[Security Solution][Siem Migrations] PoC prebuilt rule matching API

x-pack/plugins/security_solution/common/api/quickstart_client.gen.ts

@@ -292,6 +292,10 @@ import type {
   PreviewRiskScoreRequestBodyInput,
   PreviewRiskScoreResponse,
 } from './entity_analytics/risk_engine/preview_route.gen';
+import type {
+  SplunkRuleMigrationMatchPrebuiltRuleRequestBodyInput,
+  SplunkRuleMigrationMatchPrebuiltRuleResponse,
+} from './siem_migrations/splunk/rules/match_prebuilt_rule.gen';
 import type {
   CleanDraftTimelinesRequestBodyInput,
   CleanDraftTimelinesResponse,
@@ -1899,6 +1903,22 @@ detection engine rules.
       })
       .catch(catchAxiosErrorFormatAndThrow);
   }
+  /**
+   * Perform Elastic prebuilt rule matching from Splunk Security rule
+   */
+  async splunkRuleMigrationMatchPrebuiltRule(props: SplunkRuleMigrationMatchPrebuiltRuleProps) {
+    this.log.info(`${new Date().toISOString()} Calling API SplunkRuleMigrationMatchPrebuiltRule`);
+    return this.kbnClient
+      .request<SplunkRuleMigrationMatchPrebuiltRuleResponse>({
+        path: '/internal/migrations/splunk/rules/match_prebuilt_rule',
+        headers: {
+          [ELASTIC_HTTP_VERSION_HEADER]: '1',
+        },
+        method: 'POST',
+        body: props.body,
+      })
+      .catch(catchAxiosErrorFormatAndThrow);
+  }
   async startEntityEngine(props: StartEntityEngineProps) {
     this.log.info(`${new Date().toISOString()} Calling API StartEntityEngine`);
     return this.kbnClient
@@ -2229,6 +2249,9 @@ export interface SetAlertsStatusProps {
 export interface SetAlertTagsProps {
   body: SetAlertTagsRequestBodyInput;
 }
+export interface SplunkRuleMigrationMatchPrebuiltRuleProps {
+  body: SplunkRuleMigrationMatchPrebuiltRuleRequestBodyInput;
+}
 export interface StartEntityEngineProps {
   params: StartEntityEngineRequestParamsInput;
 }

x-pack/plugins/security_solution/common/api/siem_migrations/common.gen.ts

@@ -0,0 +1,38 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Common SIEM Migrations Attributes
+ *   version: not applicable
+ */
+
+import { z } from '@kbn/zod';
+
+/**
+ * The GenAI connector id to use.
+ */
+export type ConnectorId = z.infer<typeof ConnectorId>;
+export const ConnectorId = z.string();
+
+/**
+ * The LangSmith options object.
+ */
+export type LangSmithOptions = z.infer<typeof LangSmithOptions>;
+export const LangSmithOptions = z.object({
+  /**
+   * The project name.
+   */
+  projectName: z.string(),
+  /**
+   * The apiKey to use for tracing.
+   */
+  apiKey: z.string(),
+});

x-pack/plugins/security_solution/common/api/siem_migrations/common.schema.yaml

@@ -0,0 +1,24 @@
+openapi: 3.0.3
+info:
+  title: Common SIEM Migrations Attributes
+  version: 'not applicable'
+paths: {}
+components:
+  x-codegen-enabled: true
+  schemas:
+    ConnectorId:
+      type: string
+      description: The GenAI connector id to use.
+    LangSmithOptions:
+      type: object
+      description: The LangSmith options object.
+      required:
+        - projectName
+        - apiKey
+      properties:
+        projectName:
+          type: string
+          description: The project name.
+        apiKey:
+          type: string
+          description: The apiKey to use for tracing.

x-pack/plugins/security_solution/common/api/siem_migrations/constants.ts

@@ -0,0 +1,8 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+export const INTERNAL_SIEM_MIGRATIONS_PATH = '/internal/siem_migrations' as const;

x-pack/plugins/security_solution/common/api/siem_migrations/splunk/constants.ts

@@ -0,0 +1,10 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { INTERNAL_SIEM_MIGRATIONS_PATH } from '../constants';
+
+export const SPLUNK_MIGRATIONS_PATH = `${INTERNAL_SIEM_MIGRATIONS_PATH}/splunk` as const;

x-pack/plugins/security_solution/common/api/siem_migrations/splunk/rules/constants.ts

@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { SPLUNK_MIGRATIONS_PATH } from '../constants';
+
+const SPLUNK_RULE_MIGRATIONS_PATH = `${SPLUNK_MIGRATIONS_PATH}/rules` as const;
+
+export const SPLUNK_MATCH_PREBUILT_RULE_PATH =
+  `${SPLUNK_RULE_MIGRATIONS_PATH}/match_prebuilt_rule` as const;

x-pack/plugins/security_solution/common/api/siem_migrations/splunk/rules/match_prebuilt_rule.gen.ts

@@ -0,0 +1,46 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Splunk Migration Match Prebuilt Rule API endpoint
+ *   version: 1
+ */
+
+import { z } from '@kbn/zod';
+
+import { SplunkRule } from './splunk_rule.gen';
+import { ConnectorId, LangSmithOptions } from '../../common.gen';
+
+export type SplunkRuleMigrationMatchPrebuiltRuleRequestBody = z.infer<
+  typeof SplunkRuleMigrationMatchPrebuiltRuleRequestBody
+>;
+export const SplunkRuleMigrationMatchPrebuiltRuleRequestBody = z.object({
+  splunkRule: SplunkRule,
+  connectorId: ConnectorId,
+  langSmithOptions: LangSmithOptions.optional(),
+});
+export type SplunkRuleMigrationMatchPrebuiltRuleRequestBodyInput = z.input<
+  typeof SplunkRuleMigrationMatchPrebuiltRuleRequestBody
+>;
+
+export type SplunkRuleMigrationMatchPrebuiltRuleResponse = z.infer<
+  typeof SplunkRuleMigrationMatchPrebuiltRuleResponse
+>;
+export const SplunkRuleMigrationMatchPrebuiltRuleResponse = z.object({
+  /**
+   * The Elastic prebuilt rule information.
+   */
+  rule: z.object({}),
+  /**
+   * Flag indicating if the rule is already installed.
+   */
+  isInstalled: z.boolean(),
+});

x-pack/plugins/security_solution/common/api/siem_migrations/splunk/rules/match_prebuilt_rule.schema.yaml

@@ -0,0 +1,48 @@
+openapi: 3.0.3
+info:
+  title: Splunk Migration Match Prebuilt Rule API endpoint
+  version: '1'
+paths:
+  /internal/migrations/splunk/rules/match_prebuilt_rule:
+    post:
+      summary: Matches Splunk Security rules to Elastic prebuilt detection rules
+      operationId: SplunkRuleMigrationMatchPrebuiltRule
+      x-codegen-enabled: true
+      description: Perform Elastic prebuilt rule matching from Splunk Security rule
+      tags:
+        - Splunk Rule Migration API
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - splunkRule
+                - connectorId
+              properties:
+                splunkRule: 
+                  $ref: './splunk_rule.schema.yaml#/components/schemas/SplunkRule'
+                connectorId:
+                  $ref: '../../common.schema.yaml#/components/schemas/ConnectorId'
+                langSmithOptions:
+                  $ref: '../../common.schema.yaml#/components/schemas/LangSmithOptions'
+      responses:
+        200:
+          description: Indicates a successful match with a prebuilt rule.
+          content:
+            application/json:
+              schema:
+                type: object
+                required:
+                  - rule
+                  - isInstalled
+                properties:
+                  rule:
+                    type: object
+                    description: The Elastic prebuilt rule information.
+                  isInstalled: 
+                    type: boolean
+                    description: Flag indicating if the rule is already installed.
+        204:
+          description: Indicates no prebuilt rule was matched.

x-pack/plugins/security_solution/common/api/siem_migrations/splunk/rules/splunk_rule.gen.ts

@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+/*
+ * NOTICE: Do not edit this file manually.
+ * This file is automatically generated by the OpenAPI Generator, @kbn/openapi-generator.
+ *
+ * info:
+ *   title: Common Splunk Rules Attributes
+ *   version: not applicable
+ */
+
+import { z } from '@kbn/zod';
+
+export type SplunkRule = z.infer<typeof SplunkRule>;
+export const SplunkRule = z.object({
+  /**
+   * The Splunk rule name.
+   */
+  title: z.string().min(1),
+  /**
+   * The Splunk rule search query.
+   */
+  search: z.string().min(1),
+  /**
+   * The Splunk rule description.
+   */
+  description: z.string().min(1),
+  /**
+   * String array containing the rule Mitre Attack technique IDs.
+   */
+  mitreAttackIds: z.array(z.string()).optional(),
+});

x-pack/plugins/security_solution/common/api/siem_migrations/splunk/rules/splunk_rule.schema.yaml

@@ -0,0 +1,32 @@
+openapi: 3.0.3
+info:
+  title: Common Splunk Rules Attributes
+  version: 'not applicable'
+paths: {}
+components:
+  x-codegen-enabled: true
+  schemas:
+    SplunkRule:
+      type: object
+      required:
+        - title
+        - description
+        - search
+      properties:
+        title:
+          type: string
+          minLength: 1
+          description: The Splunk rule name.
+        search:
+          type: string
+          minLength: 1
+          description: The Splunk rule search query.
+        description:
+          type: string
+          minLength: 1
+          description: The Splunk rule description.
+        mitreAttackIds:
+          type: array
+          items:
+            type: string
+          description: String array containing the rule Mitre Attack technique IDs.

x-pack/plugins/security_solution/common/experimental_features.ts

@@ -259,6 +259,11 @@ export const allowedExperimentalValues = Object.freeze({
    * Enables the new Entity Store engine routes
    */
   entityStoreEnabled: false,
+
+  /**
+   * Enables the siem migrations feature
+   */
+  siemMigrationsEnabled: false,
 });
 
 type ExperimentalConfigKeys = Array<keyof ExperimentalFeatures>;