'http://127.0.0.1:9200'

Start up kibana

You should now be able to create a rule which generates alerts and then "find" those alerts (using the kibana system user) using the script located at x-pack/plugins/rule_registry/server/scripts/get_security_solution_alert.sh

Test data
POST myfakeindex-1/_doc
{
  "message": "hello world 1"
}

POST myfakeindex-2/_doc
{
  "message": "hello world 2",
  "event": {
    "ingested": "2021-04-30T15:23:03.520Z" <replace with current ISO date>
  }
}

POST myfakeindex-3/_doc
{
  "message": "hello world 3",
  "@timestamp": "2021-04-30T15:23:03.520Z" <replace with current ISO date>
}

Create a rule to query myfa* and it should generate an alert in the security solution

To get the alert, change directory into x-pack/plugins/rule_registry/server/scripts and execute

term$ ./get_security_solution_alert.sh

This script will post the security role and observer role and execute a find using the new alerts-as-data client. To test the authz functionality, execute the below, expecting a 403 response.

term$ ./get_security_solution_alert.sh observer
term$ {
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Unauthorized to get \"rac:8.0.0:siem/get\" alert\""
}

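The authz behaviour the test script exercises, as an added example that is not part of this PR or of the Kibana rule_registry code: the alert document carries an `owner` (the field this PR adds to the siem-signals mapping), and that owner selects the privilege string the caller must hold, e.g. "rac:8.0.0:siem/get". The principal, alert and index types, the `authorize`/`getAlert`/`findAlerts` functions and the two sample users are hypothetical and constructed for this example; only the privilege-string shape and the denial-response shape come from the PR description.

```typescript
// Added example (not Kibana/rule_registry code): owner-scoped authorization
// for alerts-as-data reads. All names below are hypothetical.

const RAC_VERSION = '8.0.0'; // version segment of "rac:8.0.0:siem/get" on the page

type Operation = 'get' | 'find';

interface AlertDoc {
  id: string;
  owner: string; // e.g. 'siem' or 'observability'
  message: string;
}

interface Principal {
  username: string;
  privileges: ReadonlySet<string>; // granted privilege strings, e.g. 'rac:8.0.0:siem/get'
}

interface Denial {
  statusCode: number;
  error: string;
  message: string;
}

function isDenial(x: unknown): x is Denial {
  return typeof x === 'object' && x !== null && 'statusCode' in x && 'error' in x;
}

// Privilege required to perform `operation` on alerts owned by `owner`.
function requiredPrivilege(owner: string, operation: Operation): string {
  return `rac:${RAC_VERSION}:${owner}/${operation}`;
}

// Returns null when allowed, otherwise a denial shaped like the response in the PR
// description (which reports 401; see the note below on 401 vs 403).
function authorize(principal: Principal, owner: string, operation: Operation): Denial | null {
  const privilege = requiredPrivilege(owner, operation);
  if (principal.privileges.has(privilege)) return null;
  return {
    statusCode: 401,
    error: 'Unauthorized',
    message: `Unauthorized to ${operation} "${privilege}" alert`,
  };
}

// Single-alert read: the owner lives on the document, so it must be fetched
// before the check, but nothing is returned to the caller until the check passes.
function getAlert(principal: Principal, index: ReadonlyMap<string, AlertDoc>, id: string): AlertDoc | Denial {
  const doc = index.get(id);
  if (doc === undefined) {
    return { statusCode: 404, error: 'Not Found', message: `alert ${id} not found` };
  }
  const denied = authorize(principal, doc.owner, 'get');
  return denied ?? doc;
}

// Search scoped to one owner: denied outright if the caller lacks the find privilege
// for that owner; otherwise only that owner's documents are returned, so a query can
// never widen into another solution's alerts (design choice of this example).
function findAlerts(principal: Principal, index: ReadonlyMap<string, AlertDoc>, owner: string): AlertDoc[] | Denial {
  const denied = authorize(principal, owner, 'find');
  if (denied) return denied;
  return [...index.values()].filter((doc) => doc.owner === owner);
}

// Constructed sample data, mirroring the PR's security and observer roles.
const securityUser: Principal = {
  username: 'security_analyst',
  privileges: new Set([requiredPrivilege('siem', 'get'), requiredPrivilege('siem', 'find')]),
};
const observerUser: Principal = {
  username: 'observer',
  privileges: new Set([requiredPrivilege('observability', 'get'), requiredPrivilege('observability', 'find')]),
};
const sampleAlerts: ReadonlyMap<string, AlertDoc> = new Map<string, AlertDoc>([
  ['a1', { id: 'a1', owner: 'siem', message: 'hello world 1' }],
  ['a2', { id: 'a2', owner: 'siem', message: 'hello world 2' }],
  ['o1', { id: 'o1', owner: 'observability', message: 'latency spike' }],
]);

// Usage: the observer is refused a siem-owned alert, the security user is not.
console.log(getAlert(observerUser, sampleAlerts, 'a1'));
console.log(getAlert(securityUser, sampleAlerts, 'a1'));
```

Two points a reviewer would check against the real implementation: a caller that is authenticated but lacks the privilege is conventionally refused with 403, not the 401 shown in the sample output (401 means the request was not authenticated at all), and answering 404 for a missing id while answering 401/403 for an unauthorized one lets a low-privilege user probe which alert ids exist; returning the same denial in both cases closes that oracle.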
@dhurley14 dhurley14 merged commit cd62a2f into yctercero:rac_rbac_poc Apr 30, 2021
@dhurley14 dhurley14 deleted the rac-create-owners branch April 30, 2021 18:42
yctercero pushed a commit that referenced this pull request May 5, 2021
…for security solution, need to work through rule registry changes (#10)

* adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes

* minor cleanup

* undo owner change in rule registry, will come in different pr

* enhances user experience of test scripts

* response error
yctercero pushed a commit that referenced this pull request May 11, 2021
dhurley14 added a commit that referenced this pull request May 12, 2021