adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes#10

Merged: dhurley14 merged 5 commits into yctercero:rac_rbac_poc from dhurley14:rac-create-owners on Apr 30, 2021

Conversation

@dhurley14 (Collaborator) commented Apr 29, 2021

Summary

Pull down this branch and run ES locally using the following steps..

Running ES locally

  1. Edit gradle/run.gradle and add the setting 'xpack.security.authc.api_key.enabled', 'true' after line 24
  2. ./gradlew run # this runs with a trial license
  3. Execute the curl command below to create the kibana_elastic user
curl -u elastic:password -X POST "http://127.0.0.1:9200/_security/user/kibana_elastic?pretty" -H 'Content-Type: application/json' -d '{"password":"changeme","roles":["superuser"],"full_name":"kibana","email":"jacknich@example.com"}'
  4. Set kibana.dev.yml to use kibana_elastic as the user
elasticsearch:
  username: 'kibana_elastic'
  password: 'changeme'
  hosts: 'http://127.0.0.1:9200'

Start up kibana

You should now be able to create a rule which generates alerts and then "find" those alerts (using the kibana system user) using the scripts located in x-pack/plugins/rule_registry/server/scripts/get_security_solution_alert.sh

Test data
POST myfakeindex-1/_doc
{
  "message": "hello world 1"
}

POST myfakeindex-2/_doc
{
  "message": "hello world 2",
  "event": {
    "ingested": "2021-04-30T15:23:03.520Z" <replace with current ISO date>
  }
}

POST myfakeindex-3/_doc
{
  "message": "hello world 3",
  "@timestamp": "2021-04-30T15:23:03.520Z" <replace with current ISO date>
}

Create a rule to query myfa* and it should generate an alert in the security solution

To get the alert, change directory into x-pack/plugins/rule_registry/server/scripts and execute

term$ ./get_security_solution_alert.sh

This script will post the security role and observer role and execute a find using the new alerts as data client. To test the authz functionality execute the below, expecting a 403 response.

term$ ./get_security_solution_alert.sh observer
term$ {
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "Unauthorized to get \"rac:8.0.0:siem/get\" alert\""
}
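
The check the test procedure above exercises, modelled as an added example (this is not Kibana's or the rule_registry plugin's own code): alert documents carry an `owner` field, and a caller may only get or find alerts for an owner it holds the privilege `rac:<version>:<owner>/<operation>` for (the string shape comes from the error text in the PR; the `8.0.0` prefix, the 403 status for a denied request, the `AlertDoc`/`User` types and the sample alerts are all assumptions made for this illustration). The point the model makes beyond the procedure is that the owner filter has to be applied to the result set as well as to the privilege check, so that `siem` privileges never return another owner's alerts, and documents indexed before the `owner` field existed are never returned to anyone.

```typescript
// Added example, not Kibana's own code: a model of owner-scoped read
// authorization for alert documents, as exercised by the PR's test script.
type Operation = 'get' | 'find';

interface AlertDoc {
  _id: string;
  owner?: string; // absent on documents indexed before the mapping change
  message: string;
}

interface User {
  name: string;
  privileges: Set<string>;
}

// Assumed constants; the real plugin derives these from its own version and
// feature registration, and the PR's sample output shows a different status.
const RAC_VERSION = '8.0.0';
const DENIED_STATUS = 403;

class AuthorizationError extends Error {
  readonly statusCode = DENIED_STATUS;
  constructor(message: string) {
    super(message);
    this.name = 'AuthorizationError';
  }
}

// Privilege string shape taken from the PR's error message, e.g. rac:8.0.0:siem/get
function requiredPrivilege(owner: string, operation: Operation): string {
  return `rac:${RAC_VERSION}:${owner}/${operation}`;
}

// Checked before the index is touched: the caller must hold the privilege for
// the specific owner it is asking about, not for "some" owner.
function ensureAuthorized(user: User, owner: string, operation: Operation): void {
  const privilege = requiredPrivilege(owner, operation);
  if (!user.privileges.has(privilege)) {
    throw new AuthorizationError(`Unauthorized to ${operation} "${privilege}" alert`);
  }
}

// The owner filter is applied to the hits as well, so holding siem privileges
// never returns another owner's alerts, and legacy documents with no owner
// are filtered out for everyone rather than leaking through.
function findAlerts(user: User, index: AlertDoc[], owner: string): AlertDoc[] {
  ensureAuthorized(user, owner, 'find');
  return index.filter((doc) => doc.owner === owner);
}

// Constructed sample data mirroring the PR's test procedure (hypothetical).
const sampleIndex: AlertDoc[] = [
  { _id: 'a1', owner: 'siem', message: 'hello world 1' },
  { _id: 'a2', owner: 'siem', message: 'hello world 2' },
  { _id: 'a3', owner: 'observability', message: 'apm latency alert' },
  { _id: 'a4', message: 'legacy alert indexed before the owner field existed' },
];

const securityUser: User = {
  name: 'security',
  privileges: new Set([requiredPrivilege('siem', 'get'), requiredPrivilege('siem', 'find')]),
};

const observerUser: User = { name: 'observer', privileges: new Set() };

// What an HTTP handler would answer: 200 with hits, or the denied status.
function handleFind(user: User, owner: string): { statusCode: number; hits: AlertDoc[] } {
  try {
    return { statusCode: 200, hits: findAlerts(user, sampleIndex, owner) };
  } catch (err) {
    if (err instanceof AuthorizationError) {
      return { statusCode: err.statusCode, hits: [] };
    }
    throw err;
  }
}

// Example run: the security user sees two siem alerts; the observer is denied.
console.log(handleFind(securityUser, 'siem'));
console.log(handleFind(observerUser, 'siem'));
```

Running it with the observer user against owner `siem` is the analogue of `./get_security_solution_alert.sh observer`: the request is rejected before any query is issued, and even the security user asking for `observability` alerts is rejected, since its privileges are bound to the `siem` owner only.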

@dhurley14 dhurley14 merged commit cd62a2f into yctercero:rac_rbac_poc Apr 30, 2021
@dhurley14 dhurley14 deleted the rac-create-owners branch April 30, 2021 18:42
yctercero pushed a commit that referenced this pull request May 5, 2021
…for security solution, need to work through rule registry changes (#10)

* adds an 'owner' field to the siem-signals mapping, working authz get for security solution, need to work through rule registry changes

* minor cleanup

* undo owner change in rule registry, will come in different pr

* enhances user experience of test scripts

* response error
dhurley14 added a commit that referenced this pull request May 12, 2021