# Elastic Kibana 7 - Security
## Elastic Kibana v7

This connector is for Elastic Security, both on-premises and Elastic Cloud versions starting with 7.9.0. The primary focus is on the Elastic Security feature of Kibana, but the connector also uses additional Kibana APIs.

## Prerequisites

This connector has only been tested using Elasticsearch & Kibana on-premises and Elastic Cloud 7.16. Depending on how your organization has set up Elasticsearch, Kibana, etc., you need to make sure that the following requirements have been met:

- Create, or know, the Kibana space that will primarily be used.
- Create a signal index. This index needs to be in the following format: `.siem-signals-<kibana space name>`. Using the default Kibana space, this would be `.siem-signals-default`.
- Create detection rule(s) or load Elastic's pre-packaged detection rules.

## Asset Setup

### Connecting to Elastic Cloud

In order to use this connector with Elastic Cloud you must provide the following inputs in the configured asset:

- Host
- Port
- API Key

If you generated an API key from within the Elastic Cloud portal, you may need to run the following commands to generate the correct API key:

```shell
echo "qnq3bdbic0jqr3d1awxkmvbzd0m6cl9wqul6anhrww1vlvazdg5jzkuzuq==" | base64 -d
```

which will result in a value similar to the following:

```
bt7l0hsbjgwuild1pywc:r vaizjxqymo p3tnife3q%
```

Then take this value and run it through base64 again:

```shell
echo -n "bt7l0hsbjgwuild1pywc:r vaizjxqymo p3tnife3q%" | base64
```

This will result in the correct API key.

### Connecting to On-Premises

In order to use this connector with an on-premises Elasticsearch and Kibana, you must provide the following inputs in the configured asset:

- Host
- Port
- Username
- Password

### Common Issues Within the Asset

If you receive an error about the host, please remove any trailing slashes from the host string.

## Notes

For more information, see https://www.elastic.co/guide/en/security/7.16/security-apis.html.

This connector was last tested against product version Elastic Kibana 7.16.3.

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Authorization | API key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Username | Username | string | required |
| Password | Password | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Find Cases

Retrieves a paginated subset of cases.

- Endpoint URL: `api/cases/_find`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page | number | optional | Parameters for the Find Cases action |
| parameters.perPage | number | optional | Parameters for the Find Cases action |
| parameters.sortField | string | optional | Parameters for the Find Cases action |
| parameters.sortOrder | string | optional | Parameters for the Find Cases action |
| parameters.tags | string | optional | Parameters for the Find Cases action |
| parameters.owner | string | optional | Parameters for the Find Cases action |
| parameters.status | string | optional | Parameters for the Find Cases action |
| parameters.reporters | string | optional | Parameters for the Find Cases action |

Input example:

```json
{"parameters": {"page": 1, "perPage": 5, "sortField": "updatedAt", "sortOrder": "asc", "tags": "phishing", "owner": "owner", "status": "open", "reporters": "username"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |
| cases | array | Output field cases |
| cases.id | string | Unique identifier |
| cases.version | string | Output field cases.version |
| cases.comments | array | Output field cases.comments |
| cases.comments.file_name | string | Name of the resource |
| cases.comments.file | string | Output field cases.comments.file |
| cases.totalComment | number | Output field cases.totalComment |
| cases.closed_at | object | Output field cases.closed_at |
| cases.closed_by | object | Output field cases.closed_by |
| cases.created_at | string | Output field cases.created_at |
| cases.created_by | object | Output field cases.created_by |
| cases.created_by.email | string | Output field cases.created_by.email |
| cases.created_by.full_name | string | Name of the resource |
| cases.created_by.username | string | Name of the resource |
| cases.external_service | object | Output field cases.external_service |
| cases.updated_at | string | Output field cases.updated_at |
| cases.updated_by | object | Output field cases.updated_by |
| cases.updated_by.full_name | string | Name of the resource |
| cases.updated_by.email | string | Output field cases.updated_by.email |
| cases.updated_by.username | string | Name of the resource |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"date": "Mon, 23 Jan 2023 20:12:56 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "x-srv-trace": "v=1;t=d6ea1d0735c74352", "x-srv-span": "v=1;s=5a6153fa9cd5d837", "access-control-allow-origin": "*", "x-ratelimit-limit": "120", "x-ratelimit-remaining": "119", "x-ratelimit-reset": "1674493629", "etag": "W/\"a4-7ho0t/xlq3tufvitu2zvqqdiy+a\"", "vary": "accept-encoding", "content-encoding": "gzip"}, "reason": "OK", "json
```

### Get Case

Returns the specified case.

- Endpoint URL: `api/cases/{{case_id}}`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.case_id | string | required | Parameters for the Get Case action |
| parameters.includeComments | boolean | optional | Parameters for the Get Case action |

Input example:

```json
{"parameters": {"includeComments": true}, "path_parameters": {"case_id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| version | string | Output field version |
| comments | array | Output field comments |
| comments.file_name | string | Name of the resource |
| comments.file | string | Output field comments.file |
| totalComment | number | Output field totalComment |
| closed_at | object | Output field closed_at |
| closed_by | object | Output field closed_by |
| created_at | string | Output field created_at |
| created_by | object | Output field created_by |
| created_by.email | string | Output field created_by.email |
| created_by.full_name | string | Name of the resource |
| created_by.username | string | Name of the resource |
| external_service | object | Output field external_service |
| updated_at | string | Output field updated_at |
| updated_by | object | Output field updated_by |
| updated_by.full_name | string | Name of the resource |
| updated_by.email | string | Output field updated_by.email |
| updated_by.username | string | Name of the resource |
| description | string | Output field description |
| title | string | Output field title |
| status | string | Status value |
| connector | object | Output field connector |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"date": "Tue, 24 Jan 2023 17:24:36 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "x-srv-trace": "v=1;t=142245b81cc02af4", "x-srv-span": "v=1;s=6778cda89a9eedb4", "access-control-allow-origin": "*", "x-ratelimit-limit": "120", "x-ratelimit-remaining": "119", "x-ratelimit-reset": "1674580310", "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"", "vary": "accept-encoding", "content-encoding": "gzip"}, "reason": "OK", "json
```

### Get All Case Activity

Returns all user activity for the specified case.

- Endpoint URL: `api/cases/{{case_id}}/user_actions`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.case_id | string | required | Parameters for the Get All Case Activity action |

Input example:

```json
{"path_parameters": {"case_id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"date": "Tue, 24 Jan 2023 16:58:55 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "x-srv-trace": "v=1;t=456e25c3138d982b", "x-srv-span": "v=1;s=fb97ac49aee7fcdb", "access-control-allow-origin": "*", "x-ratelimit-limit": "120", "x-ratelimit-remaining": "119", "x-ratelimit-reset": "1674578940", "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"", "vary": "accept-encoding", "content-encoding": "gzip"}, "reason": "OK", "json
```

### Get Case Configuration

Retrieves external connection details, such as the closure type and default connector for cases.

- Endpoint URL: `/api/cases/configure`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.owner | string | optional | Parameters for the Get Case Configuration action |

Input example:

```json
{"parameters": {"owner": "cases"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"date": "Tue, 24 Jan 2023 19:27:57 GMT", "content-type": "application/json; charset=utf-8", "content-length": "884", "connection": "keep-alive", "x-srv-trace": "v=1;t=bfa2495db98bca57", "x-srv-span": "v=1;s=273ea6f05af07f02", "access-control-allow-origin": "*", "x-ratelimit-limit": "120", "x-ratelimit-remaining": "119", "x-ratelimit-reset": "1674588466", "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"", "vary": "accept-encoding"}, "reason": "OK", "json_body": [{"closure_type": "close-by
```

### Find Connectors

Retrieves information about connectors.

- Endpoint URL: `api/cases/configure/connectors/_find`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"date": "Tue, 24 Jan 2023 17:07:23 GMT", "content-type": "application/json; charset=utf-8", "content-length": "292", "connection": "keep-alive", "x-srv-trace": "v=1;t=4ca005b418610af6", "x-srv-span": "v=1;s=7ffbe0153fe58eb3", "access-control-allow-origin": "*", "x-ratelimit-limit": "120", "x-ratelimit-remaining": "119", "x-ratelimit-reset": "1674579860", "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"", "vary": "accept-encoding"}, "reason": "OK", "json_body": [{"id": "61787f53-4eee-4741
```

### Find Exception Containers

Retrieves a paginated subset of exception containers.

- Endpoint URL: `api/exception_lists/_find`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page | number | optional | Parameters for the Find Exception Containers action |
| parameters.per_page | number | optional | Parameters for the Find Exception Containers action |
| parameters.sort_field | string | optional | Parameters for the Find Exception Containers action |
| parameters.sort_order | string | optional | Parameters for the Find Exception Containers action |
| parameters.cursor | string | optional | Parameters for the Find Exception Containers action |
| parameters.namespace_type | string | optional | Parameters for the Find Exception Containers action |
| parameters.filter | string | optional | Parameters for the Find Exception Containers action |

Input example:

```json
{"parameters": {"page": 1, "per_page": 2, "sort_field": "name", "sort_order": "desc", "cursor": "cursor", "namespace_type": "space", "filter": "name:name"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.tags | array | Response data |
| data.tags.file_name | string | Response data |
| data.tags.file | string | Response data |
| data.created_at | string | Response data |
| data.created_by | string | Response data |
| data.description | string | Response data |
| data.id | string | Response data |
| data.list_id | string | Response data |
| data.name | string | Response data |
| data.namespace_type | string | Response data |
| data.tie_breaker_id | string | Response data |
| data.type | string | Response data |
| data.updated_at | string | Response data |
| data.updated_by | string | Response data |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"date": "Mon, 23 Jan 2023 20:40:42 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "x-srv-trace": "v=1;t=c420c1994848cd92", "x-srv-span": "v=1;s=78883294484d23fb", "access-control-allow-origin": "*", "x-ratelimit-limit": "120", "x-ratelimit-remaining": "119", "x-ratelimit-reset": "1674506400", "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"", "vary": "accept-encoding", "content-encoding": "gzip"}, "reason": "OK", "json
```

### Find Exception Items

Retrieves a paginated subset of exception items in the specified container.

- Endpoint URL: `api/exception_lists/items/_find`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.list_id | string | required | Parameters for the Find Exception Items action |
| parameters.page | number | optional | Parameters for the Find Exception Items action |
| parameters.per_page | number | optional | Parameters for the Find Exception Items action |
| parameters.sort_field | string | optional | Parameters for the Find Exception Items action |
| parameters.sort_order | string | optional | Parameters for the Find Exception Items action |
| parameters.cursor | string | optional | Parameters for the Find Exception Items action |

Input example:

```json
{"parameters": {"list_id": "allowed-processes", "page": 1, "per_page": 2, "sort_field": "name", "sort_order": "desc", "cursor": "cursor"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data.tags | array | Response data |
| data.tags.file_name | string | Response data |
| data.tags.file | string | Response data |
| data.comments | array | Response data |
| data.comments.comment | string | Response data |
| data.comments.created_at | string | Response data |
| data.comments.created_by | string | Response data |
| data.created_at | string | Response data |
| data.created_by | string | Response data |
| data.description | string | Response data |
| data.entries | array | Response data |
| data.entries.field | string | Response data |
| data.entries.operator | string | Response data |
| data.entries.type | string | Response data |
| data.entries.value | array | Response data |
| data.id | string | Response data |
| data.item_id | string | Response data |
| data.list_id | string | Response data |
| data.name | string | Response data |
| data.namespace_type | string | Response data |
| data.tie_breaker_id | string | Response data |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"date": "Mon, 23 Jan 2023 21:25:15 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "x-srv-trace": "v=1;t=11782e3fc888d672", "x-srv-span": "v=1;s=26a26302ea05a85c", "access-control-allow-origin": "*", "x-ratelimit-limit": "120", "x-ratelimit-remaining": "119", "x-ratelimit-reset": "1674509073", "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"", "vary": "accept-encoding", "content-encoding": "gzip"}, "reason": "OK", "json
```

### Find List Containers

Retrieves a paginated subset of list containers.

- Endpoint URL: `api/lists/_find`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page | number | optional | Parameters for the Find List Containers action |
| parameters.per_page | number | optional | Parameters for the Find List Containers action |
| parameters.sort_field | string | optional | Parameters for the Find List Containers action |
| parameters.sort_order | string | optional | Parameters for the Find List Containers action |
| parameters.cursor | string | optional | Parameters for the Find List Containers action |
| parameters.filter | string | optional | Parameters for the Find List Containers action |

Input example:

```json
{"parameters": {"page": 1, "per_page": 2, "sort_field": "name", "sort_order": "desc", "cursor": "cursor", "filter": "name:name"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| data | array | Response data |
| data._version | string | Response data |
| data.id | string | Response data |
| data.created_at | string | Response data |
| data.created_by | string | Response data |
| data.description | string | Response data |
| data.immutable | boolean | Response data |
| data.name | string | Response data |
| data.tie_breaker_id | string | Response data |
| data.type | string | Response data |
| data.updated_at | string | Response data |
| data.updated_by | string | Response data |
| data.version | number | Response data |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"date": "Mon, 23 Jan 2023 21:40:00 GMT", "content-type": "application/json; charset=utf-8", "content-length": "660", "connection": "keep-alive", "x-srv-trace": "v=1;t=db8f3736ef937fc5", "x-srv-span": "v=1;s=386f87daef9dcf10", "access-control-allow-origin": "*", "x-ratelimit-limit": "120", "x-ratelimit-remaining": "119", "x-ratelimit-reset": "1674509983", "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"", "vary": "accept-encoding"}, "reason": "OK", "json_body": {"cursor": "wziwlfsimtk1zju
```

### Find List Items

Retrieves a paginated subset of list items in the specified container.

- Endpoint URL: `/api/lists/items/_find`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.list_id | string | required | Parameters for the Find List Items action |
| parameters.page | number | optional | Parameters for the Find List Items action |
| parameters.per_page | number | optional | Parameters for the Find List Items action |
| parameters.sort_field | string | optional | Parameters for the Find List Items action |
| parameters.sort_order | string | optional | Parameters for the Find List Items action |
| parameters.cursor | string | optional | Parameters for the Find List Items action |

Input example:

```json
{"parameters": {"list_id": "allowed-processes", "page": 1, "per_page": 2, "sort_field": "name", "sort_order": "desc", "cursor": "cursor"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| data | array | Response data |
| data.version | string | Response data |
| data.created_at | string | Response data |
| data.created_by | string | Response data |
| data.id | string | Response data |
| data.list_id | string | Response data |
| data.tie_breaker_id | string | Response data |
| data.type | string | Response data |
| data.updated_at | string | Response data |
| data.updated_by | string | Response data |
| data.value | string | Response data |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"date": "Mon, 23 Jan 2023 21:54:12 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "x-srv-trace": "v=1;t=1425971a5b41ab27", "x-srv-span": "v=1;s=8dc3927dc8cb45ce", "access-control-allow-origin": "*", "x-ratelimit-limit": "120", "x-ratelimit-remaining": "119", "x-ratelimit-reset": "1674510789", "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"", "vary": "accept-encoding", "content-encoding": "gzip"}, "reason": "OK", "json
```

### Export Rules

Exports rules to an NDJSON file.

- Endpoint URL: `api/detection_engine/rules/_export`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.exclude_export_details | boolean | optional | Parameters for the Export Rules action |
| parameters.file_name | string | optional | Parameters for the Export Rules action |
| objects | array | optional | Parameter for Export Rules |
| objects.rule_id | string | optional | Unique identifier |

Input example:

```json
{"parameters": {"exclude_export_details": false, "file_name": "testfilename.ndjson"}, "json_body": {"objects": [{"rule_id": "94052990-9c26-11ed-b17c-e7b302621d5b"}]}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| exported_count | number | Count value |
| exported_rules_count | number | Count value |
| missing_rules | array | Output field missing_rules |
| missing_rules.rule_id | string | Unique identifier |
| missing_rules_count | number | Count value |
| exported_exception_list_count | number | Count value |
| exported_exception_list_item_count | number | Count value |
| missing_exception_list_item_count | number | Count value |
| missing_exception_list_items | array | Output field missing_exception_list_items |
| missing_exception_list_items.file_name | string | Name of the resource |
| missing_exception_list_items.file | string | Output field missing_exception_list_items.file |
| missing_exception_lists | array | Output field missing_exception_lists |
| missing_exception_lists.file_name | string | Name of the resource |
| missing_exception_lists.file | string | Output field missing_exception_lists.file |
| missing_exception_lists_count | number | Count value |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"server": "nginx/1.18.0 (Ubuntu)", "date": "Tue, 24 Jan 2023 20:48:44 GMT", "content-type": "application/ndjson", "content-length": "347", "connection": "keep-alive", "content-disposition": "attachment; filename=\"testfilename.ndjson\"", "x-content-type-options": "nosniff", "referrer-policy": "no-referrer-when-downgrade", "content-security-policy": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inli", "kbn-name": "ubu2204template", "kbn-license
```

### Find Rules

Retrieves a paginated subset of signal detection rules.

- Endpoint URL: `api/detection_engine/rules/_find`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.page | number | optional | Parameters for the Find Rules action |
| parameters.per_page | number | optional | Parameters for the Find Rules action |
| parameters.sort_field | string | optional | Parameters for the Find Rules action |
| parameters.sort_order | string | optional | Parameters for the Find Rules action |
| parameters.filter | string | optional | Parameters for the Find Rules action |

Input example:

```json
{"parameters": {"page": 1, "per_page": 5, "sort_field": "enabled", "sort_order": "asc", "filter": "alert.attributes.name:windows"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| page | number | Output field page |
| perPage | number | Output field perPage |
| total | number | Output field total |
| data | array | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.created_by | string | Response data |
| data.description | string | Response data |
| data.enabled | boolean | Response data |
| data.false_positives | array | Response data |
| data.false_positives.file_name | string | Response data |
| data.false_positives.file | string | Response data |
| data.from | string | Response data |
| data.id | string | Response data |
| data.immutable | boolean | Response data |
| data.index | array | Response data |
| data.interval | string | Response data |
| data.rule_id | string | Response data |
| data.language | string | Response data |
| data.output_index | string | Response data |
| data.max_signals | number | Response data |
| data.risk_score | number | Response data |
| data.name | string | Response data |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"date": "Mon, 23 Jan 2023 20:22:33 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "x-srv-trace": "v=1;t=055814721165fd01", "x-srv-span": "v=1;s=d0abef80426f43dd", "access-control-allow-origin": "*", "x-ratelimit-limit": "120", "x-ratelimit-remaining": "119", "x-ratelimit-reset": "1674505413", "etag": "W/\"6b2-ualfqwmofsayivg98we59oy3qby\"", "vary": "accept-encoding", "content-encoding": "gzip"}, "reason": "OK", "jso
```

### Get Rules

Retrieves a single rule using the `rule_id` or `id` field.

- Endpoint URL: `api/detection_engine/rules`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.id | string | optional | Parameters for the Get Rules action |
| parameters.rule_id | string | optional | Parameters for the Get Rules action |

Input example:

```json
{"parameters": {"id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3", "rule_id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3"}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| enabled | boolean | Output field enabled |
| false_positives | array | Output field false_positives |
| false_positives.file_name | string | Name of the resource |
| false_positives.file | string | Output field false_positives.file |
| filters | array | Output field filters |
| filters.query | object | Output field filters.query |
| filters.query.match | object | Output field filters.query.match |
| filters.query.match.event.action | object | Output field filters.query.match.event.action |
| filters.query.match.event.action.query | string | Output field filters.query.match.event.action.query |
| filters.query.match.event.action.type | string | Type of the resource |
| from | string | Output field from |
| id | string | Unique identifier |
| immutable | boolean | Output field immutable |
| interval | string | Output field interval |
| rule_id | string | Unique identifier |
| language | string | Output field language |
| output_index | string | Output field output_index |
| max_signals | number | Output field max_signals |
| risk_score | number | Score value |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"date": "Tue, 24 Jan 2023 19:36:39 GMT", "content-type": "application/json; charset=utf-8", "transfer-encoding": "chunked", "connection": "keep-alive", "x-srv-trace": "v=1;t=40dfdc4d61706ab6", "x-srv-span": "v=1;s=a573e9e875c58d77", "access-control-allow-origin": "*", "x-ratelimit-limit": "120", "x-ratelimit-remaining": "119", "x-ratelimit-reset": "1674588944", "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"", "vary": "accept-encoding", "content-encoding": "gzip"}, "reason": "OK", "json
```

### Search Signals

The signals endpoint is for retrieving, aggregating, and updating detection alerts.

- Endpoint URL: `api/detection_engine/signals/search`
- Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| aggs | object | optional | Parameter for Search Signals |
| aggs.latest | object | optional | Parameter for Search Signals |
| aggs.latest.max | object | optional | Parameter for Search Signals |
| aggs.latest.max.field | string | optional | Parameter for Search Signals |
| aggs.oldest | object | optional | Parameter for Search Signals |
| aggs.oldest.min | object | optional | Parameter for Search Signals |
| aggs.oldest.min.field | string | optional | Parameter for Search Signals |
| query | object | optional | Parameter for Search Signals |
| query.bool | object | optional | Parameter for Search Signals |
| query.bool.filter | array | optional | Parameter for Search Signals |
| query.bool.filter.match | object | optional | Parameter for Search Signals |
| query.bool.filter.match.signal.status | string | optional | Status value |
| query.bool.filter.range | object | optional | Parameter for Search Signals |
| query.bool.filter.range.signal.rule.risk_score | object | optional | Score value |

Input example:

```json
{"json_body": {"aggs": {"latest": {"max": {"field": "@timestamp"}}, "oldest": {"min": {"field": "@timestamp"}}}, "query": {"bool": {"filter": [{"match": {"signal.status": "open"}}, {"range": {"signal.rule.risk_score": {"gte": 70}}}]}}}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| took | number | Output field took |
| timed_out | boolean | Output field timed_out |
| _shards | object | Output field _shards |
| _shards.total | number | Output field _shards.total |
| _shards.successful | number | Whether the operation was successful |
| _shards.skipped | number | Output field _shards.skipped |
| _shards.failed | number | Output field _shards.failed |
| hits | object | Output field hits |
| hits.total | object | Output field hits.total |
| hits.total.value | number | Value for the parameter |
| hits.total.relation | string | Output field hits.total.relation |
| hits.max_score | object | Score value |
| hits.hits | array | Output field hits.hits |
| hits.hits.file_name | string | Name of the resource |
| hits.hits.file | string | Output field hits.hits.file |
| aggregations | object | Output field aggregations |
| aggregations.oldest | object | Output field aggregations.oldest |
| aggregations.oldest.value | number | Value for the parameter |
| aggregations.oldest.value_as_string | string | Value for the parameter |
| aggregations.latest | object | Output field aggregations.latest |
| aggregations.latest.value | number | Value for the parameter |
| aggregations.latest.value_as_string | string | Value for the parameter |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"server": "nginx/1.18.0 (Ubuntu)", "date": "Wed, 25 Jan 2023 14:57:26 GMT", "content-type": "application/json; charset=utf-8", "content-length": "225", "connection": "keep-alive", "x-content-type-options": "nosniff", "referrer-policy": "no-referrer-when-downgrade", "content-security-policy": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inli", "kbn-name": "ubu2204template", "kbn-license-sig": "41fb004c5f952e932d4f566dc859516a1f89cc84a3bf9c11e
```

### Get All Kibana Spaces

Retrieve all Kibana spaces.

- Endpoint URL: `api/spaces/space`
- Method: GET

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.purpose | string | optional | Parameters for the Get All Kibana Spaces action |
| parameters.include_authorized_purposes | boolean | optional | Parameters for the Get All Kibana Spaces action |

Input example:

```json
{"parameters": {"purpose": "any", "include_authorized_purposes": true}}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"server": "nginx/1.18.0 (Ubuntu)", "date": "Tue, 24 Jan 2023 19:45:33 GMT", "content-type": "application/json; charset=utf-8", "content-length": "136", "connection": "keep-alive", "x-content-type-options": "nosniff", "referrer-policy": "no-referrer-when-downgrade", "content-security-policy": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inli", "kbn-name": "ubu2204template", "kbn-license-sig": "41fb004c5f952e932d4f566dc859516a1f89cc84a3bf9c11e
```

### Get Tags

Aggregates and returns all rule tags.

- Endpoint URL: `api/detection_engine/tags`
- Method: GET

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"server": "nginx/1.18.0 (Ubuntu)", "date": "Tue, 24 Jan 2023 20:10:27 GMT", "content-type": "application/json; charset=utf-8", "content-length": "749", "connection": "keep-alive", "x-content-type-options": "nosniff", "referrer-policy": "no-referrer-when-downgrade", "content-security-policy": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inli", "kbn-name": "ubu2204template", "kbn-license-sig": "41fb004c5f952e932d4f566dc859516a1f89cc84a3bf9c11e
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| accept-ranges | HTTP response header accept-ranges | bytes |
| access-control-allow-origin | HTTP response header access-control-allow-origin | * |
| cache-control | Directives for caching mechanisms | private, no-cache, no-store, must-revalidate |
| connection | HTTP response header connection | keep-alive |
| content-disposition | HTTP response header content-disposition | attachment; filename="testfilename.ndjson" |
| content-encoding | HTTP response header content-encoding | gzip |
| content-length | The length of the response body in bytes | 292 |
| content-security-policy | HTTP response header content-security-policy | script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self' |
| content-type | The media type of the resource | application/json; charset=utf-8 |
| date | The date and time at which the message was originated | Tue, 24 Jan 2023 20:10:27 GMT |
| etag | An identifier for a specific version of a resource | W/"a4-7ho0t/xlq3tufvitu2zvqqdiy+a" |
| kbn-license-sig | HTTP response header kbn-license-sig | 41fb004c5f952e932d4f566dc859516a1f89cc84a3bf9c11efde7c9b78e7a281 |
| kbn-name | HTTP response header kbn-name | ubu2204template |
| referrer-policy | HTTP response header referrer-policy | no-referrer-when-downgrade |
| server | Information about the software used by the origin server | nginx/1.18.0 (Ubuntu) |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| vary | HTTP response header vary | accept-encoding |
| x-content-type-options | HTTP response header x-content-type-options | nosniff |
| x-ratelimit-limit | The number of requests allowed in the current rate limit window | 120 |
| x-ratelimit-remaining | The number of requests remaining in the current rate limit window | 119 |
| x-ratelimit-reset | The time at which the current rate limit window resets | 1674509073 |
| x-srv-span | HTTP response header x-srv-span | v=1;s=273ea6f05af07f02 |
| x-srv-trace | HTTP response header x-srv-trace | v=1;t=142245b81cc02af4 |
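The Elastic Cloud API key procedure and the trailing-slash note in the Asset Setup section, as an added Python example (this is not the connector's own code nor Elastic's): it does the same decode, strip and re-encode that the two shell commands do, rejects a value that does not decode to `<id>:<key>` so a bad asset value fails at setup instead of as a 401 on the first action, and builds the headers a request under API Key Authentication carries. The sample key, the host name and the `kbn-xsrf` header (which Kibana requires on non-GET requests) are assumptions of this example, not values from this page.

```python
import base64
import binascii

# Constructed sample (not a real credential). The decoded form of an Elastic
# API key is "<id>:<key>"; here it carries a trailing newline, which is the
# situation the decode/re-encode steps in the Asset Setup section correct.
SAMPLE_PORTAL_KEY = base64.b64encode(b"id:secret\n").decode()


def normalize_api_key(portal_key: str) -> str:
    """Decode a key copied from the Elastic Cloud portal, drop trailing line
    breaks from the decoded "<id>:<key>" value and re-encode it.

    Same effect as `base64 -d` followed by `echo -n ... | base64`.
    Raises ValueError for input that is not base64 or does not decode to
    "<id>:<key>".
    """
    try:
        raw = base64.b64decode(portal_key.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("API key is not valid base64") from exc
    decoded = raw.rstrip(b"\r\n")  # the part `echo -n` leaves out when re-encoding
    parts = decoded.split(b":")
    if len(parts) != 2 or not all(parts):
        raise ValueError('decoded API key must have the form "<id>:<key>"')
    return base64.b64encode(decoded).decode()


def looks_like_api_key(portal_key: str) -> bool:
    """True if normalize_api_key() would accept the value."""
    try:
        normalize_api_key(portal_key)
        return True
    except ValueError:
        return False


def normalize_host(host: str) -> str:
    """Strip surrounding whitespace and trailing slashes (see 'Common Issues')."""
    return host.strip().rstrip("/")


def build_headers(portal_key: str) -> dict:
    """Request headers for Kibana under API Key Authentication.

    kbn-xsrf is required by Kibana on non-GET requests; sending it on every
    request is harmless. (Header choice is an assumption of this example.)
    """
    return {
        "Authorization": f"ApiKey {normalize_api_key(portal_key)}",
        "kbn-xsrf": "true",
        "Content-Type": "application/json",
    }


if __name__ == "__main__":
    # Hypothetical host for illustration only.
    print(normalize_host("https://kibana.example.test:5601/"))
    print(build_headers(SAMPLE_PORTAL_KEY)["Authorization"])
```

A key that already decodes cleanly passes through unchanged, so the function is safe to apply to every configured asset rather than only to keys that came from the Cloud portal.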
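The `_find` actions on this page (Find Cases, Find Exception Containers, Find Exception Items, Find List Containers, Find List Items, Find Rules) all page through results with `page`, a page-size parameter and `total`, but the naming is not uniform: the cases API takes `perPage` and answers with `per_page`, while the detection engine `_find` takes `per_page` and answers with `perPage`. The following Python is an added example, not the connector's code: a generic paginator that walks any of those endpoints through a caller-supplied `get(path, params)` function and stops on `total`, an empty page, or a request cap. The endpoint table, the stub transport and its five sample rules are constructed for an offline run; the key names are the ones in the action tables above.

```python
from typing import Any, Callable, Dict, Iterator, List

# Request/response naming per endpoint family, taken from the action tables on
# this page. "size" is the request parameter; the response's page-size field
# is read under both spellings because it does not always match the request.
FIND_ENDPOINTS: Dict[str, Dict[str, str]] = {
    "cases":      {"path": "api/cases/_find",                  "size": "perPage",  "items": "cases"},
    "rules":      {"path": "api/detection_engine/rules/_find", "size": "per_page", "items": "data"},
    "lists":      {"path": "api/lists/_find",                  "size": "per_page", "items": "data"},
    "exceptions": {"path": "api/exception_lists/_find",        "size": "per_page", "items": "data"},
}

Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def iter_find(get: Transport, kind: str, per_page: int = 100,
              max_pages: int = 1000, **extra: Any) -> Iterator[Dict[str, Any]]:
    """Yield every item from a paginated _find endpoint.

    `get(path, params)` performs the HTTP GET and returns the decoded JSON body
    (requests.get(...).json() in production, a stub here). Iteration stops when
    page * page_size >= total, when a page comes back empty, or after max_pages
    requests, so a server that keeps reporting a growing total cannot turn a
    playbook step into an endless loop. `extra` passes through query parameters
    such as filter= or sort_field=.
    """
    spec = FIND_ENDPOINTS[kind]
    page = 1
    while page <= max_pages:
        params = {"page": page, spec["size"]: per_page, **extra}
        body = get(spec["path"], params)
        items = body.get(spec["items"], [])
        if not items:
            return
        yield from items
        size = body.get("per_page") or body.get("perPage") or per_page
        if page * size >= body.get("total", 0):
            return
        page += 1


def collect_find(get: Transport, kind: str, per_page: int = 100,
                 **extra: Any) -> List[Dict[str, Any]]:
    """Materialise iter_find() into a list."""
    return list(iter_find(get, kind, per_page, **extra))


# Constructed sample data for an offline run: five rules served by a stub
# transport that behaves like GET api/detection_engine/rules/_find (note the
# camelCase "perPage" in the response, as the Find Rules output table shows).
SAMPLE_RULES = [
    {"id": f"rule-{i}", "name": f"Rule {i}", "enabled": i % 2 == 0, "risk_score": 10 * i}
    for i in range(1, 6)
]


def stub_get(path: str, params: Dict[str, Any]) -> Dict[str, Any]:
    assert path == FIND_ENDPOINTS["rules"]["path"]
    page, size = params["page"], params["per_page"]
    start = (page - 1) * size
    return {"page": page, "perPage": size, "total": len(SAMPLE_RULES),
            "data": SAMPLE_RULES[start:start + size]}


if __name__ == "__main__":
    for rule in collect_find(stub_get, "rules", per_page=2, filter="alert.attributes.name:windows"):
        print(rule["id"], rule["enabled"], rule["risk_score"])
```

Swapping `stub_get` for a function that issues the real request (with the asset's base URL, headers and `verify=` setting) is the only change needed to run this against Kibana; the pagination logic does not change.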
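The Search Signals action, as an added Python example rather than code from the connector: it builds the same request body as the action's input example, parameterised on status and minimum risk score, and reduces a response to the fields a playbook typically acts on, including whether the hit count is exact and whether any shard failed. The response body, and in particular the `_source` layout with `signal.rule.name` and `host.name` (the 7.x alert schema this page targets), is constructed here for an offline run; the top-level `hits`, `_shards` and `aggregations` fields are the ones in the action's output table.

```python
from typing import Any, Dict, List

SIGNALS_SEARCH_PATH = "api/detection_engine/signals/search"


def build_signals_query(status: str = "open", min_risk_score: int = 70,
                        timestamp_field: str = "@timestamp") -> Dict[str, Any]:
    """Request body for POST api/detection_engine/signals/search.

    Same shape as the action's input example: a bool filter on signal.status
    and a range on signal.rule.risk_score, plus min/max aggregations on the
    timestamp so the response also says how old and how fresh the matches are.
    """
    if not 0 <= min_risk_score <= 100:
        raise ValueError("risk_score is defined on 0..100")
    return {
        "aggs": {
            "latest": {"max": {"field": timestamp_field}},
            "oldest": {"min": {"field": timestamp_field}},
        },
        "query": {"bool": {"filter": [
            {"match": {"signal.status": status}},
            {"range": {"signal.rule.risk_score": {"gte": min_risk_score}}},
        ]}},
    }


def summarize_signals(body: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce a signals search response to what a playbook usually needs.

    Reads hits.total.value/relation, aggregations.oldest/latest.value_as_string
    and _shards.failed from the output table, plus one compact row per alert.
    The _source layout (signal.rule.*, host.name) is an assumption of this
    example based on the 7.x alert schema.
    """
    hits = body.get("hits", {})
    total = hits.get("total", {})
    aggs = body.get("aggregations", {})
    alerts: List[Dict[str, Any]] = []
    for hit in hits.get("hits", []):
        src = hit.get("_source", {})
        rule = src.get("signal", {}).get("rule", {})
        alerts.append({
            "id": hit.get("_id"),
            "rule": rule.get("name"),
            "risk_score": rule.get("risk_score"),
            "host": src.get("host", {}).get("name"),
        })
    return {
        "count": total.get("value", 0),
        # "eq" is an exact count; "gte" means Elasticsearch stopped counting
        "exact": total.get("relation") == "eq",
        "oldest": aggs.get("oldest", {}).get("value_as_string"),
        "latest": aggs.get("latest", {}).get("value_as_string"),
        # a failed shard means the count above may be incomplete
        "failed_shards": body.get("_shards", {}).get("failed", 0),
        "alerts": alerts,
    }


# Constructed sample response for an offline run (not captured from a live
# Kibana); field names follow the action's output table.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "took": 3, "timed_out": False,
    "_shards": {"total": 1, "successful": 1, "skipped": 0, "failed": 0},
    "hits": {
        "total": {"value": 2, "relation": "eq"}, "max_score": None,
        "hits": [
            {"_id": "a1", "_source": {"@timestamp": "2023-01-25T14:01:02.000Z",
             "host": {"name": "srv-03"},
             "signal": {"status": "open", "rule": {"name": "Suspicious PowerShell", "risk_score": 73}}}},
            {"_id": "b2", "_source": {"@timestamp": "2023-01-25T14:55:10.000Z",
             "host": {"name": "ws-17"},
             "signal": {"status": "open", "rule": {"name": "Credential Dumping", "risk_score": 99}}}},
        ],
    },
    "aggregations": {
        "oldest": {"value": 1674655262000, "value_as_string": "2023-01-25T14:01:02.000Z"},
        "latest": {"value": 1674658510000, "value_as_string": "2023-01-25T14:55:10.000Z"},
    },
}


if __name__ == "__main__":
    import json
    print(json.dumps(build_signals_query(), indent=2))
    print(json.dumps(summarize_signals(SAMPLE_RESPONSE), indent=2))
```

The `exact` and `failed_shards` fields are the two checks worth making before a playbook branches on the count: a `gte` relation or a failed shard means the number is a lower bound, not the number of open alerts.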