Elastic Security: Bulk Detection Rule Modification via Detection API - JIRA Connector
Thanks to James Spiteri at Elastic.
Requirements
Install jq for your Linux distribution:
jq
- jq 1.5 is in the official Debian and Ubuntu repositories. Install using: sudo apt-get install jq
- jq 1.5 is in the official Fedora repository. Install using: sudo dnf install jq
- jq 1.4 is in the official openSUSE repository. Install using: sudo zypper install jq
- jq 1.5 is in the official Arch repository. Install using: sudo pacman -S jq
Bulk Detection Rule Modification
Encode Elastic username and password
You will need to create a user with superuser rights and base64-encode its credentials in the form
username:password
You can use https://www.base64encode.org to do this.
Result
dXNlcm5hbWU6cGFzc3dvcmQ=
The encoded output goes into the Authorization header of every request:
'Authorization: Basic (Encoded Base64)'
curl -XGET https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/actions --header 'kbn-xsrf: kibana' --header 'Content-Type: multipart/form-data' --header 'Authorization: Basic (Encoded Base64)'
Example
'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='
Load Elastic Action IDs
curl -XGET https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/actions --header 'kbn-xsrf: kibana' --header 'Content-Type: multipart/form-data' --header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='
Output
[
  {
    "id": "(Action ID)",
    "actionTypeId": ".jira",
    "name": "JIRA",
    "config": {
      "apiUrl": "https://(JIRA Instance).atlassian.net",
      "projectKey": "SOC",
      "incidentConfiguration": null,
      "isCaseOwned": null
    },
    "isPreconfigured": false,
    "referencedByCount": 266
  },
  {
    "id": "(Action ID)",
    "actionTypeId": ".server-log",
    "name": "Monitoring: Write to Kibana log",
    "config": {},
    "isPreconfigured": false,
    "referencedByCount": 10
  },
  {
    "id": "(Action ID)",
    "actionTypeId": ".jira",
    "name": "Security Operations Center",
    "config": {
      "apiUrl": "https://(JIRA Instance).atlassian.net",
      "projectKey": "ES",
      "incidentConfiguration": {
        "mapping": [
          {
            "actionType": "overwrite",
            "source": "title",
            "target": "summary"
          },
          {
            "actionType": "overwrite",
            "source": "description",
            "target": "description"
          },
          {
            "actionType": "append",
            "source": "comments",
            "target": "comments"
          }
        ]
      }
    },
    "isPreconfigured": false,
    "referencedByCount": 0
  }
]
You will need to take the Action ID of the JIRA connector you want to attach to your rules.
I will use the following Action ID for this JIRA Action.
  {
    "id": "(Action ID)",
    "actionTypeId": ".jira",
    "name": "JIRA",
    "config": {
      "apiUrl": "https://(JIRA Instance).atlassian.net",
      "projectKey": "SOC",
      "incidentConfiguration": null,
      "isCaseOwned": null
    }
  }
per_page=X
Set X to at least the number of enabled rules you have; the _find call below returns at most X rules, so any rule beyond that count would be skipped. For this example I will use 250.
#!/usr/bin/env bash
# Bulk-attach the JIRA connector action to every enabled detection rule.
KIBANA_URL='https://<System Generated ID>.eastus2.azure.elastic-cloud.com:9243'
AUTH='Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='   # base64 of username:password

# jq prints each rule id as a quoted JSON string, which is exactly what the PATCH body below needs.
for i in $(curl --silent --location --request GET "$KIBANA_URL/api/detection_engine/rules/_find?per_page=250&filter=alert.attributes.enabled:true" --header 'kbn-xsrf: kibana' --header "$AUTH" | jq '.data[].id'); do
  echo "Updating Rule ID $i"
  curl --silent --location --request PATCH "$KIBANA_URL/api/detection_engine/rules" --header 'kbn-xsrf: kibana' --header "$AUTH" --header 'Content-Type: application/json' --data-raw '{
    "id": '$i',
    "throttle": "rule",
    "actions": [
      {
        "action_type_id": ".jira",
        "id": "<Action ID>",
        "params": {
          "subActionParams": {
            "comments": [],
            "incident": {
              "issueType": "<Issue Type Number>",
              "summary": "{{alertName}}",
              "description": "h3. View Detection:\\n\\n[View Detection Alert|{{{context.results_link}}}]\\n\\nh4. Source\\n\\n{{#context.alerts}} \\n\\nSource IP Address: {{source.ip}}\\n\\nSource Port: {{source.port}}\\n\\n{{/context.alerts}}\\n\\n\\nh4. Destination\\n\\n{{#context.alerts}} \\n\\nDestination IP Address: {{destination.ip}}\\n\\nDestination Port: {{destination.port}}\\n\\n{{/context.alerts}}\\n\\n{code:json}\n{{#context.alerts}}{{{.}}}{{/context.alerts}}\n{code}"
            }
          },
          "subAction": "pushToService"
        },
        "group": "default"
      }
    ]
  }' | jq .
  echo "Rule ID $i has been updated."
done
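The same procedure as an added Python example (this is not the script from the page or from Elastic). It reads the credentials from environment variables instead of pasting the base64 header into a command line, picks the JIRA connector by name and refuses to continue if the name is missing or ambiguous, walks the _find pages using the response's total instead of guessing per_page, and builds the same PATCH body the curl loop sends. The environment variable names, the page/perPage/total fields of the _find response, the page query parameter, and the shortened description template are assumptions; the endpoints and the action payload shape come from the page.

```python
"""Added example: bulk-attach a Jira connector action to every enabled
Elastic Security detection rule through the Kibana detection API.
Endpoints as on the page; env-var names and paging fields are assumptions."""
import base64
import json
import os
import urllib.request
from typing import Callable, Optional

# Shortened Jira wiki-markup description (assumption; replace with the page's full template).
DESCRIPTION_TEMPLATE = (
    "h3. View Detection:\n\n[View Detection Alert|{{{context.results_link}}}]\n\n"
    "{code:json}\n{{#context.alerts}}{{{.}}}{{/context.alerts}}\n{code}"
)


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value the page produces by hand on base64encode.org."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def select_action_id(actions: list, name: str, action_type: str = ".jira") -> str:
    """Pick one connector id from GET /api/actions output by name and type.
    Raise if zero or several match, so a typo cannot wire every rule to the wrong connector."""
    matches = [a["id"] for a in actions
               if a.get("actionTypeId") == action_type and a.get("name") == name]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {action_type} action named {name!r}, found {len(matches)}")
    return matches[0]


def collect_enabled_rule_ids(fetch_page: Callable[[int, int], dict], per_page: int = 100) -> list:
    """Walk _find pages until 'total' ids are collected (assumed page/total fields),
    instead of hoping a single per_page=X covers every enabled rule."""
    ids, page = [], 1
    while True:
        resp = fetch_page(page, per_page)
        ids.extend(r["id"] for r in resp["data"])
        if len(ids) >= resp["total"] or not resp["data"]:
            return ids
        page += 1


def build_rule_patch(rule_id: str, action_id: str, issue_type: str) -> dict:
    """PATCH body that attaches the Jira pushToService action, same shape as the page's curl body."""
    return {
        "id": rule_id,
        "throttle": "rule",
        "actions": [{
            "action_type_id": ".jira",
            "id": action_id,
            "group": "default",
            "params": {
                "subAction": "pushToService",
                "subActionParams": {
                    "comments": [],
                    "incident": {
                        "issueType": issue_type,
                        "summary": "{{alertName}}",
                        "description": DESCRIPTION_TEMPLATE,
                    },
                },
            },
        }],
    }


def kibana_request(base_url: str, auth: str, method: str, path: str, body: Optional[dict] = None) -> dict:
    """Minimal Kibana API call; the kbn-xsrf header is required on every request."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method, headers={
        "kbn-xsrf": "kibana", "Authorization": auth, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # KIBANA_URL looks like https://<System Generated ID>.eastus2.azure.elastic-cloud.com:9243
    base = os.environ["KIBANA_URL"]
    auth = basic_auth_header(os.environ["ELASTIC_USER"], os.environ["ELASTIC_PASSWORD"])
    action_id = select_action_id(kibana_request(base, auth, "GET", "/api/actions"), name="JIRA")
    rule_ids = collect_enabled_rule_ids(lambda p, n: kibana_request(
        base, auth, "GET",
        f"/api/detection_engine/rules/_find?per_page={n}&page={p}&filter=alert.attributes.enabled:true"))
    issue_type = os.environ.get("JIRA_ISSUE_TYPE", "<Issue Type Number>")
    for rid in rule_ids:
        kibana_request(base, auth, "PATCH", "/api/detection_engine/rules",
                       build_rule_patch(rid, action_id, issue_type))
        print(f"Rule ID {rid} has been updated.")
```

Run it with KIBANA_URL, ELASTIC_USER, ELASTIC_PASSWORD and JIRA_ISSUE_TYPE exported; the functions above the main block are pure, so the payload and the connector selection can be checked against a saved /api/actions response before anything is patched.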
Real Example
Example of Script Here