Elastic Security: Bulk Detection Rule Modification via Detection API — JIRA Connector

Requirements

Depending on the flavor of your Linux distribution:

JQ

  • jq 1.5 is in the official Debian and Ubuntu repositories. Install using sudo apt-get install jq.
  • jq 1.5 is in the official Fedora repository. Install using sudo dnf install jq.
  • jq 1.4 is in the official openSUSE repository. Install using sudo zypper install jq.
  • jq 1.5 is in the official Arch repository. Install using sudo pacman -S jq.

Bulk Detection Rule Modification

Encode Elastic username and password

You will need to create a user with superuser rights and base64-encode the string username:password.

You can go to https://www.base64encode.org to do this. Result: dXNlcm5hbWU6cGFzc3dvcmQ=

Use the encoded Base64 output in the header: 'Authorization: Basic (Encoded Base64)'

curl -XGET 'https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/actions' --header 'kbn-xsrf: kibana' --header 'Content-Type: multipart/form-data' --header 'Authorization: Basic (Encoded Base64)'

Example: 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='

Load Elastic Action IDs

curl -XGET 'https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/actions' --header 'kbn-xsrf: kibana' --header 'Content-Type: multipart/form-data' --header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ='

Output

[
  {
    "id": "(Action ID)",
    "actionTypeId": ".jira",
    "name": "JIRA",
    "config": {
      "apiUrl": "https://(JIRA Instance).atlassian.net",
      "projectKey": "SOC",
      "incidentConfiguration": null,
      "isCaseOwned": null
    },
    "isPreconfigured": false,
    "referencedByCount": 266
  },
  {
    "id": "(Action ID)",
    "actionTypeId": ".server-log",
    "name": "Monitoring: Write to Kibana log",
    "config": {},
    "isPreconfigured": false,
    "referencedByCount": 10
  },
  {
    "id": "(Action ID)",
    "actionTypeId": ".jira",
    "name": "Security Operations Center",
    "config": {
      "apiUrl": "https://(JIRA Instance).atlassian.net",
      "projectKey": "ES",
      "incidentConfiguration": {
        "mapping": [
          { "actionType": "overwrite", "source": "title", "target": "summary" },
          { "actionType": "overwrite", "source": "description", "target": "description" },
          { "actionType": "append", "source": "comments", "target": "comments" }
        ]
      }
    },
    "isPreconfigured": false,
    "referencedByCount": 0
  }
]

You will need to take the Action ID of the JIRA connector from this output.

I will use the following Action ID for this JIRA Action.

"id": "(Action ID)", "actionTypeId": ".jira", "name": "JIRA", "config": { "apiUrl": "https://(JIRA Instance).atlassian.net", "projectKey": "SOC", "incidentConfiguration": null, "isCaseOwned": null }

In per_page=X, replace X with the total number of active rules you have so that a single _find call returns all of them; for this example I will put 250.

for i in $(curl --silent --location --request GET 'https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/detection_engine/rules/_find?per_page=250&filter=alert.attributes.enabled:true' --header 'kbn-xsrf: kibana' --header 'Content-Type: multipart/form-data' --header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' | jq .data[].id); do
  # jq prints each ID with its surrounding double quotes, which the JSON body below relies on
  echo "Updating Rule ID $i"

  curl --silent --location --request PATCH 'https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/detection_engine/rules' --header 'kbn-xsrf: kibana' --header 'Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=' --header 'Content-Type: application/json' --data-raw '{ "id":'$i', "throttle": "rule", "actions":[ { "action_type_id": ".jira", "id": "", "params": { "subActionParams": { "comments": [], "incident": { "issueType": "", "summary": "", "description": "h3. View Detection:\n\n[View Detection Alert|]\n\nh4. Source\n\n\n\nSource IP Address: \n\nSource Port: \n\n\n\n\nh4. Destination\n\n\n\nDestination IP Address: \n\nDestination Port: \n\n\n\n{code:json}\n\n{code}" } }, "subAction": "pushToService" }, "group": "default" } ] }' | jq .

  echo "Rule ID $i has been updated."
done

A real example of the script is here: https://raw.githubusercontent.com/austinsonger/Elastic-Security-Tricks/main/bulk-detection-rule-changer.sh
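A Python version of the same procedure, added here as an example and not code from the original post or the linked script: it builds the Basic token locally rather than pasting credentials into a website, selects the connector by name instead of copying its ID by hand, pages through _find instead of guessing per_page, and lets json.dumps do the quoting the curl one-liner does by hand. The Kibana URL, the connector name "JIRA" and the incident field values are assumptions; the call parameter is any function with the signature call(method, path, body=None) so the loop can be exercised without a live cluster.

```python
import base64
import json
import urllib.request

def basic_auth(username, password):
    """Build the Basic token locally instead of pasting credentials into a web encoder."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def jira_action_id(actions, name):
    """Select the connector by type and name so the wrong one is not attached to every rule."""
    hits = [a["id"] for a in actions if a["actionTypeId"] == ".jira" and a["name"] == name]
    if len(hits) != 1:
        raise ValueError(f"expected one .jira connector named {name!r}, found {len(hits)}")
    return hits[0]

def patch_body(rule_id, action_id, issue_type, summary, description):
    """Body for PATCH /api/detection_engine/rules; json.dumps does the quoting, not the shell."""
    incident = {"issueType": issue_type, "summary": summary, "description": description}
    action = {"action_type_id": ".jira", "id": action_id, "group": "default",
              "params": {"subAction": "pushToService",
                         "subActionParams": {"comments": [], "incident": incident}}}
    return json.dumps({"id": rule_id, "throttle": "rule", "actions": [action]})

def enabled_rule_ids(call, per_page=100):
    """Page through _find rather than guessing per_page from the number of active rules."""
    ids, page = [], 1
    while True:
        res = call("GET", f"/api/detection_engine/rules/_find?per_page={per_page}&page={page}"
                          "&filter=alert.attributes.enabled:true")
        ids.extend(r["id"] for r in res["data"])
        if page * per_page >= res["total"]:
            return ids
        page += 1

def attach_jira_to_enabled_rules(call, connector_name, incident):
    """The shell loop from the post: one PATCH per enabled rule; returns the patched rule IDs."""
    action_id = jira_action_id(call("GET", "/api/actions"), connector_name)
    patched = []
    for rule_id in enabled_rule_ids(call):
        call("PATCH", "/api/detection_engine/rules", patch_body(rule_id, action_id, **incident))
        patched.append(rule_id)
    return patched

def kibana_call(base_url, auth, method, path, body=None):
    """One Kibana API request over urllib; the kbn-xsrf header is mandatory on every call."""
    headers = {"Authorization": auth, "kbn-xsrf": "kibana", "Content-Type": "application/json"}
    req = urllib.request.Request(base_url + path, method=method, headers=headers,
                                 data=body.encode() if body else None)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Against a real cluster, pass functools.partial(kibana_call, "https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243", basic_auth(user, password)) as call; the issueType and summary left empty in the post still have to be filled in.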

Austin Songer