[Security Solution] Siem signals -> alerts as data field and index aliases

x-pack/plugins/rule_registry/server/rule_data_client/index.ts

@@ -96,10 +96,20 @@ export class RuleDataClient implements IRuleDataClient {
           if (response.body.errors) {
             if (
               response.body.items.length > 0 &&
-              response.body.items?.[0]?.index?.error?.type === 'index_not_found_exception'
+              (response.body.items.every(
+                (item) => item.index?.error?.type === 'index_not_found_exception'
+              ) ||
+                response.body.items.every(
+                  (item) => item.index?.error?.type === 'illegal_argument_exception'
+                ))
             ) {
               return this.createWriteTargetIfNeeded({ namespace }).then(() => {
-                return clusterClient.bulk(requestWithDefaultParameters);
+                return clusterClient.bulk(requestWithDefaultParameters).then((retryResponse) => {
+                  if (retryResponse.body.errors) {
+                    throw new ResponseError(retryResponse);
+                  }
+                  return retryResponse;
+                });
               });
             }
             const error = new ResponseError(response);
@@ -116,13 +126,14 @@ export class RuleDataClient implements IRuleDataClient {
 
     const clusterClient = await this.getClusterClient();
 
-    const { body: aliasExists } = await clusterClient.indices.existsAlias({
-      name: alias,
+    const { body: indicesExist } = await clusterClient.indices.exists({
+      index: `${alias}-*`,
+      allow_no_indices: false,
     });
 
     const concreteIndexName = `${alias}-000001`;
 
-    if (!aliasExists) {
+    if (!indicesExist) {
       try {
         await clusterClient.indices.create({
           index: concreteIndexName,
@@ -135,11 +146,37 @@ export class RuleDataClient implements IRuleDataClient {
           },
         });
       } catch (err) {
-        // something might have created the index already, that sounds OK
-        if (err?.meta?.body?.error?.type !== 'resource_already_exists_exception') {
+        // If the index already exists and it's the write index for the alias,
+        // something else created it so suppress the error. If it's not the write
+        // index, that's bad, throw an error.
+        if (err?.meta?.body?.error?.type === 'resource_already_exists_exception') {
+          const { body: existingIndices } = await clusterClient.indices.get({
+            index: concreteIndexName,
+          });
+          if (!existingIndices[concreteIndexName]?.aliases?.[alias]?.is_write_index) {
+            throw Error(
+              `Attempted to create index: ${concreteIndexName} as the write index for alias: ${alias}, but the index already exists and is not the write index for the alias`
+            );
+          }
+        } else {
           throw err;
         }
       }
+    } else {
+      // If we find indices matching the pattern, then we expect one of them to be the write index for the alias.
+      // Throw an error if none of them are the write index.
+      const { body: aliasesResponse } = await clusterClient.indices.getAlias({
+        index: `${alias}-*`,
+      });
+      if (
+        !Object.entries(aliasesResponse).some(
+          ([_, aliasesObject]) => aliasesObject.aliases[alias]?.is_write_index
+        )
+      ) {
+        throw Error(
+          `Indices matching pattern ${alias}-* exist but none are set as the write index for alias ${alias}`
+        );
+      }
     }
   }
 }

x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/create_index_route.ts

@@ -26,8 +26,10 @@ import signalsPolicy from './signals_policy.json';
 import { templateNeedsUpdate } from './check_template_version';
 import { getIndexVersion } from './get_index_version';
 import { isOutdated } from '../../migrations/helpers';
+import { parseExperimentalConfigValue } from '../../../../../common/experimental_features';
+import { ConfigType } from '../../../../config';
 
-export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
+export const createIndexRoute = (router: SecuritySolutionPluginRouter, config: ConfigType) => {
   router.post(
     {
       path: DETECTION_ENGINE_INDEX_URL,
@@ -37,6 +39,10 @@ export const createIndexRoute = (router: SecuritySolutionPluginRouter) => {
       },
     },
     async (context, request, response) => {
+      const { ruleRegistryEnabled } = parseExperimentalConfigValue(config.enableExperimental);
+      if (ruleRegistryEnabled) {
+        return response.ok({ body: { acknowledged: true } });
+      }
       const siemResponse = buildSiemResponse(response);
 
       try {

x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts

@@ -8,6 +8,7 @@
 import signalsMapping from './signals_mapping.json';
 import ecsMapping from './ecs_mapping.json';
 import otherMapping from './other_mappings.json';
+import aadFieldConversion from './signal_aad_mapping.json';
 
 /**
   @constant
@@ -69,3 +70,97 @@ export const getSignalsTemplate = (index: string) => {
   };
   return template;
 };
+
+export const createSignalsFieldAliases = () => {
+  const fieldAliases: Record<string, unknown> = {};
+  Object.entries(aadFieldConversion).forEach(([key, value]) => {
+    fieldAliases[value] = {
+      type: 'alias',
+      path: key,
+    };
+  });
+  return fieldAliases;
+};
+
+export const getRbacRequiredFields = (spaceId: string) => {
+  return {
+    'kibana.space_ids': {
+      type: 'constant_keyword',
+      value: spaceId,
+    },
+    'kibana.consumers': {
+      type: 'constant_keyword',
+      value: 'siem',
+    },
+    'kibana.producer': {
+      type: 'constant_keyword',
+      value: 'siem',
+    },
+    // TODO: discuss naming of this field and what the value will be for legacy signals.
+    // Can we leave it as 'siem.signals' or do we need a runtime field that will map signal.rule.type
+    // to the new ruleTypeId?
+    'kibana.alert.rule.rule_type_id': {
+      type: 'constant_keyword',
+      value: 'siem.signals',
+    },
+  };
+};
+
+export const getNewSignalsTemplate = (
+  index: string,
+  spaceId: string,
+  aadIndexAliasName: string
+) => {
+  const fieldAliases = createSignalsFieldAliases();
+  const template = {
+    index_patterns: [`${index}-*`],
+    template: {
+      aliases: {
+        [aadIndexAliasName]: {
+          is_write_index: false,
+        },
+      },
+      settings: {
+        index: {
+          lifecycle: {
+            name: index,
+            rollover_alias: index,
+          },
+        },
+        mapping: {
+          total_fields: {
+            limit: 10000,
+          },
+        },
+      },
+      mappings: {
+        dynamic: false,
+        properties: {
+          ...ecsMapping.mappings.properties,
+          ...otherMapping.mappings.properties,
+          ...fieldAliases,
+          ...getRbacRequiredFields(spaceId),
+          signal: signalsMapping.mappings.properties.signal,
+          threat: {
+            ...ecsMapping.mappings.properties.threat,
+            properties: {
+              ...ecsMapping.mappings.properties.threat.properties,
+              indicator: {
+                ...otherMapping.mappings.properties.threat.properties.indicator,
+                properties: {
+                  ...otherMapping.mappings.properties.threat.properties.indicator.properties,
+                  event: ecsMapping.mappings.properties.event,
+                },
+              },
+            },
+          },
+        },
+        _meta: {
+          version: SIGNALS_TEMPLATE_VERSION,
+        },
+      },
+    },
+    version: SIGNALS_TEMPLATE_VERSION,
+  };
+  return template;
+};

x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/signal_aad_mapping.json

@@ -0,0 +1,93 @@
+{
+  "signal.ancestors.depth": "kibana.alert.ancestors.depth",
+  "signal.ancestors.id": "kibana.alert.ancestors.id",
+  "signal.ancestors.index": "kibana.alert.ancestors.index",
+  "signal.ancestors.type": "kibana.alert.ancestors.type",
+  "signal.depth": "kibana.alert.depth",
+  "signal.original_event.action": "kibana.alert.original_event.action",
+  "signal.original_event.category": "kibana.alert.original_event.category",
+  "signal.original_event.code": "kibana.alert.original_event.code",
+  "signal.original_event.created": "kibana.alert.original_event.created",
+  "signal.original_event.dataset": "kibana.alert.original_event.dataset",
+  "signal.original_event.duration": "kibana.alert.original_event.duration",
+  "signal.original_event.end": "kibana.alert.original_event.end",
+  "signal.original_event.hash": "kibana.alert.original_event.hash",
+  "signal.original_event.id": "kibana.alert.original_event.id",
+  "signal.original_event.kind": "kibana.alert.original_event.kind",
+  "signal.original_event.module": "kibana.alert.original_event.module",
+  "signal.original_event.outcome": "kibana.alert.original_event.outcome",
+  "signal.original_event.provider": "kibana.alert.original_event.provider",
+  "signal.original_event.risk_score": "kibana.alert.original_event.risk_score",
+  "signal.original_event.risk_score_norm": "kibana.alert.original_event.risk_score_norm",
+  "signal.original_event.sequence": "kibana.alert.original_event.sequence",
+  "signal.original_event.severity": "kibana.alert.original_event.severity",
+  "signal.original_event.start": "kibana.alert.original_event.start",
+  "signal.original_event.timezone": "kibana.alert.original_event.timezone",
+  "signal.original_event.type": "kibana.alert.original_event.type",
+  "signal.original_time": "kibana.alert.original_time",
+  "signal.rule.author": "kibana.alert.rule.author",
+  "signal.rule.building_block_type": "kibana.alert.rule.building_block_type",
+  "signal.rule.created_at": "kibana.alert.rule.created_at",
+  "signal.rule.created_by": "kibana.alert.rule.created_by",
+  "signal.rule.description": "kibana.alert.rule.description",
+  "signal.rule.enabled": "kibana.alert.rule.enabled",
+  "signal.rule.false_positives": "kibana.alert.rule.false_positives",
+  "signal.rule.from": "kibana.alert.rule.from",
+  "signal.rule.id": "kibana.alert.rule.id",
+  "signal.rule.immutable": "kibana.alert.rule.immutable",
+  "signal.rule.index": "kibana.alert.rule.index",
+  "signal.rule.interval": "kibana.alert.rule.interval",
+  "signal.rule.language": "kibana.alert.rule.language",
+  "signal.rule.license": "kibana.alert.rule.license",
+  "signal.rule.max_signals": "kibana.alert.rule.max_signals",
+  "signal.rule.name": "kibana.alert.rule.name",
+  "signal.rule.note": "kibana.alert.rule.note",
+  "signal.rule.query": "kibana.alert.rule.query",
+  "signal.rule.references": "kibana.alert.rule.references",
+  "signal.rule.risk_score": "kibana.alert.risk_score",
+  "signal.rule.risk_score_mapping.field": "kibana.alert.rule.risk_score_mapping.field",
+  "signal.rule.risk_score_mapping.operator": "kibana.alert.rule.risk_score_mapping.operator",
+  "signal.rule.risk_score_mapping.value": "kibana.alert.rule.risk_score_mapping.value",
+  "signal.rule.rule_id": "kibana.alert.rule.rule_id",
+  "signal.rule.rule_name_override": "kibana.alert.rule.rule_name_override",
+  "signal.rule.saved_id": "kibana.alert.rule.saved_id",
+  "signal.rule.severity": "kibana.alert.severity",
+  "signal.rule.severity_mapping.field": "kibana.alert.rule.severity_mapping.field",
+  "signal.rule.severity_mapping.operator": "kibana.alert.rule.severity_mapping.operator",
+  "signal.rule.severity_mapping.value": "kibana.alert.rule.severity_mapping.value",
+  "signal.rule.severity_mapping.severity": "kibana.alert.rule.severity_mapping.severity",
+  "signal.rule.tags": "kibana.alert.rule.tags",
+  "signal.rule.threat.framework": "kibana.alert.rule.threat.framework",
+  "signal.rule.threat.tactic.id": "kibana.alert.rule.threat.tactic.id",
+  "signal.rule.threat.tactic.name": "kibana.alert.rule.threat.tactic.name",
+  "signal.rule.threat.tactic.reference": "kibana.alert.rule.threat.tactic.reference",
+  "signal.rule.threat.technique.id": "kibana.alert.rule.threat.technique.id",
+  "signal.rule.threat.technique.name": "kibana.alert.rule.threat.technique.name",
+  "signal.rule.threat.technique.reference": "kibana.alert.rule.threat.technique.reference",
+  "signal.rule.threat.technique.subtechnique.id": "kibana.alert.rule.threat.technique.subtechnique.id",
+  "signal.rule.threat.technique.subtechnique.name": "kibana.alert.rule.threat.technique.subtechnique.name",
+  "signal.rule.threat.technique.subtechnique.reference": "kibana.alert.rule.threat.technique.subtechnique.reference",
+  "signal.rule.threat_index": "kibana.alert.rule.threat_index",
+  "signal.rule.threat_indicator_path": "kibana.alert.rule.threat_indicator_path",
+  "signal.rule.threat_language": "kibana.alert.rule.threat_language",
+  "signal.rule.threat_mapping.entries.field": "kibana.alert.rule.threat_mapping.entries.field",
+  "signal.rule.threat_mapping.entries.value": "kibana.alert.rule.threat_mapping.entries.value",
+  "signal.rule.threat_mapping.entries.type": "kibana.alert.rule.threat_mapping.entries.type",
+  "signal.rule.threat_query": "kibana.alert.rule.threat_query",
+  "signal.rule.threshold.field": "kibana.alert.rule.threshold.field",
+  "signal.rule.threshold.value": "kibana.alert.rule.threshold.value",
+  "signal.rule.timeline_id": "kibana.alert.rule.timeline_id",
+  "signal.rule.timeline_title": "kibana.alert.rule.timeline_title",
+  "signal.rule.to": "kibana.alert.rule.to",
+  "signal.rule.type": "kibana.alert.rule.type",
+  "signal.rule.updated_at": "kibana.alert.rule.updated_at",
+  "signal.rule.updated_by": "kibana.alert.rule.updated_by",
+  "signal.rule.version": "kibana.alert.rule.version",
+  "signal.status": "kibana.alert.workflow_status",
+  "signal.threshold_result.from": "kibana.alert.threshold_result.from",
+  "signal.threshold_result.terms.field": "kibana.alert.threshold_result.terms.field",
+  "signal.threshold_result.terms.value": "kibana.alert.threshold_result.terms.value",
+  "signal.threshold_result.cardinality.field": "kibana.alert.threshold_result.cardinality.field",
+  "signal.threshold_result.cardinality.value": "kibana.alert.threshold_result.cardinality.value",
+  "signal.threshold_result.count": "kibana.alert.threshold_result.count"
+}