Elastic Security: Bulk Detection Rule Modification via Detection API - JIRA Connector

Thanks to James Spiteri at Elastic.

Requirements

Depending on your Linux distribution:

JQ

  • jq 1.5 is in the official Debian and Ubuntu repositories. Install using sudo apt-get install jq.
  • jq 1.5 is in the official Fedora repository. Install using sudo dnf install jq.
  • jq 1.4 is in the official openSUSE repository. Install using sudo zypper install jq.
  • jq 1.5 is in the official Arch repository. Install using sudo pacman -S jq.

Bulk Detection Rule Modification

Encode the Elastic username and password

You will need to create a user with superuser rights and base64-encode its credentials in the form

username:password

You can use https://www.base64encode.org to do this, or the base64 utility on your own machine so the credentials never leave it.

Result

dXNlcm5hbWU6cGFzc3dvcmQ=

Use the encoded value in the Authorization header of every request:

'Authorization: Basic (Encoded Base64)'

curl  -XGET https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/actions --header 'kbn-xsrf: kibana' --header 'Content-Type: multipart/form-data' --header 'Authorization: Basic (Encoded Base64)'

Example

'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='

Load Elastic Action IDs

curl  -XGET https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/actions --header 'kbn-xsrf: kibana' --header 'Content-Type: multipart/form-data' --header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='

Output

[
   {
      "id": "(Action ID)",
      "actionTypeId": ".jira",
      "name": "JIRA",
      "config": {
         "apiUrl": "https://(JIRA Instance).atlassian.net",
         "projectKey": "SOC",
         "incidentConfiguration": null,
         "isCaseOwned": null
      },
      "isPreconfigured": false,
      "referencedByCount": 266
   },
   {
      "id": "(Action ID)",
      "actionTypeId": ".server-log",
      "name": "Monitoring: Write to Kibana log",
      "config": {},
      "isPreconfigured": false,
      "referencedByCount": 10
   },
   {
      "id": "(Action ID)",
      "actionTypeId": ".jira",
      "name": "Security Operations Center",
      "config": {
         "apiUrl": "https://(JIRA Instance).atlassian.net",
         "projectKey": "ES",
         "incidentConfiguration": {
            "mapping": [
               {
                  "actionType": "overwrite",
                  "source": "title",
                  "target": "summary"
               },
               {
                  "actionType": "overwrite",
                  "source": "description",
                  "target": "description"
               },
               {
                  "actionType": "append",
                  "source": "comments",
                  "target": "comments"
               }
            ]
         }
      },
      "isPreconfigured": false,
      "referencedByCount": 0
   }
]

You will need to take the Action ID of the connector the rules should push to.

I will use the following Action ID for this JIRA Action.

   {
      "id": "(Action ID)",
      "actionTypeId": ".jira",
      "name": "JIRA",
      "config": {
         "apiUrl": "https://(JIRA Instance).atlassian.net",
         "projectKey": "SOC",
         "incidentConfiguration": null,
         "isCaseOwned": null
      }
   }

In per_page=X, replace X with at least the number of active rules you have, so that a single _find call returns all of them; for this example I will use 250. The filter alert.attributes.enabled:true restricts the result to enabled rules, and jq pulls out each rule's id for the loop.

# Look up every enabled rule's id, then PATCH the JIRA action onto each one.
for i in $(curl --silent --location --request GET 'https://<System Generated ID>.eastus2.azure.elastic-cloud.com:9243/api/detection_engine/rules/_find?per_page=250&filter=alert.attributes.enabled:true' --header 'kbn-xsrf: kibana' --header 'Content-Type: multipart/form-data' --header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' | jq .data[].id); do

echo "Updating Rule ID $i"

curl --silent --location --request PATCH 'https://<System Generated ID>.eastus2.azure.elastic-cloud.com:9243/api/detection_engine/rules' --header 'kbn-xsrf: kibana' --header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' --header 'Content-Type: application/json' --data-raw '{
    "id":'$i',
    "throttle": "rule",
    "actions":[
        {
            "action_type_id": ".jira",
            "id": "<Action ID>",
            "params": {
                "subActionParams": {
                    "comments": [],
                    "incident": {
                        "issueType": "<Issue Type Number>",
                        "summary": "{{alertName}}",
                        "description": "h3. View Detection:\\n\\n[View Detection Alert|{{{context.results_link}}}]\\n\\nh4. Source\\n\\n{{#context.alerts}} \\n\\nSource IP Address: {{source.ip}}\\n\\nSource Port: {{source.port}}\\n\\n{{/context.alerts}}\\n\\n\\nh4. Destination\\n\\n{{#context.alerts}} \\n\\nDestination IP Address: {{destination.ip}}\\n\\nDestination Port: {{destination.port}}\\n\\n{{/context.alerts}}\\n\\n{code:json}\n{{#context.alerts}}{{{.}}}{{/context.alerts}}\n{code}"
                    }
                },
                "subAction": "pushToService"
            },
            "group": "default"
          }
        ]
}' | jq .

echo "Rule ID $i has been updated."
done
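The same procedure in Python, as an added example that is not the author's script: it base64-encodes the credentials locally, selects the JIRA connector by name from /api/actions instead of copying its id by hand, pages through _find rather than guessing one per_page value, and builds the PATCH body with json.dumps rather than splicing $i into a quoted string. KIBANA_URL, KIBANA_USER, KIBANA_PASS and ISSUE_TYPE are assumed environment variables, and the description template is shortened from the one on the page.

```python
import base64, json, os, urllib.request

def basic_auth_header(username, password):
    """Local equivalent of the manual base64 step: 'username:password' -> Basic token."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def pick_action_id(actions, name, action_type=".jira"):
    """Choose the connector from /api/actions by name and type; refuse ambiguous matches."""
    ids = [a["id"] for a in actions if a["actionTypeId"] == action_type and a["name"] == name]
    if len(ids) != 1:
        raise ValueError(f"expected one {action_type} connector named {name!r}, found {len(ids)}")
    return ids[0]

def jira_patch_body(rule_id, action_id, issue_type):
    """PATCH body from the page (description shortened), as a dict so ids are never spliced into raw JSON."""
    incident = {"issueType": issue_type, "summary": "{{alertName}}",
                "description": "h3. View Detection:\n\n[View Detection Alert|{{{context.results_link}}}]"}
    params = {"subAction": "pushToService", "subActionParams": {"comments": [], "incident": incident}}
    action = {"action_type_id": ".jira", "id": action_id, "group": "default", "params": params}
    return {"id": rule_id, "throttle": "rule", "actions": [action]}

def kibana(method, base_url, path, auth, body=None):
    """One Kibana API call; kbn-xsrf is required on every request, as in the curl commands."""
    headers = {"kbn-xsrf": "kibana", "Content-Type": "application/json", "Authorization": auth}
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def enabled_rule_ids(base_url, auth, per_page=100):
    """Page through _find instead of guessing one per_page value large enough for all rules."""
    ids, page = [], 1
    while True:
        query = (f"/api/detection_engine/rules/_find?per_page={per_page}&page={page}"
                 "&filter=alert.attributes.enabled:true")
        data = kibana("GET", base_url, query, auth)["data"]
        ids.extend(rule["id"] for rule in data)
        if len(data) < per_page:
            return ids
        page += 1

if __name__ == "__main__":
    # Assumed environment variables, not from the page: KIBANA_URL, KIBANA_USER, KIBANA_PASS, ISSUE_TYPE.
    url = os.environ["KIBANA_URL"].rstrip("/")
    auth = basic_auth_header(os.environ["KIBANA_USER"], os.environ["KIBANA_PASS"])
    action_id = pick_action_id(kibana("GET", url, "/api/actions", auth), "JIRA")
    for rule_id in enabled_rule_ids(url, auth):
        body = jira_patch_body(rule_id, action_id, os.environ["ISSUE_TYPE"])
        kibana("PATCH", url, "/api/detection_engine/rules", auth, body)
        print(f"Rule ID {rule_id} has been updated.")
```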

Real Example

Example of Script Here

