[New Rules] External Promotion Alerts

[Mikaayenson]

Pull Request

Issue link(s):

• Closes https://github.com/elastic/security-team/issues/12173
• Closes [FR] Update schema validation to use data_stream.dataset #4929

Summary - What I changed

• Added new external alert promotion rules with tags specifically for AI4DSOC
• Added validation support for data_stream.dataset per integration team guidance
• Small optimization tweak to unit test

How To Test

• Some initial testing occurred by shipping a beta package to test the new incoming features.
• Double check the requirements referenced in the issue (otherwise unit tests should pass)
  • index
  • overrides
  • query
  • severity mappings

Stack Testing

Note: Didn't have test data for:

• event.kind: alert and data_stream.dataset: google_secops.alert
• event.kind: alert and data_stream.dataset: splunk.alert

Testing should be coming the week the last week of July.

Testing Data

• Crowdstrike Data

• Microsoft Sentinel Data

• S1 Data

• Elastic

Checklist

• Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
• Added the meta:rapid-merge label if planning to merge within 24 hours
• Secret and sensitive material has been managed correctly
• Automated testing was updated or added to match the most common scenarios
• Documentation and comments were added for features that require explanation

[github-actions]

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a new schema feature to the code.

Documentation and Context

• Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
• Include additional context or screenshots.
• Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

• Code follows established design patterns within the repo and avoids duplication.
• Ensure that the code is modular and reusable where applicable.

Testing

• New unit tests have been added to cover the enhancement.
• Existing unit tests have been updated to reflect the changes.
• Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
• Validate that any rules affected by the enhancement are correctly updated.
• Ensure that performance is not negatively impacted by the changes.
• Verify that any release artifacts are properly generated and tested.
• Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Schema Related Checks

• Verify that the enhancement works across all relevant environments (e.g., different OS versions).
• Link to the relevant Kibana PR or issue provided
• Test export/import flow:
  • Exported detection rule(s) from Kibana to showcase the feature(s)
  • Converted the exported ndjson file(s) to toml in the detection-rules repo
  • Re-exported the toml rule(s) to ndjson and re-imported into Kibana
• Updated necessary unit tests to accommodate the feature
• Incorporated a comprehensive test rule in unit tests for full schema coverage
• Applied min_compat restrictions to limit the feature to a specified minimum stack version
• Executed all unit tests locally with a test toml rule to confirm passing
• Included Kibana PR implementer as an optional reviewer for insights on the feature
• Implemented requisite downgrade functionality
• Cross-referenced the feature with product documentation for consistency
• Confirm that the proper version label is applied to the PR patch, minor, major.

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Google SecOps External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Elastic Security External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Microsoft Sentinel External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ SentinelOne External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ CrowdStrike External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Splunk External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[approksiu]

LGTM, If we use tag "Promotion: External Alerts" tag, let's also update the "External Alerts" rule tag.

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Google SecOps External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Elastic Security External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Microsoft Sentinel External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ SentinelOne External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ CrowdStrike External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Splunk External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[Mikaayenson]

LGTM, If we use tag "Promotion: External Alerts" tag, let's also update the "External Alerts" rule tag.

@peluja1012 will this cause confusion upstream?

[peluja1012]

LGTM, If we use tag "Promotion: External Alerts" tag, let's also update the "External Alerts" rule tag.

@peluja1012 will this cause confusion upstream?

Hey @Mikaayenson, which rules have the "External alerts" tag currently? We wouldn't want AI4DSOC users to have promotion rule automatically installed that are not relevant for the AI4DSOC use case. Looking at the code, it looks like we are checking for both the presence of the tag AND for a related_integration reference before we automatically install the rule. So if a customer has the Crowdstrike integration installed in AI4DSOC, for example, and there is more than one rule with the tag "Promotion: External alerts" that references the Crowdstrike integration via the related_integrations field, then we would automatically install all of those rules. This would not be ideal.

[Mikaayenson]

LGTM, If we use tag "Promotion: External Alerts" tag, let's also update the "External Alerts" rule tag.

@peluja1012 will this cause confusion upstream?

Hey @Mikaayenson, which rules have the "External alerts" tag currently? We wouldn't want AI4DSOC users to have promotion rule automatically installed that are not relevant for the AI4DSOC use case. Looking at the code, it looks like we are checking for both the presence of the tag AND for a related_integration reference before we automatically install the rule. So if a customer has the Crowdstrike integration installed in AI4DSOC, for example, and there is more than one rule with the tag "Promotion: External alerts" that references the Crowdstrike integration via the related_integrations field, then we would automatically install all of those rules. This would not be ideal.

Based on our discussion, if we accidentally add the tag to another rule that meets similar criteria it will cause issues with the AI4DSOC, so we will not add the tag to other rules. cc. @approksiu

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Google SecOps External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Elastic Security External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Microsoft Sentinel External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ SentinelOne External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ CrowdStrike External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Splunk External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Google SecOps External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Elastic Security External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Microsoft Sentinel External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ SentinelOne External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ CrowdStrike External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Splunk External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Google SecOps External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Elastic Security External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Microsoft Sentinel External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ SentinelOne External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ CrowdStrike External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Splunk External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Google SecOps External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Elastic Security External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Microsoft Sentinel External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ SentinelOne External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ CrowdStrike External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Splunk External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Google SecOps External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Elastic Security External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Microsoft Sentinel External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ SentinelOne External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ CrowdStrike External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Splunk External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Google SecOps External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Elastic Security External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Microsoft Sentinel External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ SentinelOne External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ CrowdStrike External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Splunk External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[eric-forte-elastic]

Should these updated dates be in the future? It seems like this is incorrect unless I am missing something.

[Mikaayenson]

place holder until we're ready to merge

[Aegrah]

LGTM!

[Aegrah]

Any specific reason we set this to 1000?

[Mikaayenson]

consistency with #4556

[Aegrah]

Are these mappings of 1, 2 and 3 a sentinal_one thing?

[Mikaayenson]

that's correct, per https://github.com/elastic/security-team/issues/12173#issuecomment-2863155356

[eric-forte-elastic]

Once placeholder dates are updated this looks good to merge (ref). Data checks look good too 👍

[Mikaayenson]

Just waiting to test the remaining rules and then we can merge.

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Google SecOps External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Elastic Security External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Microsoft Sentinel External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ SentinelOne External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ CrowdStrike External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Splunk External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta