Elastic Security: Bulk Detection Rule Modification via Detection API — JIRA Connector

Requirements Depending on the taste of your Linux

JQ

  • jq 1.5 is in the official Debian and Ubuntu repositories. Install using sudo apt-get install jq.
  • jq 1.5 is in the official Fedora repository. Install using sudo dnf install jq.
  • jq 1.4 is in the official openSUSE repository. Install using sudo zypper install jq.
  • jq 1.5 is in the official Arch repository. Install using sudo pacman -S jq.

Bulk Detection Rule Modification Encode elastic username and password

You will need to create a user with superuser rights and encode it with base64 username:password

And you can go to https://www.base64encode.org to do this. Result dXNlcm5hbWU6cGFzc3dvcmQ=

Encoded Base64 Output ‘Authorization: Basic (Encoded Base64)’

curl -XGET https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/actions — header ‘kbn-xsrf: kibana’ — header ‘Content-Type: multipart/form-data’ — header ‘Authorization: Basic (Encoded Base64)’

Example ‘Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=’

Load Elastic Action ID’s

curl -XGET https://(System Generated ID).eastus2.azure.elastic-cloud.com:9243/api/actions — header ‘kbn-xsrf: kibana’ — header ‘Content-Type: multipart/form-data’ — header ‘Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=’

Output

[ { “id”: “(Action ID)”, “actionTypeId”: “.jira”, “name”: “JIRA”, “config”: { “apiUrl”: “https://(JIRA Instance).atlassian.net”, “projectKey”: “SOC”, “incidentConfiguration”: null, “isCaseOwned”: null }, “isPreconfigured”: false, “referencedByCount”: 266 }, { “id”: “(Action ID)”, “actionTypeId”: “.server-log”, “name”: “Monitoring: Write to Kibana log”, “config”: {}, “isPreconfigured”: false, “referencedByCount”: 10 }, { “id”: “(Action ID)”, “actionTypeId”: “.jira”, “name”: “Security Operations Center”, “config”: { “apiUrl”: “https://(JIRA Instance).atlassian.net”, “projectKey”: “ES”, “incidentConfiguration”: { “mapping”: [ { “actionType”: “overwrite”, “source”: “title”, “target”: “summary” }, { “actionType”: “overwrite”, “source”: “description”, “target”: “description” }, { “actionType”: “append”, “source”: “comments”, “target”: “comments” } ] } }, “isPreconfigured”: false, “referencedByCount”: 0 } ]

You will need take the Action ID

I will use the following Action ID for this JIRA Action.

“id”: “(Action ID)”, “actionTypeId”: “.jira”, “name”: “JIRA”, “config”: { “apiUrl”: “https://(JIRA Instance).atlassian.net”, “projectKey”: “SOC”, “incidentConfiguration”: null, “isCaseOwned”: null

per_page=X you place the number of all of the active rules you have, where X is where you will place the number and for this example I will put 250

for i in $(curl — silent — location — request GET ‘https://.eastus2.azure.elastic-cloud.com:9243/api/detection_engine/rules/_find?per_page=250&filter=alert.attributes.enabled:true' — header ‘kbn-xsrf: kibana’ — header ‘Content-Type: multipart/form-data’ — header ‘Authorization: Basic <dXNlcm5hbWU6cGFzc3dvcmQ=’ | jq .data[].id); do

echo “Updating Rule ID $i”

curl — silent — location — request PATCH ‘https://.eastus2.azure.elastic-cloud.com:9243/api/detection_engine/rules' — header ‘kbn-xsrf: kibana’ — header ‘Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=’ — header ‘Content-Type: application/json’ — data-raw ‘{ “id”:’$i’, “throttle”: “rule”, “actions”:[ { “action_type_id”: “.jira”, “id”: “”, “params”: { “subActionParams”: { “comments”: [], “incident”: { “issueType”: “”, “summary”: “”, “description”: “h3. View Detection:\n\n[View Detection Alert|]\n\nh4. Source\n\n\n\nSource IP Address: \n\nSource Port: \n\n\n\n\nh4. Destination\n\n\n\nDestination IP Address: \n\nDestination Port: \n\n\n\n{code:json}\n\n{code}” } }, “subAction”: “pushToService” }, “group”: “default” } ] }’ | jq .

echo “Rule ID $i has been updated.” done

Real Example Example of Script Here [https://raw.githubusercontent.com/austinsonger/Elastic-Security-Tricks/main/bulk-detection-rule-changer.sh]

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store