Elastic Security: Bulk Detection Rule Modification via Detection API - JIRA Connector


Thanks to James Spiteri at Elastic.

Requirements

Depending on your flavor of Linux:

JQ

  • jq 1.5 is in the official Debian and Ubuntu repositories. Install using sudo apt-get install jq.
  • jq 1.5 is in the official Fedora repository. Install using sudo dnf install jq.
  • jq 1.4 is in the official openSUSE repository. Install using sudo zypper install jq.
  • jq 1.5 is in the official Arch repository. Install using sudo pacman -S jq.

Bulk Detection Rule Modification

Encode elastic username and password

You will need to create a user with superuser rights and base64-encode its credentials in the following form:

username:password

You can go to https://www.base64encode.org to do this.

Result

dXNlcm5hbWU6cGFzc3dvcmQ=

Place the encoded Base64 output in the Authorization header:

'Authorization: Basic (Encoded Base64)'

curl -XGET https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/actions --header 'kbn-xsrf: kibana' --header 'Content-Type: multipart/form-data' --header 'Authorization: Basic (Encoded Base64)'

Example

'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='

Load Elastic Action IDs

curl -XGET https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/actions --header 'kbn-xsrf: kibana' --header 'Content-Type: multipart/form-data' --header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='

Output

[
   {
      "id": "(Action ID)",
      "actionTypeId": ".jira",
      "name": "JIRA",
      "config": {
         "apiUrl": "https://(JIRA Instance).atlassian.net",
         "projectKey": "SOC",
         "incidentConfiguration": null,
         "isCaseOwned": null
      },
      "isPreconfigured": false,
      "referencedByCount": 266
   },
   {
      "id": "(Action ID)",
      "actionTypeId": ".server-log",
      "name": "Monitoring: Write to Kibana log",
      "config": {},
      "isPreconfigured": false,
      "referencedByCount": 10
   },
   {
      "id": "(Action ID)",
      "actionTypeId": ".jira",
      "name": "Security Operations Center",
      "config": {
         "apiUrl": "https://(JIRA Instance).atlassian.net",
         "projectKey": "ES",
         "incidentConfiguration": {
            "mapping": [
               {
                  "actionType": "overwrite",
                  "source": "title",
                  "target": "summary"
               },
               {
                  "actionType": "overwrite",
                  "source": "description",
                  "target": "description"
               },
               {
                  "actionType": "append",
                  "source": "comments",
                  "target": "comments"
               }
            ]
         }
      },
      "isPreconfigured": false,
      "referencedByCount": 0
   }
]

You will need to take the Action ID of the connector you want to attach to the rules.

I will use the following Action ID for this JIRA Action.

   "id": "(Action ID)",
   "actionTypeId": ".jira",
   "name": "JIRA",
   "config": {
      "apiUrl": "https://(JIRA Instance).atlassian.net",
      "projectKey": "SOC",
      "incidentConfiguration": null,
      "isCaseOwned": null
   }

In per_page=X, replace X with the number of active rules you have. For this example I will use 250.

# List the IDs of all enabled rules. jq prints each ID with its JSON quotes, which the PATCH body below relies on.
for i in $(curl --silent --location --request GET 'https://<System Generated ID>.eastus2.azure.elastic-cloud.com:9243/api/detection_engine/rules/_find?per_page=250&filter=alert.attributes.enabled:true' --header 'kbn-xsrf: kibana' --header 'Content-Type: multipart/form-data' --header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' | jq '.data[].id'); do

echo "Updating Rule ID $i"

curl --silent --location --request PATCH 'https://<System Generated ID>.eastus2.azure.elastic-cloud.com:9243/api/detection_engine/rules' --header 'kbn-xsrf: kibana' --header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' --header 'Content-Type: application/json' --data-raw '{
    "id":'$i',
    "throttle": "rule", 
    "actions":[
        {
            "action_type_id": ".jira",
            "id": "<Action ID>",
            "params": {
                "subActionParams": {
                    "comments": [],
                    "incident": {
                        "issueType": "<Issue Type Number>",
                        "summary": "{{alertName}}",
                        "description": "h3. View Detection:\\n\\n[View Detection Alert|{{{context.results_link}}}]\\n\\nh4. Source\\n\\n{{#context.alerts}} \\n\\nSource IP Address: {{source.ip}}\\n\\nSource Port: {{source.port}}\\n\\n{{/context.alerts}}\\n\\n\\nh4. Destination\\n\\n{{#context.alerts}} \\n\\nDestination IP Address: {{destination.ip}}\\n\\nDestination Port: {{destination.port}}\\n\\n{{/context.alerts}}\\n\\n{code:json}\n{{#context.alerts}}{{{.}}}{{/context.alerts}}\n{code}"
                    }
                },
                "subAction": "pushToService"
            },
            "group": "default"
          }
        ]
}' | jq .

echo "Rule ID $i has been updated."
done
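
The steps above as a dry run, added here as an example that is not part of the original post: it encodes the credentials on the local host, looks up the connector ID by name, checks that per_page covers every rule, and builds the PATCH body with jq. The connector and rule IDs, the issue type 10001 and the function names are constructed, and the check assumes the _find response reports a total field alongside data.

```shell
#!/bin/sh
# Added example: all JSON below is constructed sample data; nothing is sent.

# Encode "user:password" on the local host for the Basic header.
basic_auth() { printf '%s' "$1:$2" | base64 | tr -d '\n'; }

# Id of the connector with the given type ($2) and name ($3),
# read from an /api/actions response ($1).
connector_id() {
  printf '%s' "$1" | jq -r --arg kind "$2" --arg name "$3" \
    '.[] | select(.actionTypeId == $kind and .name == $name) | .id'
}

# One rule id per line from a _find response ($1). Fails when the page
# holds fewer rules than "total", i.e. per_page was set too low.
rule_ids() {
  printf '%s' "$1" | jq -r 'if .total > (.data | length)
    then error("per_page is smaller than total") else .data[].id end'
}

# PATCH body built by jq, so every value is JSON-escaped rather than
# spliced into a quoted string. $1 rule id, $2 connector id,
# $3 issue type, $4 description template.
patch_body() {
  jq -n -c --arg rule "$1" --arg conn "$2" --arg issue "$3" --arg desc "$4" '{
    id: $rule, throttle: "rule",
    actions: [{
      action_type_id: ".jira", id: $conn, group: "default",
      params: { subAction: "pushToService", subActionParams: { comments: [],
        incident: { issueType: $issue, summary: "{{alertName}}", description: $desc } } }
    }]
  }'
}

# Constructed stand-ins for the two GET responses.
ACTIONS='[{"id":"conn-1111","actionTypeId":".jira","name":"JIRA"},
  {"id":"conn-2222","actionTypeId":".server-log","name":"Monitoring: Write to Kibana log"},
  {"id":"conn-3333","actionTypeId":".jira","name":"Security Operations Center"}]'
FOUND='{"page":1,"perPage":250,"total":2,"data":[{"id":"rule-a"},{"id":"rule-b"}]}'

CONN=$(connector_id "$ACTIONS" .jira JIRA)
IDS=$(rule_ids "$FOUND") || exit 1
for r in $IDS; do
  # Dry run: print the body that would go to the PATCH endpoint.
  patch_body "$r" "$CONN" 10001 '[View Detection Alert|{{{context.results_link}}}]'
done
```

To apply the change, pipe each body into the PATCH request from the loop above with --data-binary @- in place of --data-raw.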
