[New Rule] Elastic Endpoint and External Alerts

[spong]

Issues

Resolves #41

Summary

In support of elastic/kibana#65942 to create two new pre-packaged rules that will enable Elastic Endpoint Alerts and External Alerts to be used in investigations.

This also includes updates to schema.py for the new fields added to the rules_schema as part of elastic/kibana#70288. These new fields include:

export interface TheseAreTheNewFields {
  author: string[];
  building_block_type: string; // 'default'
  license: string;
  risk_score_mapping: Array<
    {
      field: string;
      operator: string; // 'equals'
      value: string;
    }
  >;
  rule_name_override: string;
  severity_mapping: Array<
    {
      field: string;
      operator: string; // 'equals'
      value: string;
      severity: string; // 'low' | 'medium' | 'high' | 'critical'
    }
  >;
  timestamp_override: string;
}

Note: risk_score_mapping and severity_mapping are subject to change depending on the desired implementation.

Contributor checklist

• Have you signed the contributor license agreement? Yes!
• Have you followed the contributor guidelines? Yes!?

[spong]

I don't think we want to override the timestamp here since event.ingested might not be filled in for most external alerts?

[brokensound77]

when a timestamp override is defined and missing, does it default back to @timestamp?

[spong]

Yes, will need to add to signal metadata so the user knows this happened.

[rw-access]

For the folder layout, I think we can rename the endpoint folder to promotions and put all promotion rules in there. Endgame, Endpoint, External Alerts, etc.

[spong]

Add max_signals = unbounded (and support for unbounded 😉 )

[brokensound77]

LGTM 👍

[rw-access]

LGTM if we can make logs-* more precise

[spong]

We may want to use event.risk_score_norm here, but I'm not quite sure the endpoint is populate that field as well. Will verify during testing.

[spong]

LGTM if we can make logs-* more precise

I've asked internally for what we could refine this further to. Will leave the comment above unresolved for reference/tracking.