[Attack Discovery][Scheduling] Attack Discovery scheduling rule management (#12003) #216656
Conversation
Pinging @elastic/security-solution (Team: SecuritySolution)
@@ -35,6 +43,10 @@ export const getAttackDiscoveryBaseKibanaFeature = (): BaseKibanaFeatureConfig = | |||
all: [], | |||
read: [], | |||
}, | |||
alerting: { |
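Review bot: the hunk stops at `alerting: {` before the rule type ids and privilege levels beneath it are visible, so this excerpt alone does not show which alerting privileges the Attack Discovery feature grants. Since the intent is to mirror the detection alerts privileges from `kibana_features.ts`, a one-line comment above `alerting:` naming that source block would make the intended parity explicit for whoever next touches either file.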
Same privileges as we have for the detection alerts https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts#L95
expect(geoPointFieldStats.count).to.be(55); | ||
expect(geoPointFieldStats.index_count).to.be(12); | ||
expect(geoPointFieldStats.count).to.be(63); | ||
expect(geoPointFieldStats.index_count).to.be(13); |
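Review bot: the expected values in `expect(geoPointFieldStats.count).to.be(63)` and `expect(geoPointFieldStats.index_count).to.be(13)` are absolute totals across all indices, so every future alerts-as-data index that maps a `geo_point` field will break this assertion again. Consider asserting relative to a recorded baseline, or at least add a comment next to the numbers saying the increase comes from the new attack discovery alerts index, so the next bump is a one-line change with a known cause.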
Updated because we added a new attack discovery alerts AAD index that maps the ECS fields. Similarly to this https://github.com/elastic/kibana/pull/194322/files#r1781620194 and this https://github.com/elastic/kibana/pull/184541/files#r1628183656.
kibana-presentation integration test assertion update changes LGTM
code review only
Thanks @e40pud for the new scheduling APIs!
✅ Desk tested locally
LGTM 🚀
* License v3.0 only", or the "Server Side Public License, v 1". | ||
*/ | ||
// ---------------------------------- WARNING ---------------------------------- | ||
// this file was generated, and should not be edited by hand |
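Review bot: the header `this file was generated, and should not be edited by hand` does not say what generated it. Name the source field map and the script or FTR step that regenerates this file in that header, so a reader who needs to change the mappings knows to edit the field map and rerun the generator rather than patch the schema directly.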
Usually these files are generated from files with ES mappings, I believe mainly in the peer directory src/field_maps. Not seeing where it might have been generated for.
Which makes me wonder if we've defined mappings for these fields in the alerts documents. Perhaps this is done differently for security rules, or this is part of a feature branch where some of that work was already done.
In any case, we should make sure we have the ES mappings in place for these fields, if we want them indexed.
The mappings are defined in this file https://github.com/elastic/kibana/blob/main/x-pack/solutions/security/plugins/elastic_assistant/server/lib/attack_discovery/schedules/fields/field_map.ts.
I followed other solutions including security while adding these mappings and this new alert type. Similarly to o11y, ml, security, stack etc. the mappings are defined inside those solutions and the generated schemas then added via FTR test script inside the src/platform/packages/shared/kbn-alerts-as-data-utils/src/schemas/generated/.

Here is an example of similarly defined mappings https://github.com/elastic/kibana/blob/main/x-pack/solutions/observability/plugins/apm/server/routes/alerts/register_apm_rule_types.ts
…f `SecurityAttackdiscoveryAlertRequired`
I'm curious why a rule is used here instead of a task manager task. Task manager tasks are generally more open-ended, but there's also a lot of built-in stuff with rules like metrics, APM, logging, etc. Not a problem, just curious. @mikecote Code looks good to me, but I noticed you added it to our board last week. The rule executor is empty at the moment, so presumably that'll come in the future :-). Was wondering if there was anything specific to look for here ...
@pmuellr I think the PR scope might have changed since I added it. But I basically added it for a codeowners review. We should see a follow up PR soon for the rule type @e40pud ?
@mikecote correct. There will be a follow up PR and I will add you both to it to review. With this PR I setup rules management APIs and introduced a new rule type. @pmuellr we decided to move with the alerting framework rules because of:
LGTM
💛 Build succeeded, but was flaky
cc @e40pud
@e40pud thanks for the description of task vs rule. I was curious to see the wrapper over alerting client in The wrappers aren't doing much now, but in the future I imagine they will be doing some interesting things. Folks will be able to create a rule of this type outside of this wrapper, for example using the alerting HTTP APIs. As well as update, enable/disable, etc. I don't think we have a way of "hiding" rule types to prevent this sort of thing. Is that going to be ok? We added a capability to connectors to allow code to be run "around" some APIs - we only added what was needed at the time. And have talked about doing a similar sort of thing with rules. I can't find an issue to track that (so no plan to implement now), but am curious if something like that could essentially replace your existing wrapper.
ResponseOps changes (minimal) LGTM
kibana.jsonc changes LGTM
This wrapper is mostly to add some common utils in those wrappers and to align API differences:
Starting backport for target branches: 8.x
💔 All backports failed
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation.
…ement (elastic#12003) (elastic#216656)

## Summary

Main ticket ([Internal link](elastic/security-team#12003))

To allow users to schedule Attack Discovery generations, we will use either [Alerting Framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html). These changes add functionality to manage new alerts type - Attack Discovery Schedule.

### Introduced endpoints

- **Create** AD scheduling rule route: `POST /internal/elastic_assistant/attack_discovery/schedules`
- **Read/Get** AD scheduling rule by id route: `GET /internal/elastic_assistant/attack_discovery/schedules/{id}`
- **Update** AD scheduling rule by id route: `PUT /internal/elastic_assistant/attack_discovery/schedules/{id}`
- **Delete** AD scheduling rule by id route: `DELETE /internal/elastic_assistant/attack_discovery/schedules/{id}`
- **Enable** AD scheduling rule by id route: `POST /internal/elastic_assistant/attack_discovery/schedules/{id}/_enable`
- **Disable** AD scheduling rule by id route: `POST /internal/elastic_assistant/attack_discovery/schedules/{id}/_disable`
- **Find** all existing AD scheduling rules route: `GET /internal/elastic_assistant/attack_discovery/schedules/_find`

## NOTES

The feature is hidden behind the feature flag:

> xpack.securitySolution.enableExperimental: ['assistantAttackDiscoverySchedulingEnabled']

## cURL examples

<details>
<summary>Create AD scheduling rule route</summary>

```curl
curl --location 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'Content-Type: application/json' \
--data '{
  "name": "Test Schedule",
  "schedule": {
    "interval": "10m"
  },
  "params": {
    "alertsIndexPattern": ".alerts-security.alerts-default",
    "apiConfig": {
      "connectorId": "gpt-4o",
      "actionTypeId": ".gen-ai"
    },
    "end": "now",
    "size": 100,
    "start": "now-24h"
  }
}'
```

</details>

<details>
<summary>Read/Get AD scheduling rule by id route</summary>

```curl
curl --location 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/{id}' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

</details>

<details>
<summary>Update AD scheduling rule by id route</summary>

```curl
curl --location --request PUT 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/{id}' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution' \
--header 'Content-Type: application/json' \
--data '{
  "name": "Test Schedule - Updated",
  "schedule": {
    "interval": "123m"
  },
  "params": {
    "alertsIndexPattern": ".alerts-security.alerts-default",
    "apiConfig": {
      "connectorId": "gpt-4o",
      "actionTypeId": ".gen-ai"
    },
    "end": "now",
    "size": 35,
    "start": "now-24h"
  },
  "actions": []
}'
```

</details>

<details>
<summary>Delete AD scheduling rule by id route</summary>

```curl
curl --location --request DELETE 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/{id}' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

</details>

<details>
<summary>Enable AD scheduling rule by id route</summary>

```curl
curl --location --request POST 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/{id}/_enable' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

</details>

<details>
<summary>Disable AD scheduling rule by id route</summary>

```curl
curl --location --request POST 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/{id}/_disable' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

</details>

<details>
<summary>Find all existing AD scheduling rules route</summary>

```curl
curl --location 'http://localhost:5601/internal/elastic_assistant/attack_discovery/schedules/_find' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

</details>

---------

Co-authored-by: kibanamachine <[email protected]>

(cherry picked from commit fc11ca9)

# Conflicts:
#	x-pack/solutions/security/plugins/elastic_assistant/server/types.ts
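An added example, not code from this PR or from Kibana itself: a small TypeScript client for the schedule routes listed above, sending the three headers the cURL examples use and validating the request body before it leaves the client. The `Transport` type, the `INTERVAL_RE` duration format and the validation rules are assumptions of this example; the route paths, headers and sample body come from the PR description.

```typescript
// Added example (not from the Kibana PR): minimal typed client for the
// Attack Discovery schedule routes introduced in #216656. Route paths and
// header values are taken from the PR text; Transport and the validation
// rules below are this example's own assumptions.

type Method = 'GET' | 'POST' | 'PUT' | 'DELETE';

export interface ScheduleBody {
  name: string;
  schedule: { interval: string };
  params: {
    alertsIndexPattern: string;
    apiConfig: { connectorId: string; actionTypeId: string };
    start: string;
    end: string;
    size: number;
  };
  actions?: unknown[];
}

export interface HttpRequest {
  method: Method;
  url: string;
  headers: Record<string, string>;
  body?: string;
}

// Injected transport (e.g. a thin wrapper over fetch) so the client can run offline.
export type Transport = (req: HttpRequest) => Promise<{ status: number; body: unknown }>;

const ROUTE_PREFIX = '/internal/elastic_assistant/attack_discovery/schedules';

// Headers every call in the PR's cURL examples carries.
const BASE_HEADERS: Record<string, string> = {
  'kbn-xsrf': 'true',                               // Kibana's CSRF guard for non-GET routes
  'elastic-api-version': '1',                       // versioned internal route
  'x-elastic-internal-origin': 'security-solution', // required on internal-origin routes
};

// Duration string: integer count plus s/m/h/d unit, e.g. "10m" (assumed format).
const INTERVAL_RE = /^[1-9]\d*[smhd]$/;

export function validateScheduleBody(body: ScheduleBody): string[] {
  const errors: string[] = [];
  const p = body.params;
  if (body.name.trim() === '') errors.push('name must not be empty');
  if (!INTERVAL_RE.test(body.schedule.interval)) errors.push(`invalid interval "${body.schedule.interval}"`);
  if (!p.alertsIndexPattern.startsWith('.alerts-')) errors.push('alertsIndexPattern must target an alerts index');
  if (p.apiConfig.connectorId === '') errors.push('apiConfig.connectorId is required');
  if (!p.apiConfig.actionTypeId.startsWith('.')) errors.push('apiConfig.actionTypeId must be an action type id such as .gen-ai');
  if (!Number.isInteger(p.size) || p.size <= 0) errors.push('size must be a positive integer');
  return errors;
}

export function buildRequest(kibanaUrl: string, method: Method, path: string, body?: ScheduleBody): HttpRequest {
  const headers: Record<string, string> = { ...BASE_HEADERS };
  const req: HttpRequest = { method, url: `${kibanaUrl}${ROUTE_PREFIX}${path}`, headers };
  if (body !== undefined) {
    headers['Content-Type'] = 'application/json';
    req.body = JSON.stringify(body);
  }
  return req;
}

export class AttackDiscoveryScheduleClient {
  constructor(private readonly kibanaUrl: string, private readonly send: Transport) {}

  private async call(method: Method, path: string, body?: ScheduleBody): Promise<unknown> {
    if (body !== undefined) {
      const errors = validateScheduleBody(body);
      if (errors.length > 0) throw new Error(`invalid schedule: ${errors.join('; ')}`);
    }
    const res = await this.send(buildRequest(this.kibanaUrl, method, path, body));
    if (res.status >= 400) throw new Error(`${method} ${path} failed with HTTP ${res.status}`);
    return res.body;
  }

  create(body: ScheduleBody): Promise<unknown> { return this.call('POST', '', body); }
  get(id: string): Promise<unknown> { return this.call('GET', `/${encodeURIComponent(id)}`); }
  update(id: string, body: ScheduleBody): Promise<unknown> { return this.call('PUT', `/${encodeURIComponent(id)}`, body); }
  delete(id: string): Promise<unknown> { return this.call('DELETE', `/${encodeURIComponent(id)}`); }
  enable(id: string): Promise<unknown> { return this.call('POST', `/${encodeURIComponent(id)}/_enable`); }
  disable(id: string): Promise<unknown> { return this.call('POST', `/${encodeURIComponent(id)}/_disable`); }
  find(): Promise<unknown> { return this.call('GET', '/_find'); }
}

// Constructed sample body, mirroring the "Create" cURL example in the PR description.
export const SAMPLE_BODY: ScheduleBody = {
  name: 'Test Schedule',
  schedule: { interval: '10m' },
  params: {
    alertsIndexPattern: '.alerts-security.alerts-default',
    apiConfig: { connectorId: 'gpt-4o', actionTypeId: '.gen-ai' },
    start: 'now-24h',
    end: 'now',
    size: 100,
  },
};
```

Because the transport is injected, the same client can be pointed at a recording stub in tests and at a real HTTP transport against a local Kibana.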
… management (#12003) (#216656) (#217794)

# Backport

This will backport the following commits from `main` to `8.x`:

- [[Attack Discovery][Scheduling] Attack Discovery scheduling rule management (#12003) (#216656)](#216656)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)