Index/API end point to edit detection rules?

aidanoc15 · March 8, 2021, 3:53am

Hi, we are currently in the process of migrating off of our old SIEM and into elastic siem. We have created a bunch of detection rules already in Elastic but we still need to move over all the exceptions for those rules from our old SIEM and into Elastic. Over the years we've created a large amount of exceptions in our legacy SIEM and we want to avoid having to enter them all in manually. We're looking to try to write a script that will transfer all the exceptions from our old SIEM and into our Elastic SIEM, but I can't seem to find the index where the detections are stored in elastic.

My assumption is that elastic has some index that stores all the detections and within each detection entry there's a section that lists all the exceptions for that detection. Ideally I would like to be able to test adding an exception to an existing detection rule using just a simple POST or PUT request in Kibana's Dev Tools and if I can get that working then I could use the API to edit the detections in bulk. The only issue is I can't seem to find any documentation online regarding what index or API end point I would need to edit in order to add an exception to an existing detection rule.

If anyone has done something similar in the past and can tell me which index stores detection rule configs or can maybe point me to the documentation where I could find such a thing I would greatly appreciate it. This is all assuming that I am correct in guessing that these detections are stored in an index and could be edited with an API call - if that assumption is incorrect I would also appreciate knowing that!

Thanks in advance!

Aidan

Mike_Paquette · March 8, 2021, 12:12pm

Hi @aidanoc15, thanks for the post!

Glad to see you are migrating your exceptions from your previous SIEM.

There are a couple of SIEM/Security App API's that should be able to help you out.

Detections API
Exceptions API

(Note: if you are using an older version of the Elastic Stack, you can replace current with your version in the URL, or just go to the Elastic Security API doc page - for example, for the 7.10 release, you would go to: Elastic Security APIs | Elastic Security Solution [7.10] | Elastic)

Depending on how your current exceptions are organized, you may be able to take advantage of the SIEM/Security solutions's Value Lists to help with your migration, since exceptions can optionally use value lists. For example, if you have a list of IP Addresses that you'd like to apply as exceptions to multiple rules, you could upload this list to a Value List, and then specify that value list in the exception for the affected rules. There is a separate lists API for this purpose.

Lists API

Here's a diagram that you'll find in the API documents listed above that illustrates the relationship between rules, exceptions, and value lists.

We've been brainstorming ideas on how to better help users migrate their rules and exceptions from their existing SIEM's. Would it be possible for you to share a couple generic examples of rules and exceptions that you're trying to migrate? Are they in an intermediate file format, such as text, CSV, JSON, or XML? Or are you attempting to run scripts via API's that migrate them directly from the legacy SIEM platform?

Hope this helps! Please let us know how you progress!

system · April 5, 2021, 12:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.