elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution][Actions] - Actions are not consistently migrating on rule disable/enable post 8.0 upgrade #127918

Closed yctercero closed 2 years ago

yctercero commented 2 years ago

Summary

Detection rule actions are migrated on rule touch or enable. Because detections requires users to disable their rules prior to 8.0 migration, we theorized that upon enabling rules post migration, the rule's actions would be migrated. That means that we should see 0 enabled rules with legacy actions. However, thanks to Frank's work with telemetry, we saw that this is not the case. Still unclear what the culprit is.

Telemetry actions dashboard (screenshot omitted)

Steps to reproduce

Gets the siem sidecar actions

GET .kibana/_search
{
  "query": {
    "term": {
      "type": {
        "value": "siem-detection-engine-rule-actions"
      }
    }
  }
}

Gets the rules pre 8.0

For legacy actions with an interval other than on every rule run, the actions array is empty, throttle : null, and notifyWhen : onActiveAlert.

GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.signals"
    }
  }
}

Gets the query rules post 8.0

For NON legacy actions that have successfully migrated actions, the actions array is filled out on the rule, the throttle corresponds to the selected interval and notifyWhen: onThrottleInterval.

GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.queryRule"
    }
  }
}


- Upgrade to 8.0 - if you don’t manually disable your rules, we programmatically disable them for you
- Before enabling your rules in 8.0, check again to see if the legacy actions are there (they should be since migration should occur on enable)
- Enable your rules and run the queries again in dev tools. You should now see 0 results.

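As an added example (not code from the issue or from Kibana), the script below implements the check this comment describes offline: it cross-references siem-detection-engine-rule-actions sidecars with the alert saved objects and reports enabled rules whose actions never moved onto the rule, sidecars that survived a successful migration (the cleanup gap raised later in the thread), and rules whose throttle/notifyWhen do not match the legacy interval. The input hits are constructed to mirror the dev-tools output quoted in the thread; the rule ids, the connector id and the status labels are assumptions of the example. It accepts both sidecar shapes visible on the page: ruleAlertId inline (migrationVersion 7.11.2) and a references entry named alert_0 (7.16.0).

```python
"""Added example, not code from the issue or from Kibana: audit .kibana search
hits for Security Solution rules whose legacy (pre-8.0) action sidecars were
never migrated onto the rule, and for sidecars the migration left behind."""
from typing import Dict, List, Optional

SIDECAR_TYPE = "siem-detection-engine-rule-actions"

def expected_rule_fields(sidecar: dict) -> dict:
    """Per the thread: 'rule' (every run) keeps throttle null / onActiveAlert;
    an interval (1h, 1d, 7d) becomes throttle=<interval> / onThrottleInterval."""
    throttle = sidecar["ruleThrottle"]
    if throttle in ("no_actions", "rule"):
        return {"throttle": None, "notifyWhen": "onActiveAlert"}
    return {"throttle": throttle, "notifyWhen": "onThrottleInterval"}

def sidecar_rule_id(source: dict) -> Optional[str]:
    """7.11.2-era sidecars carry ruleAlertId inline; 7.16.0-era ones point at
    the rule through references[type=alert, name=alert_0]."""
    inline = source[SIDECAR_TYPE].get("ruleAlertId")
    if inline:
        return inline
    for ref in source.get("references", []):
        if ref.get("type") == "alert" and ref.get("name") == "alert_0":
            return ref["id"]
    return None

def index_hits(hits: List[dict]):
    """Split hits into detection rules (by alert id) and sidecars (by rule id)."""
    rules, sidecars = {}, {}
    for hit in hits:
        src = hit["_source"]
        if src["type"] == "alert":
            alert = src["alert"]  # siem.notifications is the legacy notifier, not a rule
            if alert["consumer"] == "siem" and alert["alertTypeId"] != "siem.notifications":
                rules[hit["_id"].split(":", 1)[1]] = alert
        elif src["type"] == SIDECAR_TYPE and sidecar_rule_id(src):
            sidecars[sidecar_rule_id(src)] = src[SIDECAR_TYPE]
    return rules, sidecars

def audit(hits: List[dict]) -> Dict[str, dict]:
    """One finding per sidecar still present; a fully migrated rule yields none."""
    rules, sidecars = index_hits(hits)
    findings = {}
    for rule_id, sidecar in sidecars.items():
        rule = rules.get(rule_id)
        if rule is None:
            findings[rule_id] = {"status": "orphan_sidecar"}
            continue
        legacy = sidecar["ruleThrottle"]
        f = {"enabled": rule["enabled"], "alertTypeId": rule["alertTypeId"], "legacyThrottle": legacy}
        if legacy == "no_actions":
            f["status"] = "no_actions_pending_cleanup"
        elif legacy == "rule" or not rule["actions"]:
            # with 'rule' throttle the actions already sit on the rule, so the
            # surviving sidecar is the only sign that the migration has not run
            f["status"] = "unmigrated"
        else:
            f["expected"] = expected_rule_fields(sidecar)
            f["actual"] = {k: rule.get(k) for k in f["expected"]}
            f["status"] = "migrated_sidecar_left_behind" if f["actual"] == f["expected"] else "migrated_field_mismatch"
        findings[rule_id] = f
    return findings

def enabled_rules_with_legacy_actions(hits: List[dict]) -> List[str]:
    """The count the issue expects to be zero once rules are re-enabled."""
    return sorted(r for r, f in audit(hits).items() if f["status"] == "unmigrated" and f["enabled"])

# --- constructed sample documents; rule ids and the connector id are made up ---
EMAIL_ACTION = {"group": "default", "id": "conn-1", "action_type_id": ".email",
                "params": {"to": ["test@test.com"], "subject": "Test Actions",
                           "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"}}

def rule_doc(rule_id, alert_type, enabled, actions, throttle, notify_when):
    return {"_id": f"alert:{rule_id}", "_source": {"type": "alert", "alert": {
        "alertTypeId": alert_type, "consumer": "siem", "enabled": enabled,
        "actions": actions, "throttle": throttle, "notifyWhen": notify_when}}}

def sidecar_doc(rule_id, rule_throttle, actions, inline_id=True):
    body = {"ruleThrottle": rule_throttle, "actions": actions,
            "alertThrottle": None if rule_throttle in ("no_actions", "rule") else rule_throttle}
    refs = [] if inline_id else [{"id": rule_id, "type": "alert", "name": "alert_0"}]
    if inline_id:
        body["ruleAlertId"] = rule_id
    return {"_id": f"{SIDECAR_TYPE}:{rule_id}-actions",
            "_source": {"type": SIDECAR_TYPE, SIDECAR_TYPE: body, "references": refs}}

SAMPLE_HITS = [
    rule_doc("rule-a", "siem.signals", True, [], None, "onActiveAlert"),      # re-enabled, never migrated (this issue)
    sidecar_doc("rule-a", "1h", [EMAIL_ACTION]),
    rule_doc("rule-b", "siem.queryRule", True, [EMAIL_ACTION], "1d", "onThrottleInterval"),  # migrated, sidecar not deleted
    sidecar_doc("rule-b", "1d", [EMAIL_ACTION], inline_id=False),
    rule_doc("rule-c", "siem.signals", False, [], None, "onActiveAlert"),     # disabled, nothing to migrate
    sidecar_doc("rule-c", "no_actions", []),
    rule_doc("rule-d", "siem.queryRule", True, [EMAIL_ACTION], "7d", "onThrottleInterval"),  # fully migrated
    sidecar_doc("rule-e", "7d", [EMAIL_ACTION]),                              # rule is gone
    rule_doc("rule-f", "siem.queryRule", True, [EMAIL_ACTION], None, "onActiveAlert"),  # what QA saw
    sidecar_doc("rule-f", "1h", [EMAIL_ACTION], inline_id=False),
]

if __name__ == "__main__":
    for rid, finding in sorted(audit(SAMPLE_HITS).items()):
        print(rid, finding["status"])
    print("enabled rules with legacy actions:", enabled_rules_with_legacy_actions(SAMPLE_HITS))
```

To use it against a real cluster, run the three dev-tools queries above, concatenate the hits arrays, and pass the list to audit(); whatever enabled_rules_with_legacy_actions() returns is the population behind the non-zero telemetry count this issue is about.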
elasticmachine commented 2 years ago

Pinging @elastic/security-solution (Team: SecuritySolution)

yctercero commented 2 years ago

Updates after some testing --

Steps taken:

{
  "took" : 2,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 4,
      "relation" : "eq"
    },
    "max_score" : 0.41443375,
    "hits" : [
      {
        "_index" : ".kibana_7.15.3_001",
        "_type" : "_doc",
        "_id" : "alert:d1588970-a949-11ec-81a1-1d8de8a0946c",
        "_score" : 0.41443375,
        "_source" : {
          "alert" : {
            "name" : "Test w/ legacy action 2",
            "tags" : [
              "__internal_rule_id:aad7ca41-345e-4252-b6ae-ccfb09db2cc9",
              "__internal_immutable:false"
            ],
            "alertTypeId" : "siem.signals",
            "consumer" : "siem",
            "params" : {
              "author" : [ ],
              "description" : "a",
              "falsePositives" : [ ],
              "from" : "now-360s",
              "license" : "",
              "outputIndex" : ".siem-signals-default",
              "meta" : {
                "from" : "1m",
                "kibana_siem_app_url" : "https://13c1c06d62384661bb6a63ab8e44ed02.us-central1.gcp.foundit.no:9243/app/security"
              },
              "maxSignals" : 100,
              "riskScore" : 21,
              "riskScoreMapping" : [ ],
              "severity" : "low",
              "severityMapping" : [ ],
              "threat" : [ ],
              "to" : "now",
              "references" : [ ],
              "version" : 2,
              "exceptionsList" : [ ],
              "ruleId" : "aad7ca41-345e-4252-b6ae-ccfb09db2cc9",
              "immutable" : false,
              "query" : "*:*",
              "language" : "kuery",
              "filters" : [ ],
              "index" : [
                "apm-*-transaction*",
                "traces-apm*",
                "auditbeat-*",
                "endgame-*",
                "filebeat-*",
                "logs-*",
                "packetbeat-*",
                "winlogbeat-*"
              ],
              "type" : "query"
            },
            "schedule" : {
              "interval" : "5m"
            },
            "enabled" : true,
            "actions" : [ ],
            "throttle" : null,
            "notifyWhen" : "onActiveAlert",
            "apiKeyOwner" : "1311967740",
            "apiKey" : "85VAXNHt2yGRVpFxDIlJVeqtRmNyFhEyRkXcVLCjFcYThavsOkNQdz1nQPArrgFP4qINhbmvrEHBbb2cMR6qOtIYcMq0XtODal+f9vACOHlAxHAZ4YF+FXCf7Ar+hxn6E6iVsRvHIzpo7LjLv+8I9ucczd52bCPtFOgRLAKQ0ecURKgps100JRyHIfVhcDQCRxEHGYIVo8nucg==",
            "createdBy" : "1311967740",
            "updatedBy" : "1311967740",
            "createdAt" : "2022-03-21T19:05:05.168Z",
            "updatedAt" : "2022-03-21T19:05:36.829Z",
            "muteAll" : false,
            "mutedInstanceIds" : [ ],
            "executionStatus" : {
              "status" : "ok",
              "lastExecutionDate" : "2022-03-21T19:05:40.549Z",
              "error" : null
            },
            "meta" : {
              "versionApiKeyLastmodified" : "7.15.3-SNAPSHOT"
            },
            "scheduledTaskId" : "e4a9e910-a949-11ec-81a1-1d8de8a0946c"
          },
          "type" : "alert",
          "references" : [ ],
          "migrationVersion" : {
            "alert" : "7.15.0"
          },
          "coreMigrationVersion" : "7.15.3",
          "updated_at" : "2022-03-21T19:05:43.648Z"
        }
      },
      {
        "_index" : ".kibana_7.15.3_001",
        "_type" : "_doc",
        "_id" : "alert:ebf9b4c0-a949-11ec-81a1-1d8de8a0946c",
        "_score" : 0.41443375,
        "_source" : {
          "alert" : {
            "name" : "Test w/ legacy action 3",
            "tags" : [
              "__internal_rule_id:c0521582-6b86-498d-89c2-a01001284340",
              "__internal_immutable:false"
            ],
            "alertTypeId" : "siem.signals",
            "consumer" : "siem",
            "params" : {
              "author" : [ ],
              "description" : "a",
              "falsePositives" : [ ],
              "from" : "now-360s",
              "license" : "",
              "outputIndex" : ".siem-signals-default",
              "meta" : {
                "from" : "1m",
                "kibana_siem_app_url" : "https://13c1c06d62384661bb6a63ab8e44ed02.us-central1.gcp.foundit.no:9243/app/security"
              },
              "maxSignals" : 100,
              "riskScore" : 21,
              "riskScoreMapping" : [ ],
              "severity" : "low",
              "severityMapping" : [ ],
              "threat" : [ ],
              "to" : "now",
              "references" : [ ],
              "version" : 2,
              "exceptionsList" : [ ],
              "ruleId" : "c0521582-6b86-498d-89c2-a01001284340",
              "immutable" : false,
              "query" : "*:*",
              "language" : "kuery",
              "filters" : [ ],
              "index" : [
                "apm-*-transaction*",
                "traces-apm*",
                "auditbeat-*",
                "endgame-*",
                "filebeat-*",
                "logs-*",
                "packetbeat-*",
                "winlogbeat-*"
              ],
              "type" : "query"
            },
            "schedule" : {
              "interval" : "5m"
            },
            "enabled" : true,
            "actions" : [ ],
            "throttle" : null,
            "notifyWhen" : "onActiveAlert",
            "apiKeyOwner" : "1311967740",
            "apiKey" : "PwhVOu4/yy231AQTxKt8WA+KMwPWAJu78KA3n63RnvpUm1OrjAa+62/39pGYrGvV/4N8cCaE6MuW3jMv1UrNgBelAgbxuRgWi+UNrA9nbYdfZN7BT6aDFOLfLnO8xSliOUPlqjZNB4onDRoDAorvWUmhnEbz+al9pYLdhxhMXEN8b9SLSyyDV888b4LaCu93wNlIlzlBfJkysQ==",
            "createdBy" : "1311967740",
            "updatedBy" : "1311967740",
            "createdAt" : "2022-03-21T19:05:49.846Z",
            "updatedAt" : "2022-03-21T19:06:24.772Z",
            "muteAll" : false,
            "mutedInstanceIds" : [ ],
            "executionStatus" : {
              "status" : "ok",
              "lastExecutionDate" : "2022-03-21T19:06:28.564Z",
              "error" : null
            },
            "meta" : {
              "versionApiKeyLastmodified" : "7.15.3-SNAPSHOT"
            },
            "scheduledTaskId" : "0162a9c0-a94a-11ec-81a1-1d8de8a0946c"
          },
          "type" : "alert",
          "references" : [ ],
          "migrationVersion" : {
            "alert" : "7.15.0"
          },
          "coreMigrationVersion" : "7.15.3",
          "updated_at" : "2022-03-21T19:06:31.508Z"
        }
      },
      {
        "_index" : ".kibana_7.15.3_001",
        "_type" : "_doc",
        "_id" : "alert:ebf9b4c1-a949-11ec-81a1-1d8de8a0946c",
        "_score" : 0.41443375,
        "_source" : {
          "alert" : {
            "name" : "Test w/ legacy action 4",
            "tags" : [
              "__internal_rule_id:628f1b7f-dc04-45ad-914f-63de9c0c8cad",
              "__internal_immutable:false"
            ],
            "alertTypeId" : "siem.signals",
            "consumer" : "siem",
            "params" : {
              "author" : [ ],
              "description" : "a",
              "ruleId" : "628f1b7f-dc04-45ad-914f-63de9c0c8cad",
              "falsePositives" : [ ],
              "from" : "now-360s",
              "immutable" : false,
              "license" : "",
              "outputIndex" : ".siem-signals-default",
              "meta" : {
                "from" : "1m",
                "kibana_siem_app_url" : "https://13c1c06d62384661bb6a63ab8e44ed02.us-central1.gcp.foundit.no:9243/app/security"
              },
              "maxSignals" : 100,
              "riskScore" : 21,
              "riskScoreMapping" : [ ],
              "severity" : "low",
              "severityMapping" : [ ],
              "threat" : [ ],
              "to" : "now",
              "references" : [ ],
              "version" : 3,
              "exceptionsList" : [ ],
              "type" : "query",
              "language" : "kuery",
              "index" : [
                "apm-*-transaction*",
                "traces-apm*",
                "auditbeat-*",
                "endgame-*",
                "filebeat-*",
                "logs-*",
                "packetbeat-*",
                "winlogbeat-*"
              ],
              "query" : "*:*",
              "filters" : [ ]
            },
            "schedule" : {
              "interval" : "5m"
            },
            "enabled" : false,
            "actions" : [ ],
            "throttle" : null,
            "notifyWhen" : "onActiveAlert",
            "apiKeyOwner" : null,
            "apiKey" : null,
            "createdBy" : "1311967740",
            "updatedBy" : "1311967740",
            "createdAt" : "2022-03-21T19:05:49.849Z",
            "updatedAt" : "2022-03-21T19:06:42.899Z",
            "muteAll" : false,
            "mutedInstanceIds" : [ ],
            "executionStatus" : {
              "status" : "pending",
              "lastExecutionDate" : "2022-03-21T19:05:49.849Z",
              "error" : null
            },
            "meta" : {
              "versionApiKeyLastmodified" : "7.15.3-SNAPSHOT"
            }
          },
          "type" : "alert",
          "references" : [ ],
          "migrationVersion" : {
            "alert" : "7.15.0"
          },
          "coreMigrationVersion" : "7.15.3",
          "updated_at" : "2022-03-21T19:06:42.899Z"
        }
      },
      {
        "_index" : ".kibana_7.15.3_001",
        "_type" : "_doc",
        "_id" : "alert:c718f0d0-a949-11ec-81a1-1d8de8a0946c",
        "_score" : 0.41443375,
        "_source" : {
          "alert" : {
            "name" : "Test w/ legacy action",
            "tags" : [
              "__internal_rule_id:41701350-e09e-4baa-a71f-7d6f1be22a96",
              "__internal_immutable:false"
            ],
            "alertTypeId" : "siem.signals",
            "consumer" : "siem",
            "params" : {
              "author" : [ ],
              "description" : "a",
              "ruleId" : "41701350-e09e-4baa-a71f-7d6f1be22a96",
              "falsePositives" : [ ],
              "from" : "now-360s",
              "immutable" : false,
              "license" : "",
              "outputIndex" : ".siem-signals-default",
              "meta" : {
                "from" : "1m",
                "kibana_siem_app_url" : "https://13c1c06d62384661bb6a63ab8e44ed02.us-central1.gcp.foundit.no:9243/app/security"
              },
              "maxSignals" : 100,
              "riskScore" : 21,
              "riskScoreMapping" : [ ],
              "severity" : "low",
              "severityMapping" : [ ],
              "threat" : [ ],
              "to" : "now",
              "references" : [ ],
              "version" : 1,
              "exceptionsList" : [ ],
              "type" : "query",
              "language" : "kuery",
              "index" : [
                "apm-*-transaction*",
                "traces-apm*",
                "auditbeat-*",
                "endgame-*",
                "filebeat-*",
                "logs-*",
                "packetbeat-*",
                "winlogbeat-*"
              ],
              "query" : "*:*",
              "filters" : [ ]
            },
            "schedule" : {
              "interval" : "5m"
            },
            "enabled" : true,
            "actions" : [ ],
            "throttle" : null,
            "notifyWhen" : "onActiveAlert",
            "apiKeyOwner" : "1311967740",
            "apiKey" : "iQ9OUTir2k5ForgmwQU5ri/5dbM2FgkgxuMZt1E6kI3DaeNdqw4yGidjOFW7ovXct/SXq0pS1tiDhLoXk0L25L8dyo7HFTiEjl+/gatfKq9mdpKKl6hYCMK5dPcU2UvvCbGEcAMUaj0JRJGvmPUIqhvUpb9Y0yM/F7J6G/I5FKkGQL4PV1HtF4v5YDUWhB1ITFhWfTsdqVAs4g==",
            "createdBy" : "1311967740",
            "updatedBy" : "1311967740",
            "createdAt" : "2022-03-21T19:04:48.775Z",
            "updatedAt" : "2022-03-21T19:04:48.775Z",
            "muteAll" : false,
            "mutedInstanceIds" : [ ],
            "executionStatus" : {
              "status" : "ok",
              "lastExecutionDate" : "2022-03-21T19:09:52.558Z",
              "error" : null
            },
            "meta" : {
              "versionApiKeyLastmodified" : "7.15.3-SNAPSHOT"
            },
            "scheduledTaskId" : "c7ecbb90-a949-11ec-81a1-1d8de8a0946c"
          },
          "type" : "alert",
          "references" : [ ],
          "migrationVersion" : {
            "alert" : "7.15.0"
          },
          "coreMigrationVersion" : "7.15.3",
          "updated_at" : "2022-03-21T19:09:54.680Z"
        }
      }
    ]
  }
}

Dev Tools Actions Sidecars Search

```json
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : { "total" : 1, "successful" : 1, "skipped" : 0, "failed" : 0 },
  "hits" : {
    "total" : { "value" : 4, "relation" : "eq" },
    "max_score" : 5.3501105,
    "hits" : [
      {
        "_index" : ".kibana_7.15.3_001",
        "_type" : "_doc",
        "_id" : "siem-detection-engine-rule-actions:c889e5f0-a949-11ec-81a1-1d8de8a0946c",
        "_score" : 5.3501105,
        "_source" : {
          "siem-detection-engine-rule-actions" : {
            "ruleAlertId" : "c718f0d0-a949-11ec-81a1-1d8de8a0946c",
            "actions" : [
              {
                "group" : "default",
                "id" : "c3e9a9e0-a949-11ec-81a1-1d8de8a0946c",
                "params" : {
                  "message" : "Rule {{context.rule.name}} generated {{state.signals_count}} alerts",
                  "to" : [ "test@test.com" ],
                  "subject" : "Test Actions"
                },
                "action_type_id" : ".email"
              }
            ],
            "ruleThrottle" : "1h",
            "alertThrottle" : "1h"
          },
          "type" : "siem-detection-engine-rule-actions",
          "references" : [ ],
          "migrationVersion" : { "siem-detection-engine-rule-actions" : "7.11.2" },
          "coreMigrationVersion" : "7.15.3",
          "updated_at" : "2022-03-21T19:04:50.397Z"
        }
      },
      {
        "_index" : ".kibana_7.15.3_001",
        "_type" : "_doc",
        "_id" : "siem-detection-engine-rule-actions:d1e58730-a949-11ec-81a1-1d8de8a0946c",
        "_score" : 5.3501105,
        "_source" : {
          "siem-detection-engine-rule-actions" : {
            "ruleAlertId" : "d1588970-a949-11ec-81a1-1d8de8a0946c",
            "actions" : [
              {
                "action_type_id" : ".email",
                "id" : "c3e9a9e0-a949-11ec-81a1-1d8de8a0946c",
                "params" : {
                  "subject" : "Test Actions",
                  "to" : [ "test@test.com" ],
                  "message" : "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
                },
                "group" : "default"
              }
            ],
            "ruleThrottle" : "1d",
            "alertThrottle" : "1d"
          },
          "type" : "siem-detection-engine-rule-actions",
          "references" : [ ],
          "migrationVersion" : { "siem-detection-engine-rule-actions" : "7.11.2" },
          "coreMigrationVersion" : "7.15.3",
          "updated_at" : "2022-03-21T19:05:38.609Z"
        }
      },
      {
        "_index" : ".kibana_7.15.3_001",
        "_type" : "_doc",
        "_id" : "siem-detection-engine-rule-actions:ec785aa0-a949-11ec-81a1-1d8de8a0946c",
        "_score" : 5.3501105,
        "_source" : {
          "siem-detection-engine-rule-actions" : {
            "ruleAlertId" : "ebf9b4c0-a949-11ec-81a1-1d8de8a0946c",
            "actions" : [
              {
                "action_type_id" : ".email",
                "id" : "c3e9a9e0-a949-11ec-81a1-1d8de8a0946c",
                "params" : {
                  "subject" : "Test Actions",
                  "to" : [ "test@test.com" ],
                  "message" : "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
                },
                "group" : "default"
              }
            ],
            "ruleThrottle" : "7d",
            "alertThrottle" : "7d"
          },
          "type" : "siem-detection-engine-rule-actions",
          "references" : [ ],
          "migrationVersion" : { "siem-detection-engine-rule-actions" : "7.11.2" },
          "coreMigrationVersion" : "7.15.3",
          "updated_at" : "2022-03-21T19:06:26.794Z"
        }
      },
      {
        "_index" : ".kibana_7.15.3_001",
        "_type" : "_doc",
        "_id" : "siem-detection-engine-rule-actions:ec78a8c0-a949-11ec-81a1-1d8de8a0946c",
        "_score" : 5.3501105,
        "_source" : {
          "siem-detection-engine-rule-actions" : {
            "ruleAlertId" : "ebf9b4c1-a949-11ec-81a1-1d8de8a0946c",
            "actions" : [ ],
            "ruleThrottle" : "no_actions",
            "alertThrottle" : null
          },
          "type" : "siem-detection-engine-rule-actions",
          "references" : [ ],
          "migrationVersion" : { "siem-detection-engine-rule-actions" : "7.11.2" },
          "coreMigrationVersion" : "7.15.3",
          "updated_at" : "2022-03-21T19:06:43.868Z"
        }
      }
    ]
  }
}
```

TLDR

Todos

yctercero commented 2 years ago

This PR addresses the to do from the first round of testing. It updates the 8.1 bulk routes to include the action migration logic.

https://github.com/elastic/kibana/pull/128518

banderror commented 2 years ago

When testing https://github.com/elastic/kibana/pull/128518 I noticed that it seems like there's some cleanup logic missing in the legacyMigrate function, because it leaves siem-detection-engine-rule-actions sidecar saved objects in the index in some cases.

More details in https://github.com/elastic/kibana/pull/128518#issuecomment-1082230439

yctercero commented 2 years ago

Fix is in this PR - https://github.com/elastic/kibana/pull/130511

yctercero commented 2 years ago

@MadameSheema ready for 8.3 QA check - instructions on testing can be found in PR description. Thanks so much!

ghost commented 2 years ago

Hi Team,

We have validated above issue on 8.3.0 BC3 and it's not fixed. 🔴

Build Details

VERSION: 8.3.0 BC3
BUILD: 53272
COMMIT:  7a0df2bca36ced2a898420cbb193a9dba0782a7a

Screenshots: (five screenshots from 2022-06-08, omitted)

Thanks !

yctercero commented 2 years ago

@karanverma-qasource - can you give a bit more details as to what steps you took and what the screenshots are showing? Like what actions are those rules supposed to have?

ghost commented 2 years ago

Hi @yctercero,

I have followed the steps mentioned in this PR. As per the steps, after upgrading to 8.3.0 and running the query below:

GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.queryRule"
    }
  }
}

We should get a throttle that corresponds to the selected interval and notifyWhen: onThrottleInterval, but here we are getting throttle as null and notifyWhen as onActiveAlert. The actions I have used are "None, Rule Run, Hourly, Daily, Weekly".

Please let us know if we are missing something.

Thanks!

MadameSheema commented 2 years ago

@yctercero @karanverma-qasource any update on this?

ghost commented 2 years ago

@MadameSheema No update received till now.

yctercero commented 2 years ago

Sorry, lost this a bit after PTO. I'll take a look today.

yctercero commented 2 years ago

@karanverma-qasource sorry, but can you give more details as to how you re-enabled the rules in 8.3? Was it via bulk actions? Just editing the rule? Or one by one? I'm still not able to reproduce this. If you could share the following information, similar to below, that would help. These are the results I got.

After migrating, they appear to have the expected fields.

| Actions | Post migrated rule |
| --- | --- |
| Rule run | siem-detection-engine-rule-actions DELETED; actions continue to live on rule params; throttle is null; notifyWhen is onActiveAlert |
| Hourly | siem-detection-engine-rule-actions DELETED; siem.notifications DELETED; actions moved to live on rule params; throttle is 1h; notifyWhen is onThrottleInterval |
| Daily | siem-detection-engine-rule-actions DELETED; siem.notifications DELETED; actions moved to live on rule params; throttle is 1d; notifyWhen is onThrottleInterval |
| Weekly | siem-detection-engine-rule-actions DELETED; siem.notifications DELETED; actions moved to live on rule params; throttle is 7d; notifyWhen is onThrottleInterval |

7.15.3

## Gets the alerting rule type created for the legacy action
GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.notifications"
    }
  }
}
Query results:

```json
{
  "took" : 2,
  "timed_out" : false,
  "_shards" : { "total" : 1, "successful" : 1, "skipped" : 0, "failed" : 0 },
  "hits" : {
    "total" : { "value" : 3, "relation" : "eq" },
    "max_score" : 1.2321435,
    "hits" : [
      {
        "_index" : ".kibana_7.17.5_001",
        "_type" : "_doc",
        "_id" : "alert:3d7ee400-f8c3-11ec-b16f-93bfaa093d8c",
        "_score" : 1.2321435,
        "_source" : {
          "alert" : {
            "name" : "Hourly",
            "tags" : [ "__internal_rule_alert_id:3b1e5ec0-f8c3-11ec-b16f-93bfaa093d8c" ],
            "alertTypeId" : "siem.notifications",
            "consumer" : "siem",
            "params" : { "ruleAlertId" : "3b1e5ec0-f8c3-11ec-b16f-93bfaa093d8c" },
            "schedule" : { "interval" : "1h" },
            "enabled" : true,
            "actions" : [
              {
                "group" : "default",
                "params" : { "message" : "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" },
                "actionTypeId" : ".slack",
                "actionRef" : "action_0"
              }
            ],
            "throttle" : null,
            "notifyWhen" : "onActiveAlert",
            "apiKeyOwner" : "1311967740",
            "apiKey" : "WzmQ+MCa5EZ4XU5o1E+NrwzVs8SjilCfJ293ZhEV3iznOrUMq6idX1Eh7kEXqJgssR5Lz4OW9LoTU7Wodp2unkPReF2w9Xtvcacpcfmuoiq7mY+D7PXAPoTSPWa7sDlKMWahLUN56szIxKNYicR+i5il3rb25N+k2FIwa7JM/AEb+jG47y/FijBdPV0N3NuO4iBDps1jy6mfNA==",
            "createdBy" : "1311967740",
            "updatedBy" : "1311967740",
            "createdAt" : "2022-06-30T22:23:18.532Z",
            "updatedAt" : "2022-06-30T22:23:18.532Z",
            "muteAll" : false,
            "mutedInstanceIds" : [ ],
            "executionStatus" : { "status" : "ok", "lastExecutionDate" : "2022-06-30T22:23:21.809Z", "error" : null },
            "meta" : { "versionApiKeyLastmodified" : "7.15.2" },
            "scheduledTaskId" : "3eaa44a0-f8c3-11ec-b16f-93bfaa093d8c",
            "legacyId" : "3d7ee400-f8c3-11ec-b16f-93bfaa093d8c"
          },
          "type" : "alert",
          "references" : [
            { "id" : "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "name" : "action_0", "type" : "action" },
            { "id" : "3b1e5ec0-f8c3-11ec-b16f-93bfaa093d8c", "name" : "param:alert_0", "type" : "alert" }
          ],
          "migrationVersion" : { "alert" : "7.16.0" },
          "coreMigrationVersion" : "7.17.5",
          "updated_at" : "2022-06-30T22:23:21.890Z"
        }
      },
      {
        "_index" : ".kibana_7.17.5_001",
        "_type" : "_doc",
        "_id" : "alert:526eb160-f8c3-11ec-b16f-93bfaa093d8c",
        "_score" : 1.2321435,
        "_source" : {
          "alert" : {
            "name" : "Daily",
            "tags" : [ "__internal_rule_alert_id:50342ab0-f8c3-11ec-b16f-93bfaa093d8c" ],
            "alertTypeId" : "siem.notifications",
            "consumer" : "siem",
            "params" : { "ruleAlertId" : "50342ab0-f8c3-11ec-b16f-93bfaa093d8c" },
            "schedule" : { "interval" : "1d" },
            "enabled" : true,
            "actions" : [
              {
                "group" : "default",
                "params" : { "message" : "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" },
                "actionTypeId" : ".slack",
                "actionRef" : "action_0"
              }
            ],
            "throttle" : null,
            "notifyWhen" : "onActiveAlert",
            "apiKeyOwner" : "1311967740",
            "apiKey" : "cGd1S2lb0IsOt1uSbxEMJU2+yhdN6oJ4g4DqDUKoM3Rfw02UrvKWfl49bRC8EV9rgfvdSrwyGojbTrHV+tz9AEJv6b0o0grqNkZERshyNT4+jj2y2bHHCfgw7YwlKU5tsxF6CGNSWJ2ted3nAizQkpFvEO+Vytmh8t70auagn8Z6qs+KIvPkt9moGy1eZmqvAYiq7fnOxa//0w==",
            "createdBy" : "1311967740",
            "updatedBy" : "1311967740",
            "createdAt" : "2022-06-30T22:23:53.668Z",
            "updatedAt" : "2022-06-30T22:23:53.668Z",
            "muteAll" : false,
            "mutedInstanceIds" : [ ],
            "executionStatus" : { "status" : "ok", "lastExecutionDate" : "2022-06-30T22:23:57.808Z", "error" : null },
            "meta" : { "versionApiKeyLastmodified" : "7.15.2" },
            "scheduledTaskId" : "539cf830-f8c3-11ec-b16f-93bfaa093d8c",
            "legacyId" : "526eb160-f8c3-11ec-b16f-93bfaa093d8c"
          },
          "type" : "alert",
          "references" : [
            { "id" : "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "name" : "action_0", "type" : "action" },
            { "id" : "50342ab0-f8c3-11ec-b16f-93bfaa093d8c", "name" : "param:alert_0", "type" : "alert" }
          ],
          "migrationVersion" : { "alert" : "7.16.0" },
          "coreMigrationVersion" : "7.17.5",
          "updated_at" : "2022-06-30T22:23:57.877Z"
        }
      },
      {
        "_index" : ".kibana_7.17.5_001",
        "_type" : "_doc",
        "_id" : "alert:748a3ad0-f8c3-11ec-b16f-93bfaa093d8c",
        "_score" : 1.2321435,
        "_source" : {
          "alert" : {
            "name" : "Weekly",
            "tags" : [ "__internal_rule_alert_id:726f2300-f8c3-11ec-b16f-93bfaa093d8c" ],
            "alertTypeId" : "siem.notifications",
            "consumer" : "siem",
            "params" : { "ruleAlertId" : "726f2300-f8c3-11ec-b16f-93bfaa093d8c" },
            "schedule" : { "interval" : "7d" },
            "enabled" : true,
            "actions" : [
              {
                "group" : "default",
                "params" : { "message" : "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" },
                "actionTypeId" : ".slack",
                "actionRef" : "action_0"
              }
            ],
            "throttle" : null,
            "notifyWhen" : "onActiveAlert",
            "apiKeyOwner" : "1311967740",
            "apiKey" : "zMedgufN3lhw35QeJUYNRgRISHOEdtoQbw19tdxJnTL1aYQqJKagEaqDNIQkpm3vjZRUXVu04VfWac4PQCQ0guRuUCQjfTS7URRGF0QMF2eK1P5I3lYC+5oG/ZDGyuQOxbWbTmiUpiGWRB0FoL/d3dc5sqWtR98J7Eod8+wqMGYFLttRfWAosTYnzeb3dNodxEUhUGbYMFh4ig==",
            "createdBy" : "1311967740",
            "updatedBy" : "1311967740",
            "createdAt" : "2022-06-30T22:24:50.879Z",
            "updatedAt" : "2022-06-30T22:24:50.879Z",
            "muteAll" : false,
            "mutedInstanceIds" : [ ],
            "executionStatus" : { "status" : "ok", "lastExecutionDate" : "2022-06-30T22:24:54.895Z", "error" : null },
            "meta" : { "versionApiKeyLastmodified" : "7.15.2" },
            "scheduledTaskId" : "75b610a0-f8c3-11ec-b16f-93bfaa093d8c",
            "legacyId" : "748a3ad0-f8c3-11ec-b16f-93bfaa093d8c"
          },
          "type" : "alert",
          "references" : [
            { "id" : "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "name" : "action_0", "type" : "action" },
            { "id" : "726f2300-f8c3-11ec-b16f-93bfaa093d8c", "name" : "param:alert_0", "type" : "alert" }
          ],
          "migrationVersion" : { "alert" : "7.16.0" },
          "coreMigrationVersion" : "7.17.5",
          "updated_at" : "2022-06-30T22:24:54.983Z"
        }
      }
    ]
  }
}
```
## Gets the siem sidecar actions
GET .kibana/_search
{
  "query": {
    "term": {
      "type": {
        "value": "siem-detection-engine-rule-actions"
      }
    }
  }
}
Query results:

```json
{
  "took" : 2,
  "timed_out" : false,
  "_shards" : { "total" : 1, "successful" : 1, "skipped" : 0, "failed" : 0 },
  "hits" : {
    "total" : { "value" : 4, "relation" : "eq" },
    "max_score" : 6.3702807,
    "hits" : [
      {
        "_index" : ".kibana_7.17.5_001",
        "_type" : "_doc",
        "_id" : "siem-detection-engine-rule-actions:1738eac0-f8c3-11ec-b16f-93bfaa093d8c",
        "_score" : 6.3702807,
        "_source" : {
          "siem-detection-engine-rule-actions" : {
            "actions" : [
              {
                "actionRef" : "action_0",
                "group" : "default",
                "params" : { "message" : "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" },
                "action_type_id" : ".slack"
              }
            ],
            "ruleThrottle" : "rule",
            "alertThrottle" : null
          },
          "type" : "siem-detection-engine-rule-actions",
          "references" : [
            { "id" : "1568e5b0-f8c3-11ec-b16f-93bfaa093d8c", "type" : "alert", "name" : "alert_0" },
            { "id" : "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "type" : "action", "name" : "action_0" }
          ],
          "migrationVersion" : { "siem-detection-engine-rule-actions" : "7.16.0" },
          "coreMigrationVersion" : "7.17.5",
          "updated_at" : "2022-06-30T22:22:13.367Z"
        }
      },
      {
        "_index" : ".kibana_7.17.5_001",
        "_type" : "_doc",
        "_id" : "siem-detection-engine-rule-actions:3ce00bf0-f8c3-11ec-b16f-93bfaa093d8c",
        "_score" : 6.3702807,
        "_source" : {
          "siem-detection-engine-rule-actions" : {
            "actions" : [
              {
                "actionRef" : "action_0",
                "group" : "default",
                "params" : { "message" : "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" },
                "action_type_id" : ".slack"
              }
            ],
            "ruleThrottle" : "1h",
            "alertThrottle" : "1h"
          },
          "type" : "siem-detection-engine-rule-actions",
          "references" : [
            { "id" : "3b1e5ec0-f8c3-11ec-b16f-93bfaa093d8c", "type" : "alert", "name" : "alert_0" },
            { "id" : "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "type" : "action", "name" : "action_0" }
          ],
          "migrationVersion" : { "siem-detection-engine-rule-actions" : "7.16.0" },
          "coreMigrationVersion" : "7.17.5",
          "updated_at" : "2022-06-30T22:23:16.534Z"
        }
      },
      {
        "_index" : ".kibana_7.17.5_001",
        "_type" : "_doc",
        "_id" : "siem-detection-engine-rule-actions:51d02770-f8c3-11ec-b16f-93bfaa093d8c",
        "_score" : 6.3702807,
        "_source" : {
          "siem-detection-engine-rule-actions" : {
            "actions" : [
              {
                "actionRef" : "action_0",
                "group" : "default",
                "params" : { "message" : "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" },
                "action_type_id" : ".slack"
              }
            ],
            "ruleThrottle" : "1d",
            "alertThrottle" : "1d"
          },
          "type" : "siem-detection-engine-rule-actions",
          "references" : [
            { "id" : "50342ab0-f8c3-11ec-b16f-93bfaa093d8c", "type" : "alert", "name" : "alert_0" },
            { "id" : "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "type" : "action", "name" : "action_0" }
          ],
          "migrationVersion" : { "siem-detection-engine-rule-actions" : "7.16.0" },
          "coreMigrationVersion" : "7.17.5",
          "updated_at" : "2022-06-30T22:23:51.665Z"
        }
      },
      {
        "_index" : ".kibana_7.17.5_001",
        "_type" : "_doc",
        "_id" : "siem-detection-engine-rule-actions:73ec2610-f8c3-11ec-b16f-93bfaa093d8c",
        "_score" : 6.3702807,
        "_source" : {
          "siem-detection-engine-rule-actions" : {
            "actions" : [
              {
                "actionRef" : "action_0",
                "group" : "default",
                "params" : { "message" : "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" },
                "action_type_id" : ".slack"
              }
            ],
            "ruleThrottle" : "7d",
            "alertThrottle" : "7d"
          },
          "type" : "siem-detection-engine-rule-actions",
          "references" : [
            { "id" : "726f2300-f8c3-11ec-b16f-93bfaa093d8c", "type" : "alert", "name" : "alert_0" },
            { "id" : "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "type" : "action", "name" : "action_0" }
          ],
          "migrationVersion" : { "siem-detection-engine-rule-actions" : "7.16.0" },
          "coreMigrationVersion" : "7.17.5",
          "updated_at" : "2022-06-30T22:24:48.889Z"
        }
      }
    ]
  }
}
```
## Get rules
GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.signals"
    }
  }
}
Query results ```json { "took" : 2, "timed_out" : false, "_shards" : { "total" : 1, "successful" : 1, "skipped" : 0, "failed" : 0 }, "hits" : { "total" : { "value" : 4, "relation" : "eq" }, "max_score" : 0.3448405, "hits" : [ { "_index" : ".kibana_7.17.5_001", "_type" : "_doc", "_id" : "alert:1568e5b0-f8c3-11ec-b16f-93bfaa093d8c", "_score" : 0.3448405, "_source" : { "alert" : { "name" : "every run", "tags" : [ "__internal_rule_id:37aab1e4-2f6e-446f-ad6a-4e118ad329a9", "__internal_immutable:false" ], "alertTypeId" : "siem.signals", "consumer" : "siem", "params" : { "author" : [ ], "description" : "asdf", "ruleId" : "37aab1e4-2f6e-446f-ad6a-4e118ad329a9", "falsePositives" : [ ], "from" : "now-72000300s", "immutable" : false, "license" : "", "outputIndex" : ".siem-signals-default", "meta" : { "from" : "20000h", "kibana_siem_app_url" : "https://actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals" : 100, "riskScore" : 21, "riskScoreMapping" : [ ], "severity" : "low", "severityMapping" : [ ], "threat" : [ ], "to" : "now", "references" : [ ], "version" : 1, "exceptionsList" : [ ], "type" : "query", "language" : "kuery", "index" : [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query" : "*:*", "filters" : [ ] }, "schedule" : { "interval" : "5m" }, "enabled" : true, "actions" : [ { "group" : "default", "params" : { "message" : "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionTypeId" : ".slack", "actionRef" : "action_0" } ], "throttle" : null, "notifyWhen" : "onActiveAlert", "apiKeyOwner" : "1311967740", "apiKey" : "F1fUvtMT2U1eC6GDkg8oFeQvGZt4Wk29/pIiiyjhOdDMSinFxf1/y0gRYbXVb0MoYd4hdeeUSOYRsjDMUzOJUs1J520+x/e1vhKICUfTAoUeNYn1fA6ly8eIEVqVQQMvOLvNnZrt8089icNk+Y3XIMlnZbzPls88FsLJprEztU1E7mUhZAx42G8D1PHtUlWcFqUzDqijRMrEUQ==", "createdBy" : "1311967740", "updatedBy" : "1311967740", "createdAt" : "2022-06-30T22:22:11.339Z", "updatedAt" : 
"2022-06-30T22:22:11.339Z", "muteAll" : false, "mutedInstanceIds" : [ ], "executionStatus" : { "status" : "ok", "lastExecutionDate" : "2022-06-30T22:32:17.739Z", "error" : null, "lastDuration" : 2795 }, "meta" : { "versionApiKeyLastmodified" : "7.15.2" }, "scheduledTaskId" : "169b9950-f8c3-11ec-b16f-93bfaa093d8c", "legacyId" : "1568e5b0-f8c3-11ec-b16f-93bfaa093d8c" }, "type" : "alert", "references" : [ { "id" : "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "name" : "action_0", "type" : "action" } ], "migrationVersion" : { "alert" : "7.16.0" }, "coreMigrationVersion" : "7.17.5", "updated_at" : "2022-06-30T22:32:20.535Z" } }, { "_index" : ".kibana_7.17.5_001", "_type" : "_doc", "_id" : "alert:3b1e5ec0-f8c3-11ec-b16f-93bfaa093d8c", "_score" : 0.3448405, "_source" : { "alert" : { "name" : "Hourly", "tags" : [ "__internal_rule_id:55abdc19-648b-448c-aa8c-1ead1e6b14ef", "__internal_immutable:false" ], "alertTypeId" : "siem.signals", "consumer" : "siem", "params" : { "author" : [ ], "description" : "asdf", "ruleId" : "55abdc19-648b-448c-aa8c-1ead1e6b14ef", "falsePositives" : [ ], "from" : "now-120300s", "immutable" : false, "license" : "", "outputIndex" : ".siem-signals-default", "meta" : { "from" : "2000m", "kibana_siem_app_url" : "https://actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals" : 100, "riskScore" : 21, "riskScoreMapping" : [ ], "severity" : "low", "severityMapping" : [ ], "threat" : [ ], "to" : "now", "references" : [ ], "version" : 1, "exceptionsList" : [ ], "type" : "query", "language" : "kuery", "index" : [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query" : "*:*", "filters" : [ ] }, "schedule" : { "interval" : "5m" }, "enabled" : true, "actions" : [ ], "throttle" : null, "notifyWhen" : "onActiveAlert", "apiKeyOwner" : "1311967740", "apiKey" : 
"8gVurj6jbsZMTOfQhkPJYuscy3z860EpnnS+XZ5bZwqmW6+IM9CHWcvPDV+yja1qN5RjQaUsJ9dd6U1CLbf6YcFiIoAufHCqC9aXhlLa0jz4YamQztOpbzgowX59lHHY0iLkVWwmg7yA8tWjML1nfeV2tIRggmqAJAXlNjPbUZnvCenIgg7XPH6dqmR5t4p0WPtNmbE+6FI01Q==", "createdBy" : "1311967740", "updatedBy" : "1311967740", "createdAt" : "2022-06-30T22:23:14.494Z", "updatedAt" : "2022-06-30T22:23:14.494Z", "muteAll" : false, "mutedInstanceIds" : [ ], "executionStatus" : { "status" : "ok", "lastExecutionDate" : "2022-06-30T22:33:20.640Z", "error" : null, "lastDuration" : 2727 }, "meta" : { "versionApiKeyLastmodified" : "7.15.2" }, "scheduledTaskId" : "3c43f300-f8c3-11ec-b16f-93bfaa093d8c", "legacyId" : "3b1e5ec0-f8c3-11ec-b16f-93bfaa093d8c" }, "type" : "alert", "references" : [ ], "migrationVersion" : { "alert" : "7.16.0" }, "coreMigrationVersion" : "7.17.5", "updated_at" : "2022-06-30T22:33:23.368Z" } }, { "_index" : ".kibana_7.17.5_001", "_type" : "_doc", "_id" : "alert:50342ab0-f8c3-11ec-b16f-93bfaa093d8c", "_score" : 0.3448405, "_source" : { "alert" : { "name" : "Daily", "tags" : [ "__internal_rule_id:d9f5b928-bcda-4792-8046-2cba597fd62d", "__internal_immutable:false" ], "alertTypeId" : "siem.signals", "consumer" : "siem", "params" : { "author" : [ ], "description" : "sdf", "ruleId" : "d9f5b928-bcda-4792-8046-2cba597fd62d", "falsePositives" : [ ], "from" : "now-120300s", "immutable" : false, "license" : "", "outputIndex" : ".siem-signals-default", "meta" : { "from" : "2000m", "kibana_siem_app_url" : "https://actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals" : 100, "riskScore" : 21, "riskScoreMapping" : [ ], "severity" : "low", "severityMapping" : [ ], "threat" : [ ], "to" : "now", "references" : [ ], "version" : 1, "exceptionsList" : [ ], "type" : "query", "language" : "kuery", "index" : [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query" : "*:*", "filters" : [ ] }, "schedule" : { "interval" : "5m" }, "enabled" : 
true, "actions" : [ ], "throttle" : null, "notifyWhen" : "onActiveAlert", "apiKeyOwner" : "1311967740", "apiKey" : "EBpU36kNwQCrCkftdbbvJr8Da1rL0vzT60x4/0bAl2HB39EglcjnprluwF/SxfFovAKOsE6qF23rHc5sl+BJJ8+xqn8W/KNo5/PzAcC8P3JAOIgxJkvodyn5oWUHJIUjgOkqpfF5Rg4bIf1SkrLmo1nok6moBTxLd9UXe/5yyfbwQelczJCf4A7vj6Wts2hLGlBN29AVs4D4Cg==", "createdBy" : "1311967740", "updatedBy" : "1311967740", "createdAt" : "2022-06-30T22:23:49.625Z", "updatedAt" : "2022-06-30T22:23:49.625Z", "muteAll" : false, "mutedInstanceIds" : [ ], "executionStatus" : { "status" : "ok", "lastExecutionDate" : "2022-06-30T22:33:53.652Z", "error" : null, "lastDuration" : 2770 }, "meta" : { "versionApiKeyLastmodified" : "7.15.2" }, "scheduledTaskId" : "51343590-f8c3-11ec-b16f-93bfaa093d8c", "legacyId" : "50342ab0-f8c3-11ec-b16f-93bfaa093d8c" }, "type" : "alert", "references" : [ ], "migrationVersion" : { "alert" : "7.16.0" }, "coreMigrationVersion" : "7.17.5", "updated_at" : "2022-06-30T22:33:56.423Z" } }, { "_index" : ".kibana_7.17.5_001", "_type" : "_doc", "_id" : "alert:726f2300-f8c3-11ec-b16f-93bfaa093d8c", "_score" : 0.3448405, "_source" : { "alert" : { "name" : "Weekly", "tags" : [ "__internal_rule_id:6b98046d-2a94-4116-a470-b74c193d7fa3", "__internal_immutable:false" ], "alertTypeId" : "siem.signals", "consumer" : "siem", "params" : { "author" : [ ], "description" : "sdf", "ruleId" : "6b98046d-2a94-4116-a470-b74c193d7fa3", "falsePositives" : [ ], "from" : "now-120300s", "immutable" : false, "license" : "", "outputIndex" : ".siem-signals-default", "meta" : { "from" : "2000m", "kibana_siem_app_url" : "https://actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals" : 100, "riskScore" : 21, "riskScoreMapping" : [ ], "severity" : "low", "severityMapping" : [ ], "threat" : [ ], "to" : "now", "references" : [ ], "version" : 1, "exceptionsList" : [ ], "type" : "query", "language" : "kuery", "index" : [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", 
"packetbeat-*", "winlogbeat-*" ], "query" : "*:*", "filters" : [ ] }, "schedule" : { "interval" : "5m" }, "enabled" : true, "actions" : [ ], "throttle" : null, "notifyWhen" : "onActiveAlert", "apiKeyOwner" : "1311967740", "apiKey" : "7Jl6L2wbs4PSPEb3IrEHWfVqpaOacUd1CovatOIk0yZaMtRywL5Rd0fFFFIOY3ZDCTkvTROlj6CjTX95HTyjrGPIapa9TA1zevl6m+JNYUtcRpT1aGScfdkaPUZ7YVdayXg55RLCBXlz13+2l0c/DUn4/ofB4W1xluxQtbnwtDI/afAExKV5Y27NrenP/CE8cfiH2FFHzIALsw==", "createdBy" : "1311967740", "updatedBy" : "1311967740", "createdAt" : "2022-06-30T22:24:46.837Z", "updatedAt" : "2022-06-30T22:24:46.837Z", "muteAll" : false, "mutedInstanceIds" : [ ], "executionStatus" : { "status" : "ok", "lastExecutionDate" : "2022-06-30T22:34:53.662Z", "error" : null, "lastDuration" : 2840 }, "meta" : { "versionApiKeyLastmodified" : "7.15.2" }, "scheduledTaskId" : "734e5f70-f8c3-11ec-b16f-93bfaa093d8c", "legacyId" : "726f2300-f8c3-11ec-b16f-93bfaa093d8c" }, "type" : "alert", "references" : [ ], "migrationVersion" : { "alert" : "7.16.0" }, "coreMigrationVersion" : "7.17.5", "updated_at" : "2022-06-30T22:34:56.502Z" } } ] } } ```

8.3.1

## Gets the alerting rule type created for the legacy action
GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.notifications"
    }
  }
}
Query results

```json
{
  "took": 1,
  "timed_out": false,
  "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 },
  "hits": {
    "total": { "value": 0, "relation": "eq" },
    "max_score": null,
    "hits": []
  }
}
```
## Gets the siem sidecar actions
GET .kibana/_search
{
  "query": {
    "term": {
      "type": {
        "value": "siem-detection-engine-rule-actions"
      }
    }
  }
}
Query results

```json
{
  "took": 2,
  "timed_out": false,
  "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 },
  "hits": {
    "total": { "value": 0, "relation": "eq" },
    "max_score": null,
    "hits": []
  }
}
```
## Get rules
GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.queryRule"
    }
  }
}
Query results ```json { "took": 1, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 4, "relation": "eq" }, "max_score": 0.16507976, "hits": [ { "_index": ".kibana_8.3.1_001", "_id": "alert:1568e5b0-f8c3-11ec-b16f-93bfaa093d8c", "_score": 0.16507976, "_source": { "alert": { "name": "every run", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "asdf", "ruleId": "37aab1e4-2f6e-446f-ad6a-4e118ad329a9", "falsePositives": [], "from": "now-72000300s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "20000h", "kibana_siem_app_url": "https://actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1311967740", "apiKey": "TvJGUnNP0Y6c4Tmv777GlxsaaTSZPaDssRMYgV5YV2bN80DK9Sz3lfTP2eGRwSRGe6SrY5lD9RQC1FEfuK4uidU871HlstHYi98N6LhgN9C9e7/gWbRtglbhSXz3m4VvzIocGJL64Gh27bF1K8Jm0CZFqDW++GlZibcaCBY3twh4CLsiBKo6Ia05rSB/z8pc+k9Zj614wdO0uw==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-06-30T22:22:11.339Z", "updatedAt": "2022-06-30T22:54:59.974Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "active", "lastExecutionDate": "2022-06-30T22:55:01.863Z", "error": null, "lastDuration": 
4161, "warning": null }, "meta": { "versionApiKeyLastmodified": "8.3.1" }, "scheduledTaskId": "1568e5b0-f8c3-11ec-b16f-93bfaa093d8c", "legacyId": "1568e5b0-f8c3-11ec-b16f-93bfaa093d8c", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [], "monitoring": { "execution": { "history": [ { "duration": 4161, "success": true, "timestamp": 1656629706026 } ], "calculated_metrics": { "p99": 4161, "success_ratio": 1, "p50": 4161, "p95": 4161 } } } }, "type": "alert", "references": [ { "id": "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "name": "action_0", "type": "action" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-06-30T22:55:06.030Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:3b1e5ec0-f8c3-11ec-b16f-93bfaa093d8c", "_score": 0.16507976, "_source": { "alert": { "name": "Hourly", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "asdf", "ruleId": "55abdc19-648b-448c-aa8c-1ead1e6b14ef", "falsePositives": [], "from": "now-120300s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "2000m", "kibana_siem_app_url": "https://actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": "1h", "notifyWhen": "onThrottleInterval", "apiKeyOwner": 
"1311967740", "apiKey": "PqTWPpBs81B2X7w3go+LVlay0Xh258vCKU/F0Vy2cJQmidYMoDzHy3Kd0F60ci1AYq3sZ+cF3KQEGRuCHPZRvmxY59dQMXOjzOh0vdMp2VOKGvNdlSwwNg0Q7hNoyf1zRg4O2QzVxvLW7MgZ01unlQuEoXUiIYOAjMVYC8oQ0/ELoYOobi5260tZlWnAnb8U+TLSdKbU4a/H5Q==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-06-30T22:23:14.494Z", "updatedAt": "2022-06-30T22:55:05.004Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "active", "lastExecutionDate": "2022-06-30T22:55:07.948Z", "lastDuration": 3122, "warning": null, "error": null }, "meta": { "versionApiKeyLastmodified": "8.3.1" }, "scheduledTaskId": "3b1e5ec0-f8c3-11ec-b16f-93bfaa093d8c", "legacyId": "3b1e5ec0-f8c3-11ec-b16f-93bfaa093d8c", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [], "monitoring": { "execution": { "history": [ { "duration": 3122, "success": true, "timestamp": 1656629711073 } ], "calculated_metrics": { "p99": 3122, "success_ratio": 1, "p50": 3122, "p95": 3122 } } } }, "type": "alert", "references": [ { "id": "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "name": "action_0", "type": "action" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-06-30T22:55:11.081Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:50342ab0-f8c3-11ec-b16f-93bfaa093d8c", "_score": 0.16507976, "_source": { "alert": { "name": "Daily", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "sdf", "ruleId": "d9f5b928-bcda-4792-8046-2cba597fd62d", "falsePositives": [], "from": "now-120300s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "2000m", "kibana_siem_app_url": "https://actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, 
"exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": "1d", "notifyWhen": "onThrottleInterval", "apiKeyOwner": "1311967740", "apiKey": "59SjPkQOAhqIgWfPFrfpA7Q8qt7KmZcJZjRTe/XhmE2DzM2gKQFs4GWLXoVeXOQXkL0vGKjUtYmlXi6SzxEf1y/bKrjvhsZGChloHox7FN2Tp3Y3jZthbh7ZV7WImVIviKV6v8h1tm0LOxUtUQIR9MspajSanKp8Qj4s7nyHDVtMz+alK85z57+55zaIODSvNhNDOf7ItUeL8Q==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-06-30T22:23:49.625Z", "updatedAt": "2022-06-30T22:55:05.003Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "active", "lastExecutionDate": "2022-06-30T22:55:07.946Z", "lastDuration": 3130, "warning": null, "error": null }, "meta": { "versionApiKeyLastmodified": "8.3.1" }, "scheduledTaskId": "50342ab0-f8c3-11ec-b16f-93bfaa093d8c", "legacyId": "50342ab0-f8c3-11ec-b16f-93bfaa093d8c", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [], "monitoring": { "execution": { "history": [ { "duration": 3130, "success": true, "timestamp": 1656629711077 } ], "calculated_metrics": { "p99": 3130, "success_ratio": 1, "p50": 3130, "p95": 3130 } } } }, "type": "alert", "references": [ { "id": "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "name": "action_0", "type": "action" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-06-30T22:55:11.082Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:726f2300-f8c3-11ec-b16f-93bfaa093d8c", "_score": 0.16507976, "_source": { "alert": { "name": "Weekly", "tags": [ "auto_disabled_8.0" ], 
"alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "sdf", "ruleId": "6b98046d-2a94-4116-a470-b74c193d7fa3", "falsePositives": [], "from": "now-120300s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "2000m", "kibana_siem_app_url": "https://actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": "7d", "notifyWhen": "onThrottleInterval", "apiKeyOwner": "1311967740", "apiKey": "LMgImz2QA1tluo4iz91vGsbw/u9m88ueDYUU/bpGp7zx1MsDrVIid1oCv4E+69HzZfaujU9gv7yafXq5+S/Pb0LGJKBXbZ2JbLXxSGiai8FGDjpX8GA/dnG7wIBoYCtRU3pEFnH+jseyBpI/PQrsZ7THicEYw1giWiNBoacYKKYCEB15l4cIKNLJz5gbMS8+M6Uoa3zEDxsCBA==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-06-30T22:24:46.837Z", "updatedAt": "2022-06-30T22:55:05.002Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "active", "lastExecutionDate": "2022-06-30T22:55:07.947Z", "lastDuration": 3132, "warning": null, "error": null }, "meta": { "versionApiKeyLastmodified": "8.3.1" }, "scheduledTaskId": "726f2300-f8c3-11ec-b16f-93bfaa093d8c", "legacyId": "726f2300-f8c3-11ec-b16f-93bfaa093d8c", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [], "monitoring": { "execution": { "history": [ { "duration": 3132, "success": true, "timestamp": 1656629711080 } ], 
"calculated_metrics": { "p99": 3132, "success_ratio": 1, "p50": 3132, "p95": 3132 } } } }, "type": "alert", "references": [ { "id": "12fb1a00-f8c3-11ec-b16f-93bfaa093d8c", "name": "action_0", "type": "action" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-06-30T22:55:11.086Z" } } ] } } ```
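The three dev-tools queries above are a manual join: sidecar documents and `siem.notifications` rules on one side, the rule saved objects on the other, and the expected end state is "enabled rule, no sidecar, actions on the rule, `throttle` equal to the old interval and `notifyWhen: onThrottleInterval`". The script below automates that join over the `hits.hits` array of a `GET .kibana/_search` response. It is an added example, not code from the Kibana repository or from this issue; the sample documents are constructed to mirror the shapes shown above (ids shortened), and the sidecar attribute names `ruleAlertId` and `ruleThrottle` are assumed from the legacy `siem-detection-engine-rule-actions` schema, since the queries in this thread returned no sidecars to copy from.

```python
"""Audit .kibana search hits for detection rules whose legacy actions did not migrate.

Added example (not Kibana code). Input: the `hits.hits` list from `GET .kibana/_search`.
Assumed legacy sidecar fields: `ruleAlertId` (owning rule's alert id) and `ruleThrottle`.
"""
from dataclasses import dataclass

SIDECAR_TYPE = "siem-detection-engine-rule-actions"
LEGACY_NOTIFICATION_TYPE = "siem.notifications"


@dataclass(frozen=True)
class Finding:
    rule_id: str   # saved-object id with the "alert:" prefix stripped
    name: str
    reason: str


def _alerts(hits):
    """Yield (rule id, alert attributes) for every alerting-rule saved object."""
    for hit in hits:
        src = hit["_source"]
        if src.get("type") == "alert":
            yield hit["_id"].removeprefix("alert:"), src["alert"]


def legacy_artifacts(hits):
    """Index legacy action artefacts by the rule that owns them.

    Returns (sidecars keyed by rule id, set of rule ids that still have a
    siem.notifications rule). Sidecar field names are assumed, see module docstring.
    """
    sidecars, notifications = {}, set()
    for hit in hits:
        src = hit["_source"]
        if src.get("type") == SIDECAR_TYPE:
            attrs = src[SIDECAR_TYPE]
            sidecars[attrs["ruleAlertId"]] = attrs
    for _, alert in _alerts(hits):
        if alert.get("alertTypeId") == LEGACY_NOTIFICATION_TYPE:
            notifications.add(alert["params"]["ruleAlertId"])
    return sidecars, notifications


def audit(hits):
    """Return findings for SIEM rules whose actions look unmigrated or internally inconsistent."""
    hits = list(hits)
    sidecars, notifications = legacy_artifacts(hits)
    findings = []
    for rule_id, alert in _alerts(hits):
        if alert.get("consumer") != "siem" or alert.get("alertTypeId") == LEGACY_NOTIFICATION_TYPE:
            continue
        name = alert.get("name", "")
        throttle, notify_when = alert.get("throttle"), alert.get("notifyWhen")
        actions = alert.get("actions") or []

        # Migration is supposed to run on enable, so an enabled rule that still owns a
        # sidecar or a siem.notifications rule is the failure this issue is about.
        if alert.get("enabled"):
            if rule_id in sidecars:
                legacy = sidecars[rule_id].get("ruleThrottle")
                findings.append(Finding(rule_id, name,
                    f"enabled but sidecar still present (legacy ruleThrottle={legacy!r}, "
                    f"rule actions={len(actions)}, throttle={throttle!r})"))
            if rule_id in notifications:
                findings.append(Finding(rule_id, name,
                    "enabled but legacy siem.notifications rule still present"))

        # Shape checks that must hold for any migrated 8.x rule, enabled or not.
        if throttle is None and notify_when == "onThrottleInterval":
            findings.append(Finding(rule_id, name, "notifyWhen=onThrottleInterval without a throttle"))
        if throttle is not None and notify_when != "onThrottleInterval":
            findings.append(Finding(rule_id, name, f"throttle={throttle!r} but notifyWhen={notify_when!r}"))
        if throttle is not None and not actions:
            findings.append(Finding(rule_id, name, f"throttle={throttle!r} but no actions to throttle"))
    return findings


def _rule(rid, name, enabled, throttle, notify_when, actions, type_id="siem.queryRule", params=None):
    return {"_id": f"alert:{rid}", "_source": {"type": "alert", "alert": {
        "name": name, "alertTypeId": type_id, "consumer": "siem", "enabled": enabled,
        "throttle": throttle, "notifyWhen": notify_when, "actions": actions,
        "params": params or {"ruleId": rid}}}}


SLACK = [{"actionTypeId": ".slack", "actionRef": "action_0", "group": "default",
          "params": {"message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"}}]

# Constructed sample: one rule migrated correctly, one enabled rule whose sidecar and
# notification rule survived the enable, one rule still disabled (sidecar expected).
SAMPLE_HITS = [
    _rule("3b1e5ec0", "Hourly", True, "1h", "onThrottleInterval", SLACK),
    _rule("50342ab0", "Daily", True, None, "onActiveAlert", []),
    {"_id": f"{SIDECAR_TYPE}:a1", "_source": {"type": SIDECAR_TYPE, SIDECAR_TYPE: {
        "ruleAlertId": "50342ab0", "ruleThrottle": "1d", "alertThrottle": "1d"}}},
    _rule("d3adb33f", "Daily notification", True, None, "onActiveAlert", SLACK,
          type_id=LEGACY_NOTIFICATION_TYPE, params={"ruleAlertId": "50342ab0"}),
    _rule("726f2300", "Weekly", False, None, "onActiveAlert", []),
    {"_id": f"{SIDECAR_TYPE}:a2", "_source": {"type": SIDECAR_TYPE, SIDECAR_TYPE: {
        "ruleAlertId": "726f2300", "ruleThrottle": "7d", "alertThrottle": "7d"}}},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_HITS):
        print(f"{f.rule_id} ({f.name}): {f.reason}")
```

Feed it real data by paging the three queries with `size`/`search_after` (or `scroll`) and concatenating the hits; a clean post-enable state is an empty result from `audit`, while the disabled Weekly rule in the sample intentionally produces nothing, because its sidecar is expected until the rule is enabled.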
ghost commented 2 years ago

Hi @yctercero,

Yes, I have bulk enabled the rules after upgrading to 8.3.1 and I am getting `"throttle": null, "notifyWhen": "onActiveAlert"` for every rule.

Build Details:

VERSION: 8.3.1
BUILD: 53549
COMMIT: a4f8dc60edb19553f16c166ea79c83c16572897a

8.3.1

GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.queryRule"
    }
  }
}
Query Results ``` { "took": 15, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 282, "relation": "eq" }, "max_score": 0.51025563, "hits": [ { "_index": ".kibana_8.3.1_001", "_id": "alert:4ef58f63-fb64-11ec-b0c7-71ba69dfcc1b", "_score": 0.51025563, "_source": { "alert": { "name": "Modification of Safari Settings via Defaults Command", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [ "Elastic" ], "description": "Identifies changes to the Safari configuration using the built-in defaults command. Adversaries may attempt to enable or disable certain Safari settings, such as enabling JavaScript from Apple Events to ease in the hijacking of the users browser.", "ruleId": "6482255d-f468-45ea-a5b3-d3a7de1331ae", "falsePositives": [], "from": "now-9m", "immutable": true, "license": "Elastic License v2", "outputIndex": "", "maxSignals": 100, "riskScore": 47, "riskScoreMapping": [], "severity": "medium", "severityMapping": [], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/" } ] } ] } ], "timestampOverride": "event.ingested", "to": "now", "references": [ "https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf" ], "version": 1, "exceptionsList": [], "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "query": """event.category:process and event.type:start and process.name:defaults and process.args: (com.apple.Safari and write and not ( UniversalSearchEnabled or SuppressSearchSuggestions or WebKitTabToLinksPreferenceKey or 
ShowFullURLInSmartSearchField or com.apple.Safari.ContentPageGroupIdentifier.WebKit2TabsToLinks ) ) """, "language": "kuery", "type": "query" }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": null, "apiKey": null, "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-04T06:41:19.329Z", "updatedAt": "2022-07-04T06:41:19.329Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "pending", "lastExecutionDate": "2022-07-04T06:41:19.329Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "legacyId": "4ef58f63-fb64-11ec-b0c7-71ba69dfcc1b", "mapped_params": { "risk_score": 47, "severity": "40-medium" }, "snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-07-04T06:41:19.329Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:4ef58f64-fb64-11ec-b0c7-71ba69dfcc1b", "_score": 0.51025563, "_source": { "alert": { "name": "SoftwareUpdate Preferences Modification", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [ "Elastic" ], "description": "Identifies changes to the SoftwareUpdate preferences using the built-in defaults command. 
Adversaries may abuse this in an attempt to disable security updates.", "ruleId": "f683dcdf-a018-4801-b066-193d4ae6c8e5", "falsePositives": [ "Authorized SoftwareUpdate Settings Changes" ], "from": "now-9m", "immutable": true, "license": "Elastic License v2", "outputIndex": "", "maxSignals": 100, "riskScore": 47, "riskScoreMapping": [], "severity": "medium", "severityMapping": [], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0005", "name": "Defense Evasion", "reference": "https://attack.mitre.org/tactics/TA0005/" }, "technique": [ { "id": "T1562", "name": "Impair Defenses", "reference": "https://attack.mitre.org/techniques/T1562/", "subtechnique": [ { "id": "T1562.001", "name": "Disable or Modify Tools", "reference": "https://attack.mitre.org/techniques/T1562/001/" } ] } ] } ], "timestampOverride": "event.ingested", "to": "now", "references": [ "https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/" ], "version": 1, "exceptionsList": [], "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "query": """event.category:process and event.type:(start or process_started) and process.name:defaults and process.args:(write and "-bool" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true)) """, "language": "kuery", "type": "query" }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": null, "apiKey": null, "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-04T06:41:19.332Z", "updatedAt": "2022-07-04T06:41:19.332Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "pending", "lastExecutionDate": "2022-07-04T06:41:19.332Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "legacyId": "4ef58f64-fb64-11ec-b0c7-71ba69dfcc1b", "mapped_params": { "risk_score": 47, "severity": "40-medium" }, "snoozeSchedule": [] }, "type": "alert", "references": [], 
"namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-07-04T06:41:19.332Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:4ef58f6a-fb64-11ec-b0c7-71ba69dfcc1b", "_score": 0.51025563, "_source": { "alert": { "name": "Bash Shell Profile Modification", "tags": [ "Elastic", "Host", "macOS", "Linux", "Threat Detection", "Persistence" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [ "Elastic" ], "description": "Both ~/.bash_profile and ~/.bashrc are files containing shell commands that are run when Bash is invoked. These files are executed in a user's context, either interactively or non-interactively, when a user logs in so that their environment is set correctly. Adversaries may abuse this to establish persistence by executing malicious content triggered by a user’s shell.", "ruleId": "e6c1a552-7776-44ad-ae0f-8746cc07773c", "falsePositives": [ "Changes to the Shell Profile tend to be noisy, a tuning per your environment will be required." 
], "from": "now-9m", "immutable": true, "license": "Elastic License v2", "outputIndex": "", "maxSignals": 100, "riskScore": 47, "riskScoreMapping": [], "severity": "medium", "severityMapping": [], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1546", "name": "Event Triggered Execution", "reference": "https://attack.mitre.org/techniques/T1546/", "subtechnique": [ { "id": "T1546.004", "name": "Unix Shell Configuration Modification", "reference": "https://attack.mitre.org/techniques/T1546/004/" } ] } ] } ], "timestampOverride": "event.ingested", "to": "now", "references": [ "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat" ], "version": 2, "exceptionsList": [], "index": [ "logs-endpoint.events.*", "auditbeat-*" ], "query": """event.category:file and event.type:change and process.name:(* and not (sudo or vim or zsh or env or nano or bash or Terminal or xpcproxy or login or cat or cp or launchctl or java)) and not process.executable:(/Applications/* or /private/var/folders/* or /usr/local/*) and file.path:(/private/etc/rc.local or /etc/rc.local or /home/*/.profile or /home/*/.profile1 or /home/*/.bash_profile or /home/*/.bash_profile1 or /home/*/.bashrc or /Users/*/.bash_profile or /Users/*/.zshenv) """, "language": "kuery", "type": "query" }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": null, "apiKey": null, "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-04T06:41:19.339Z", "updatedAt": "2022-07-04T06:41:19.339Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "pending", "lastExecutionDate": "2022-07-04T06:41:19.339Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "legacyId": "4ef58f6a-fb64-11ec-b0c7-71ba69dfcc1b", "mapped_params": { "risk_score": 47, 
"severity": "40-medium" }, "snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-07-04T06:41:19.339Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:4ef2f773-fb64-11ec-b0c7-71ba69dfcc1b", "_score": 0.51025563, "_source": { "alert": { "name": "Permission Theft - Detected - Elastic Endgame", "tags": [ "Elastic", "Elastic Endgame" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [ "Elastic" ], "description": "Elastic Endgame detected Permission Theft. Click the Elastic Endgame icon in the event.module column or the link in the rule.reference column for additional information.", "ruleId": "c3167e1b-f73c-41be-b60b-87f4df707fe3", "falsePositives": [], "from": "now-15m", "immutable": true, "license": "Elastic License v2", "outputIndex": "", "maxSignals": 100, "riskScore": 73, "riskScoreMapping": [], "severity": "high", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 6, "exceptionsList": [], "index": [ "endgame-*" ], "query": """event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) """, "language": "kuery", "type": "query" }, "schedule": { "interval": "10m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": null, "apiKey": null, "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-04T06:41:19.288Z", "updatedAt": "2022-07-04T06:41:19.288Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "pending", "lastExecutionDate": "2022-07-04T06:41:19.288Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "legacyId": "4ef2f773-fb64-11ec-b0c7-71ba69dfcc1b", "mapped_params": { "risk_score": 73, "severity": "60-high" }, "snoozeSchedule": [] }, "type": "alert", 
"references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-07-04T06:41:19.288Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:4ef58f74-fb64-11ec-b0c7-71ba69dfcc1b", "_score": 0.51025563, "_source": { "alert": { "name": "Potential Persistence via Atom Init Script Modification", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Persistence" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [ "Elastic" ], "description": "Identifies modifications to the Atom desktop text editor Init File. Adversaries may add malicious JavaScript code to the init.coffee file that will be executed upon the Atom application opening.", "ruleId": "b4449455-f986-4b5a-82ed-e36b129331f7", "falsePositives": [], "from": "now-9m", "immutable": true, "license": "Elastic License v2", "outputIndex": "", "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "timestampOverride": "event.ingested", "to": "now", "references": [ "https://github.com/D00MFist/PersistentJXA/blob/master/AtomPersist.js", "https://flight-manual.atom.io/hacking-atom/sections/the-init-file/" ], "version": 1, "exceptionsList": [], "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "query": """event.category:"file" and not event.type:"deletion" and file.path:/Users/*/.atom/init.coffee and not process.name:(Atom or xpcproxy) and not user.name:root """, "language": "kuery", "type": "query" }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": null, "apiKey": null, "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-04T06:41:19.356Z", "updatedAt": "2022-07-04T06:41:19.356Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "pending", "lastExecutionDate": "2022-07-04T06:41:19.356Z", "error": null }, "meta": { 
"versionApiKeyLastmodified": "7.15.2" }, "legacyId": "4ef58f74-fb64-11ec-b0c7-71ba69dfcc1b", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-07-04T06:41:19.356Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:4ef58f79-fb64-11ec-b0c7-71ba69dfcc1b", "_score": 0.51025563, "_source": { "alert": { "name": "Potential Privilege Escalation via Sudoers File Modification", "tags": [ "Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [ "Elastic" ], "description": "A sudoers file specifies the commands users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges.", "ruleId": "76152ca1-71d0-4003-9e37-0983e12832da", "falsePositives": [], "from": "now-9m", "immutable": true, "license": "Elastic License v2", "outputIndex": "", "maxSignals": 100, "riskScore": 73, "riskScoreMapping": [], "severity": "high", "severityMapping": [], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "reference": "https://attack.mitre.org/techniques/T1548/", "subtechnique": [ { "id": "T1548.003", "name": "Sudo and Sudo Caching", "reference": "https://attack.mitre.org/techniques/T1548/003/" } ] } ] } ], "timestampOverride": "event.ingested", "to": "now", "references": [], "version": 1, "exceptionsList": [], "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "query": """event.category:process and event.type:start and process.args:(echo and *NOPASSWD*ALL*) """, "language": "kuery", "type": "query" 
}, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": null, "apiKey": null, "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-04T06:41:19.363Z", "updatedAt": "2022-07-04T06:41:19.363Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "pending", "lastExecutionDate": "2022-07-04T06:41:19.363Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "legacyId": "4ef58f79-fb64-11ec-b0c7-71ba69dfcc1b", "mapped_params": { "risk_score": 73, "severity": "60-high" }, "snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-07-04T06:41:19.364Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:4ef5b670-fb64-11ec-b0c7-71ba69dfcc1b", "_score": 0.51025563, "_source": { "alert": { "name": "Modification of Dynamic Linker Preload Shared Object", "tags": [ "Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [ "Elastic" ], "description": "Identifies modification of the dynamic linker preload shared object (ld.so.preload). 
Adversaries may execute malicious payloads by hijacking the dynamic linker used to load libraries.", "ruleId": "717f82c2-7741-4f9b-85b8-d06aeb853f4f", "falsePositives": [], "from": "now-9m", "immutable": true, "license": "Elastic License v2", "outputIndex": "", "maxSignals": 100, "riskScore": 47, "riskScoreMapping": [], "severity": "medium", "severityMapping": [], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1574", "name": "Hijack Execution Flow", "reference": "https://attack.mitre.org/techniques/T1574/", "subtechnique": [ { "id": "T1574.006", "name": "Dynamic Linker Hijacking", "reference": "https://attack.mitre.org/techniques/T1574/006/" } ] } ] } ], "timestampOverride": "event.ingested", "to": "now", "references": [ "https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" ], "version": 2, "exceptionsList": [], "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "query": """event.category:file and not event.type:deletion and file.path:/etc/ld.so.preload """, "language": "kuery", "type": "query" }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": null, "apiKey": null, "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-04T06:41:19.365Z", "updatedAt": "2022-07-04T06:41:19.365Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "pending", "lastExecutionDate": "2022-07-04T06:41:19.365Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "legacyId": "4ef5b670-fb64-11ec-b0c7-71ba69dfcc1b", "mapped_params": { "risk_score": 47, "severity": "40-medium" }, "snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": 
"2022-07-04T06:41:19.365Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:4ef5b671-fb64-11ec-b0c7-71ba69dfcc1b", "_score": 0.51025563, "_source": { "alert": { "name": "Privilege Escalation via Root Crontab File Modification", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [ "Elastic" ], "description": "Identifies modifications to the root crontab file. Adversaries may overwrite this file to gain code execution with root privileges by exploiting privileged file write or move related vulnerabilities.", "ruleId": "0ff84c42-873d-41a2-a4ed-08d74d352d01", "falsePositives": [], "from": "now-9m", "immutable": true, "license": "Elastic License v2", "outputIndex": "", "maxSignals": 100, "riskScore": 73, "riskScoreMapping": [], "severity": "high", "severityMapping": [], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1053", "name": "Scheduled Task/Job", "reference": "https://attack.mitre.org/techniques/T1053/", "subtechnique": [ { "id": "T1053.003", "name": "Cron", "reference": "https://attack.mitre.org/techniques/T1053/003/" } ] } ] } ], "timestampOverride": "event.ingested", "to": "now", "references": [ "https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc", "https://www.exploit-db.com/exploits/42146" ], "version": 1, "exceptionsList": [], "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "query": """event.category:file and not event.type:deletion and file.path:/private/var/at/tabs/root and not process.executable:/usr/bin/crontab """, "language": "kuery", "type": "query" }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": null, "apiKey": null, "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": 
"2022-07-04T06:41:19.368Z", "updatedAt": "2022-07-04T06:41:19.368Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "pending", "lastExecutionDate": "2022-07-04T06:41:19.368Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "legacyId": "4ef5b671-fb64-11ec-b0c7-71ba69dfcc1b", "mapped_params": { "risk_score": 73, "severity": "60-high" }, "snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-07-04T06:41:19.368Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:4ef58f60-fb64-11ec-b0c7-71ba69dfcc1b", "_score": 0.51025563, "_source": { "alert": { "name": "Authorization Plugin Modification", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Persistence" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [ "Elastic" ], "description": "Authorization plugins are used to extend the authorization services API and implement mechanisms that are not natively supported by the OS, such as multi-factor authentication with third party software. 
Adversaries may abuse this feature to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.", "ruleId": "e6c98d38-633d-4b3e-9387-42112cd5ac10", "falsePositives": [], "from": "now-9m", "immutable": true, "license": "Elastic License v2", "outputIndex": "", "maxSignals": 100, "riskScore": 47, "riskScoreMapping": [], "severity": "medium", "severityMapping": [], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0003", "name": "Persistence", "reference": "https://attack.mitre.org/tactics/TA0003/" }, "technique": [ { "id": "T1547", "name": "Boot or Logon Autostart Execution", "reference": "https://attack.mitre.org/techniques/T1547/", "subtechnique": [ { "id": "T1547.002", "name": "Authentication Package", "reference": "https://attack.mitre.org/techniques/T1547/002/" } ] } ] } ], "timestampOverride": "event.ingested", "to": "now", "references": [ "https://developer.apple.com/documentation/security/authorization_plug-ins", "https://www.xorrior.com/persistent-credential-theft/" ], "version": 1, "exceptionsList": [], "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "query": """event.category:file and not event.type:deletion and file.path:(/Library/Security/SecurityAgentPlugins/* and not /Library/Security/SecurityAgentPlugins/TeamViewerAuthPlugin.bundle/Contents/*) """, "language": "kuery", "type": "query" }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": null, "apiKey": null, "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-04T06:41:19.324Z", "updatedAt": "2022-07-04T06:41:19.324Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "pending", "lastExecutionDate": "2022-07-04T06:41:19.324Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "legacyId": "4ef58f60-fb64-11ec-b0c7-71ba69dfcc1b", "mapped_params": { "risk_score": 47, "severity": "40-medium" }, 
"snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.1", "updated_at": "2022-07-04T06:41:19.325Z" } }, { "_index": ".kibana_8.3.1_001", "_id": "alert:4ef58f6d-fb64-11ec-b0c7-71ba69dfcc1b", "_score": 0.51025563, "_source": { "alert": { "name": "Suspicious Child Process of Adobe Acrobat Reader Update Service", "tags": [ "Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [ "Elastic" ], "description": "Detects attempts to exploit privilege escalation vulnerabilities related to the Adobe Acrobat Reader PrivilegedHelperTool responsible for installing updates. For more information, refer to CVE-2020-9615, CVE-2020-9614 and CVE-2020-9613 and verify that the impacted system is patched.", "ruleId": "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7", "falsePositives": [ "Trusted system or Adobe Acrobat Related processes." 
], "from": "now-9m", "immutable": true, "license": "Elastic License v2", "outputIndex": "", "maxSignals": 100, "riskScore": 73, "riskScoreMapping": [], "severity": "high", "severityMapping": [], "threat": [ { "framework": "MITRE ATT&CK", "tactic": { "id": "TA0004", "name": "Privilege Escalation", "reference": "https://attack.mitre.org/tactics/TA0004/" }, "technique": [ { "id": "T1068", "name": "Exploitation for Privilege Escalation", "reference": "https://attack.mitre.org/techniques/T1068/" } ] } ], "timestampOverride": "event.ingested", "to": "now", "references": [ "https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/" ], "version": 1, "exceptionsList": [], "index": [ "auditbeat-*", "logs-endpoint.events.*" ], "query": """event.category:process and event.type:(start or process_started) and process.parent.name:com.adobe.ARMDC.SMJobBlessHelper and user.name:root and not process.executable: (/Library/PrivilegedHelperTools/com.adobe.ARMDC.SMJobBlessHelper or /usr/bin/codesign or /private/var/folders/zz/*/T/download/ARMDCHammer or /usr/sbin/pkgutil or /usr/bin/shasum or /usr/bin/perl* or /usr/sbin/spctl or /usr/sbin/installer) """, "language": "kuery", "type": "query" }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": null, "apiKey": null, "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-04T06:41:19.344Z", "updatedAt": "2022-07-04T06:41:19.344Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "pending", "lastExecutionDate": "2022-07-04T06:41:19.344Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "legacyId": "4ef58f6d-fb64-11ec-b0c7-71ba69dfcc1b", "mapped_params": { "risk_score": 73, "severity": "60-high" }, "snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, 
"coreMigrationVersion": "8.3.1", "updated_at": "2022-07-04T06:41:19.344Z" } } ] } }
```

Please let us know if we are missing something.

Thanks !
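As an added audit example (not code from this thread or from Kibana): a Python script that joins the three `.kibana` searches the thread relies on (the `siem.queryRule` rules, the `siem-detection-engine-rule-actions` sidecars and the `siem.notifications` rules) and groups rules by migration state, so that enabled rules still carrying legacy actions, the condition the telemetry dashboard flagged, are listed explicitly. The sample documents and their ids are constructed to mirror the field layout of the dumps above; fetching the real hits from Elasticsearch is left to the reader.

```python
"""Audit which Security Solution detection rules still carry legacy actions.

Added example for this thread, not Kibana's own code. Input is the `hits`
list of the three saved-object searches the thread runs against .kibana.
Sample documents are constructed: ids are placeholders, fields mirror the
thread's dumps.
"""
from typing import Dict, List, Optional

SIDECAR_TYPE = "siem-detection-engine-rule-actions"
RULE_TYPE = "siem.queryRule"
NOTIFICATION_TYPE = "siem.notifications"


def sidecar_rule_id(hit: dict) -> Optional[str]:
    """A sidecar doc points at its rule through references[name == 'alert_0']."""
    for ref in hit["_source"].get("references", []):
        if ref.get("type") == "alert" and ref.get("name") == "alert_0":
            return ref["id"]
    return None


def rule_action_state(alert: dict) -> str:
    """Classify the rule object's own action fields, as the thread compares them:
    migrated_interval = actions + throttle + notifyWhen onThrottleInterval,
    migrated_each_run = actions + throttle null + notifyWhen onActiveAlert."""
    if not alert.get("actions"):
        return "none"
    if alert.get("throttle") and alert.get("notifyWhen") == "onThrottleInterval":
        return "migrated_interval"
    if alert.get("throttle") is None and alert.get("notifyWhen") == "onActiveAlert":
        return "migrated_each_run"
    return "inconsistent"


def audit_rules(rule_hits: List[dict], sidecar_hits: List[dict],
                notification_hits: List[dict]) -> Dict[str, List[str]]:
    """Group rule names by finding; enabled_with_legacy_actions is the reported bug."""
    sidecar_by_rule = {}
    for hit in sidecar_hits:
        rid = sidecar_rule_id(hit)
        if rid is not None:
            sidecar_by_rule[rid] = hit["_source"][SIDECAR_TYPE]
    # legacy siem.notifications rules name their parent rule in params.ruleAlertId
    notified = {h["_source"]["alert"]["params"]["ruleAlertId"] for h in notification_hits}
    report: Dict[str, List[str]] = {
        "enabled_with_legacy_actions": [], "disabled_with_legacy_actions": [],
        "migrated": [], "empty_sidecar_only": [], "no_actions": [], "inconsistent": []}
    for hit in rule_hits:
        alert = hit["_source"]["alert"]
        if alert.get("alertTypeId") != RULE_TYPE:
            continue
        rule_id = hit["_id"].split(":", 1)[1]  # saved-object ids are "alert:<uuid>"
        sidecar = sidecar_by_rule.get(rule_id)
        has_legacy = bool(sidecar and sidecar.get("actions")) or rule_id in notified
        state = rule_action_state(alert)
        if has_legacy:
            key = "enabled_with_legacy_actions" if alert.get("enabled") else "disabled_with_legacy_actions"
        elif sidecar is not None:
            key = "empty_sidecar_only"  # sidecar left behind although it holds no actions
        elif state.startswith("migrated"):
            key = "migrated"
        else:
            key = "no_actions" if state == "none" else "inconsistent"
        report[key].append(alert["name"])
    return report


# --- constructed sample documents (placeholder ids, thread-shaped fields) ---
SLACK = [{"group": "default", "actionTypeId": ".slack", "actionRef": "action_0",
          "params": {"message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"}}]


def _rule(rid, name, enabled, actions, throttle, notify_when):
    return {"_id": f"alert:{rid}", "_source": {"alert": {
        "name": name, "alertTypeId": RULE_TYPE, "enabled": enabled,
        "actions": actions, "throttle": throttle, "notifyWhen": notify_when}}}


def _sidecar(rid, actions, rule_throttle):
    alert_throttle = None if rule_throttle in ("rule", "no_actions") else rule_throttle
    return {"_id": f"{SIDECAR_TYPE}:sc-{rid}", "_source": {
        SIDECAR_TYPE: {"actions": actions, "ruleThrottle": rule_throttle, "alertThrottle": alert_throttle},
        "references": [{"id": rid, "type": "alert", "name": "alert_0"}]}}


def _notification(rid, interval):
    return {"_id": f"alert:notify-{rid}", "_source": {"alert": {
        "alertTypeId": NOTIFICATION_TYPE, "params": {"ruleAlertId": rid},
        "schedule": {"interval": interval}}}}


SAMPLE_RULES = [
    _rule("rule-hourly", "Every hour", True, [], None, "onActiveAlert"),  # enabled, not migrated
    _rule("rule-daily", "Every day", False, [], None, "onActiveAlert"),   # still disabled
    _rule("rule-weekly", "Every week", True, SLACK, "7d", "onThrottleInterval"),
    _rule("rule-each-run", "Every run", True, SLACK, None, "onActiveAlert"),
    _rule("rule-none", "No action", True, [], None, "onActiveAlert"),
]
SAMPLE_SIDECARS = [_sidecar("rule-hourly", SLACK, "1h"), _sidecar("rule-daily", SLACK, "1d"),
                   _sidecar("rule-none", [], "no_actions")]
SAMPLE_NOTIFICATIONS = [_notification("rule-hourly", "1h"), _notification("rule-daily", "1d")]

if __name__ == "__main__":
    for finding, names in audit_rules(SAMPLE_RULES, SAMPLE_SIDECARS, SAMPLE_NOTIFICATIONS).items():
        print(f"{finding}: {names}")
```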

yctercero commented 2 years ago

@karanverma-qasource are these all prepackaged rules you're testing?

ghost commented 2 years ago

Hi @yctercero ,

We are testing with custom rules, as the above steps mention "Create 4 rules, each with an action at a different interval". Please let us know if we have to test with prepackaged or Elastic prebuilt rules.

Thanks !

yctercero commented 2 years ago

Hey @karanverma-qasource - I'm still not able to recreate even when I tested with bulk enabling. Could you video your entire testing process or set up a zoom meeting to go over it together? I'm still not sure how you're getting the rules in that state. So far, re-enabling rules after migration one by one or using bulk actions - both are migrating as expected.

8.3.2 Pre-migrating

```
## Gets the alerting rule type created for the legacy action
GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.notifications"
    }
  }
}
```
Query results

```json
{ "took": 2, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 3, "relation": "eq" }, "max_score": 0.9444616, "hits": [ { "_index": ".kibana_8.3.2_001", "_id": "alert:5c075e10-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.9444616, "_source": { "alert": { "name": "Every hour", "tags": [ "__internal_rule_alert_id:59994440-01f7-11ed-86b8-3da887c8e8fa" ], "alertTypeId": "siem.notifications", "consumer": "siem", "params": { "ruleAlertId": "59994440-01f7-11ed-86b8-3da887c8e8fa" }, "schedule": { "interval": "1h" }, "enabled": true, "actions": [ { "group": "default", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionTypeId": ".slack", "actionRef": "action_0" } ], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1311967740", "apiKey": "6wNFODL2NWuoQ7IYt8NTeF3zFe/ikGup5dNLn7rab7u0WIoO/hWklcDZ9CFfxDgWFCY32N7TdKrMx2bK4pmot6Tu3aoAtrkbyNyRd0JKQxPEn2eveW5sIg28hlJ7KLMNQGWBir3oNhVTmzM0PYinUp91V/pPsn6NUCnve3jXUSS9YLtdX8ak7NnxlpjAb/MeUyTF0n7yGc5ZhA==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:29:04.077Z", "updatedAt": "2022-07-12T15:29:04.077Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T15:29:07.390Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "scheduledTaskId": "5d338200-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "5c075e10-01f7-11ed-86b8-3da887c8e8fa", "snoozeSchedule": [] }, "type": "alert", "references": [ { "id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "name": "action_0", "type": "action" }, { "id": "59994440-01f7-11ed-86b8-3da887c8e8fa", "name": "param:alert_0", "type": "alert" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T15:29:07.476Z" } }, { "_index": ".kibana_8.3.2_001", "_id": 
"alert:73542e40-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.9444616, "_source": { "alert": { "name": "Every day", "tags": [ "__internal_rule_alert_id:70e7e930-01f7-11ed-86b8-3da887c8e8fa" ], "alertTypeId": "siem.notifications", "consumer": "siem", "params": { "ruleAlertId": "70e7e930-01f7-11ed-86b8-3da887c8e8fa" }, "schedule": { "interval": "1d" }, "enabled": true, "actions": [ { "group": "default", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionTypeId": ".slack", "actionRef": "action_0" } ], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1311967740", "apiKey": "KwI6we6W+D7KehIE5MIfumlplImM0wiNaX0EZ9bipBOc3D18UPQ/fnCMUBROjt98aVygKOfMbiY3fFsdMxahxvBZ/UMSV3qRZhtqBkAg2OkrGPJLjddo42YhMlKnmwa49tAXQ39hLFaMlRE2+qBU7e0KuITNIaaDDzkDUGB4dvps2a9A+4pWxhzYKZWk0PiL1aKSo8JyTWG3cg==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:29:43.169Z", "updatedAt": "2022-07-12T15:29:43.169Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T15:29:46.328Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "scheduledTaskId": "74813c90-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "73542e40-01f7-11ed-86b8-3da887c8e8fa", "snoozeSchedule": [] }, "type": "alert", "references": [ { "id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "name": "action_0", "type": "action" }, { "id": "70e7e930-01f7-11ed-86b8-3da887c8e8fa", "name": "param:alert_0", "type": "alert" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T15:29:46.396Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "alert:8aa36f70-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.9444616, "_source": { "alert": { "name": "Every week", "tags": [ "__internal_rule_alert_id:8899e3d0-01f7-11ed-86b8-3da887c8e8fa" ], "alertTypeId": "siem.notifications", "consumer": "siem", "params": { "ruleAlertId": 
"8899e3d0-01f7-11ed-86b8-3da887c8e8fa" }, "schedule": { "interval": "7d" }, "enabled": true, "actions": [ { "group": "default", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionTypeId": ".slack", "actionRef": "action_0" } ], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1311967740", "apiKey": "R1813rANaWKnrsi3Jgi+8yMQd2FzcVf7HRuP2NCOL7gSmXJiKaefKMhzA/kiFIxtdYJUO/RIbUUQl1z8xRsxrfgY90u+AhxkbM77SzmZuDPRE6ofbnQPS3rJdXi7S0pDbmE1cuwKk9tYPrxH+AcC9YVmm9bA5EPe40c7LDifOkuyy48A4/E70EAq/zsKXebFBsxZ8lDwT5vRIA==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:30:22.294Z", "updatedAt": "2022-07-12T15:30:22.294Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T15:30:25.355Z", "error": null }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "scheduledTaskId": "8bcf9360-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "8aa36f70-01f7-11ed-86b8-3da887c8e8fa", "snoozeSchedule": [] }, "type": "alert", "references": [ { "id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "name": "action_0", "type": "action" }, { "id": "8899e3d0-01f7-11ed-86b8-3da887c8e8fa", "name": "param:alert_0", "type": "alert" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T15:30:25.430Z" } } ] } }
```
```
## Gets the siem sidecar actions
GET .kibana/_search
{
  "query": {
    "term": {
      "type": {
        "value": "siem-detection-engine-rule-actions"
      }
    }
  }
}
```
Query results

```json
{ "took": 1, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 5, "relation": "eq" }, "max_score": 6.1112657, "hits": [ { "_index": ".kibana_8.3.2_001", "_id": "siem-detection-engine-rule-actions:5b6837e0-01f7-11ed-86b8-3da887c8e8fa", "_score": 6.1112657, "_source": { "siem-detection-engine-rule-actions": { "actions": [ { "actionRef": "action_0", "group": "default", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "action_type_id": ".slack" } ], "ruleThrottle": "1h", "alertThrottle": "1h" }, "type": "siem-detection-engine-rule-actions", "references": [ { "id": "59994440-01f7-11ed-86b8-3da887c8e8fa", "type": "alert", "name": "alert_0" }, { "id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "type": "action", "name": "action_0" } ], "namespaces": [ "default" ], "migrationVersion": { "siem-detection-engine-rule-actions": "8.0.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T15:29:02.059Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "siem-detection-engine-rule-actions:72b64090-01f7-11ed-86b8-3da887c8e8fa", "_score": 6.1112657, "_source": { "siem-detection-engine-rule-actions": { "actions": [ { "actionRef": "action_0", "group": "default", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "action_type_id": ".slack" } ], "ruleThrottle": "1d", "alertThrottle": "1d" }, "type": "siem-detection-engine-rule-actions", "references": [ { "id": "70e7e930-01f7-11ed-86b8-3da887c8e8fa", "type": "alert", "name": "alert_0" }, { "id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "type": "action", "name": "action_0" } ], "namespaces": [ "default" ], "migrationVersion": { "siem-detection-engine-rule-actions": "8.0.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T15:29:41.155Z" } }, { "_index": ".kibana_8.3.2_001", "_id": 
"siem-detection-engine-rule-actions:8a0581c0-01f7-11ed-86b8-3da887c8e8fa", "_score": 6.1112657, "_source": { "siem-detection-engine-rule-actions": { "actions": [ { "actionRef": "action_0", "group": "default", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "action_type_id": ".slack" } ], "ruleThrottle": "7d", "alertThrottle": "7d" }, "type": "siem-detection-engine-rule-actions", "references": [ { "id": "8899e3d0-01f7-11ed-86b8-3da887c8e8fa", "type": "alert", "name": "alert_0" }, { "id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "type": "action", "name": "action_0" } ], "namespaces": [ "default" ], "migrationVersion": { "siem-detection-engine-rule-actions": "8.0.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T15:30:20.259Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "siem-detection-engine-rule-actions:a0262e00-01f7-11ed-86b8-3da887c8e8fa", "_score": 6.1112657, "_source": { "siem-detection-engine-rule-actions": { "actions": [ { "actionRef": "action_0", "group": "default", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "action_type_id": ".slack" } ], "ruleThrottle": "rule", "alertThrottle": null }, "type": "siem-detection-engine-rule-actions", "references": [ { "id": "9ea6e100-01f7-11ed-86b8-3da887c8e8fa", "type": "alert", "name": "alert_0" }, { "id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "type": "action", "name": "action_0" } ], "namespaces": [ "default" ], "migrationVersion": { "siem-detection-engine-rule-actions": "8.0.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T15:30:57.383Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "siem-detection-engine-rule-actions:d90c3840-01f7-11ed-86b8-3da887c8e8fa", "_score": 6.1112657, "_source": { "siem-detection-engine-rule-actions": { "actions": [], "ruleThrottle": "no_actions", "alertThrottle": null }, "type": "siem-detection-engine-rule-actions", "references": [ { "id": 
"d7a55540-01f7-11ed-86b8-3da887c8e8fa", "type": "alert", "name": "alert_0" } ], "namespaces": [ "default" ], "migrationVersion": { "siem-detection-engine-rule-actions": "8.0.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T15:32:32.842Z" } } ] } }
```
```
## Get rules
GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.queryRule"
    }
  }
}
```
Query results

```json
{ "took": 1, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 5, "relation": "eq" }, "max_score": 0.5978369, "hits": [ { "_index": ".kibana_8.3.2_001", "_id": "alert:d7a55540-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.5978369, "_source": { "alert": { "name": "No action", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "sdf", "ruleId": "9dc52b27-83e5-4e24-b416-24a754dd145b", "falsePositives": [], "from": "now-360s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "1m", "kibana_siem_app_url": "https://test-actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1311967740", "apiKey": "ofAsY/dwfgsCGedURM871JGQLJ4X8+MiLh7PdRNicdABFWQEb5uX/R8uCoLFfTJvQN/KiZOEWmm1krHz32zIBH/v2IkpxDA4s4Ob3lCMKNSRCxtmnl6DTCq1ToNzbNRkEo1y56qJIvnbE26frWxsOS/olsq0ENVO2gOhl6j39aWbYbeZiDrr6GGzqODdp2xsWi4oFq1IWBXGOg==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:32:30.770Z", "updatedAt": "2022-07-12T15:32:30.770Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T15:57:45.610Z", "error": null, "lastDuration": 3142 }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "scheduledTaskId": "d86dae50-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "d7a55540-01f7-11ed-86b8-3da887c8e8fa", 
"mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T15:57:48.753Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "alert:59994440-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.5978369, "_source": { "alert": { "name": "Every hour", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "asdf", "ruleId": "a9e46830-be2b-49a9-923a-bd6518456225", "falsePositives": [], "from": "now-360s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "1m", "kibana_siem_app_url": "https://test-actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1311967740", "apiKey": "/ZnilBadR1o0nrXZWLfmt7wXqMvHyAcd+TynG/lhy+Y9vxccYM6tCuuRXJxv3OeDteV8kjjMnrfXjv+wAlyd1t0l92ndF6PIxWolfVjXBdv647/vCSA6pn0XM8XJ71t3v7qzQ6uj513rzeRUICUAZXiL+DQgF9wOrx/QE/0mD9OMeJQWQQNry5zlB8u1gjTQboZkrlROWk6lcw==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:29:00.018Z", "updatedAt": "2022-07-12T15:29:00.018Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T15:59:21.619Z", "error": null, "lastDuration": 2825 }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "scheduledTaskId": "5acba9c0-01f7-11ed-86b8-3da887c8e8fa", 
"legacyId": "59994440-01f7-11ed-86b8-3da887c8e8fa", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T15:59:24.446Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "alert:70e7e930-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.5978369, "_source": { "alert": { "name": "Every day", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "asdf", "ruleId": "b124c445-b253-4cab-9304-ae7b5cd2396f", "falsePositives": [], "from": "now-360s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "1m", "kibana_siem_app_url": "https://test-actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1311967740", "apiKey": "9P9d2ROYyZfpswS6OBuLhP24qyUm9qadQderNt4Vi+bmKwOl3klFfKWl5IZhxYB6crk1x753ipkGwGTteSqCvS4A/2A4BF/P3ZqiM01lPNpuxMuacjGx2reygfSSZQZFDunh1r3kxsabFSvBtI15BVfoxTyQEBjuzFimnXCCN6tG5XZOSg97uHyC6GQoMMBTtnrGIYqwttWZ7Q==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:29:39.112Z", "updatedAt": "2022-07-12T15:29:39.112Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T15:59:57.614Z", "error": null, "lastDuration": 2879 }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, 
"scheduledTaskId": "7219b270-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "70e7e930-01f7-11ed-86b8-3da887c8e8fa", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T16:00:00.495Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "alert:9ea6e100-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.5978369, "_source": { "alert": { "name": "Every run", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "sdf", "ruleId": "c819f675-0f78-4b13-903a-5cf5856bae7f", "falsePositives": [], "from": "now-360s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "1m", "kibana_siem_app_url": "https://test-actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [ { "group": "default", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionTypeId": ".slack", "actionRef": "action_0" } ], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1311967740", "apiKey": "uosEPRJlFfNqxrpxTJi1hlXOoMjgEaJQcUB4yYnZ4pdOC1EwNiaA/lbwl9XJ62s6hhwjaIHH8dwxCLvcIyOjZhZM/53pKVIRUtIoyVMyq8WU9zPc50fDV/QfTCs8vNEZzMlkp4FGTr5VQG++zrk3xwurt4/oWN4INR6NM+HiX3H3wOeMm9PNwjJko/HKXqXng3pe/rQLZ54WsQ==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:30:55.336Z", "updatedAt": "2022-07-12T15:30:55.336Z", 
"muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T16:01:15.622Z", "error": null, "lastDuration": 2930 }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "scheduledTaskId": "9f86b9b0-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "9ea6e100-01f7-11ed-86b8-3da887c8e8fa", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [] }, "type": "alert", "references": [ { "id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "name": "action_0", "type": "action" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T16:01:18.552Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "alert:8899e3d0-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.5978369, "_source": { "alert": { "name": "Every week", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "sdf", "ruleId": "bf97c21a-6061-433a-aa49-46a183d523c4", "falsePositives": [], "from": "now-360s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "1m", "kibana_siem_app_url": "https://test-actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": false, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1311967740", "apiKey": "ORFwh7y8a4EIvZ1aZVQm3z5S7X5oVCgRLOFW0eNcVn4evt5ijA73RYWBgvYqJuBcxlIiGu86mIT+4qAjBu/rlC5Wo4iU1VM42KQVkOa4Pm1PJcpRXwJO1GnNlDGUYXxbul/cRZ0JUjdpaSWMkT5BZnR9h2WSNdQgd5fQxMnhqhwrMo9m0PMSO7CZ65ZTprHdJRS2qtY3Li3OZA==", 
"createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:30:18.222Z", "updatedAt": "2022-07-12T15:30:18.222Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T16:01:15.625Z", "error": null, "lastDuration": 2929 }, "meta": { "versionApiKeyLastmodified": "7.15.2" }, "scheduledTaskId": "8968a580-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "8899e3d0-01f7-11ed-86b8-3da887c8e8fa", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [] }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T16:01:18.554Z" } } ] } } ```

8.3.2 Post-migrating

## Gets the alerting rule type created for the legacy action
GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.notifications"
    }
  }
}
Query results ```json { "took": 0, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 0, "relation": "eq" }, "max_score": null, "hits": [] } } ```
## Gets the siem sidecar actions
GET .kibana/_search
{
  "query": {
    "term": {
      "type": {
        "value": "siem-detection-engine-rule-actions"
      }
    }
  }
}
Query results ```json { "took": 0, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 0, "relation": "eq" }, "max_score": null, "hits": [] } } ```
## Get rules
GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.queryRule"
    }
  }
}
Query results ```json { "took": 1, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 5, "relation": "eq" }, "max_score": 0.077961534, "hits": [ { "_index": ".kibana_8.3.2_001", "_id": "alert:9ea6e100-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.077961534, "_source": { "alert": { "name": "Every run", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "sdf", "ruleId": "c819f675-0f78-4b13-903a-5cf5856bae7f", "falsePositives": [], "from": "now-360s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "1m", "kibana_siem_app_url": "https://test-actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1311967740", "apiKey": "8lTAwCXOzSGRP1Ccl1PK37V2Y46j5psLNKcAOQPVJYU528w7ps+KluKPsQX9VDNCXiY8q7OHD2hj7i/ApKeyMWeBLC7fOEpiXOFK19jv4J6QrRaD1AEixI/mrDAQSpSk7He2Arfmf42dku0ULMCs11lbhLe9GV2crU6oMISYU87f/VI0K30IRgqssvsqZZdK9tq9Kcs+3XwF3w==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:30:55.336Z", "updatedAt": "2022-07-12T16:34:10.089Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T16:34:13.784Z", "error": null, "lastDuration": 2073, 
"warning": null }, "meta": { "versionApiKeyLastmodified": "8.3.2" }, "scheduledTaskId": "9ea6e100-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "9ea6e100-01f7-11ed-86b8-3da887c8e8fa", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [], "monitoring": { "execution": { "history": [ { "duration": 2073, "success": true, "timestamp": 1657643655858 } ], "calculated_metrics": { "p99": 2073, "success_ratio": 1, "p50": 2073, "p95": 2073 } } } }, "type": "alert", "references": [ { "id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "name": "action_0", "type": "action" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T16:34:15.866Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "alert:d7a55540-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.077961534, "_source": { "alert": { "name": "No action", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "sdf", "ruleId": "9dc52b27-83e5-4e24-b416-24a754dd145b", "falsePositives": [], "from": "now-360s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "1m", "kibana_siem_app_url": "https://test-actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": true, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1311967740", "apiKey": 
"F9nVV0nSsLGnQmy856hebq1ADTqfrKPrDxaSU5wM9kfw5WiUGvvE3xgODXGapaK9lHD0WQ78cq3+LD5AQFSGZnGKuKRDdRB8H28/5WPqrLELSgEFs0qeRk7TNdMXpVJl8HyGUGcQHqaO0YUKXW3XXrr1CRd3V2hDNkaxPTK6pC1bSWLQpkee9upYIBsiqjfPZBSttWPzZUxahg==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:32:30.770Z", "updatedAt": "2022-07-12T16:34:10.085Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T16:34:13.782Z", "error": null, "lastDuration": 2071, "warning": null }, "meta": { "versionApiKeyLastmodified": "8.3.2" }, "scheduledTaskId": "d7a55540-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "d7a55540-01f7-11ed-86b8-3da887c8e8fa", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [], "monitoring": { "execution": { "history": [ { "duration": 2071, "success": true, "timestamp": 1657643655855 } ], "calculated_metrics": { "p99": 2071, "success_ratio": 1, "p50": 2071, "p95": 2071 } } } }, "type": "alert", "references": [], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T16:34:15.865Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "alert:59994440-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.077961534, "_source": { "alert": { "name": "Every hour", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "asdf", "ruleId": "a9e46830-be2b-49a9-923a-bd6518456225", "falsePositives": [], "from": "now-360s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "1m", "kibana_siem_app_url": "https://test-actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", 
"auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": "1h", "notifyWhen": "onThrottleInterval", "apiKeyOwner": "1311967740", "apiKey": "FhACc3RDA9E8N4xEg0rGEomgfu6WEJsqP7YtPfchiwuKXcV4AYjY/6EhYUj4BC9b/WQHdvCx6CDsLbndkHB/PzoF2GXZ1L4M4RjdMA651s/XHge1MoLEpU59mVgokVCnEMq9Y61CkFlyrrrU8oREOUODb3JSWM2geiXU4Yxl0eLR9m0pF4mhzT9M2KeqQiiz/1lsqoSEG1mnRQ==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:29:00.018Z", "updatedAt": "2022-07-12T16:34:15.051Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T16:34:19.764Z", "lastDuration": 2119, "warning": null, "error": null }, "meta": { "versionApiKeyLastmodified": "8.3.2" }, "scheduledTaskId": "59994440-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "59994440-01f7-11ed-86b8-3da887c8e8fa", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [], "monitoring": { "execution": { "history": [ { "duration": 2119, "success": true, "timestamp": 1657643661884 } ], "calculated_metrics": { "p99": 2119, "success_ratio": 1, "p50": 2119, "p95": 2119 } } } }, "type": "alert", "references": [ { "id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "name": "action_0", "type": "action" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T16:34:21.889Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "alert:8899e3d0-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.077961534, "_source": { "alert": { "name": "Every week", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "sdf", 
"ruleId": "bf97c21a-6061-433a-aa49-46a183d523c4", "falsePositives": [], "from": "now-360s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "1m", "kibana_siem_app_url": "https://test-actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": "7d", "notifyWhen": "onThrottleInterval", "apiKeyOwner": "1311967740", "apiKey": "FJ+fmfRaY/rw15/0UHOOC35l18Li59r+2BcVeLJBez7efAExKartj8NwUY52LQ30NWhOiwDbFj9JaPlUw7TYv4RB60VjGessydTmLffH/xEe+ASeRCa7ALL5a7+MNvCdmCuxtaB+1OpH9qxUAwdZP4XvwjGSJziKrpFsIPP0+o3SVawCzWEXS4c/oXkGwXxf/NB15yYaltltDA==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:30:18.222Z", "updatedAt": "2022-07-12T16:34:15.053Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T16:34:19.763Z", "lastDuration": 2124, "warning": null, "error": null }, "meta": { "versionApiKeyLastmodified": "8.3.2" }, "scheduledTaskId": "8899e3d0-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "8899e3d0-01f7-11ed-86b8-3da887c8e8fa", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [], "monitoring": { "execution": { "history": [ { "duration": 2124, "success": true, "timestamp": 1657643661888 } ], "calculated_metrics": { "p99": 2124, "success_ratio": 1, "p50": 2124, "p95": 2124 } } } }, "type": "alert", "references": [ { 
"id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "name": "action_0", "type": "action" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T16:34:21.893Z" } }, { "_index": ".kibana_8.3.2_001", "_id": "alert:70e7e930-01f7-11ed-86b8-3da887c8e8fa", "_score": 0.077961534, "_source": { "alert": { "name": "Every day", "tags": [ "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "asdf", "ruleId": "b124c445-b253-4cab-9304-ae7b5cd2396f", "falsePositives": [], "from": "now-360s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "1m", "kibana_siem_app_url": "https://test-actions.kb.us-central1.gcp.foundit.no:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "*:*", "filters": [] }, "schedule": { "interval": "5m" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": "1d", "notifyWhen": "onThrottleInterval", "apiKeyOwner": "1311967740", "apiKey": "QwHA/0+0zMwyJLSq1rdGHTIy8lMvm0HEZwUBffXPJRkwy9YccDOKjcfQB5oHyLWpuBw0fbNscJj8SZfr0jV+1wpjkduVl+P6hkxB/88+QCabEpwOdQrP45jBFt+GrFLlMUNto4hqpL/jy0Twc3yHGRVWAMOE/Mn69fugEZ3ulHQqv7bwqpcsoQT7yGsGq9keodz9deSauqhEAg==", "createdBy": "1311967740", "updatedBy": "1311967740", "createdAt": "2022-07-12T15:29:39.112Z", "updatedAt": "2022-07-12T16:34:15.053Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-12T16:34:19.765Z", 
"lastDuration": 2126, "warning": null, "error": null }, "meta": { "versionApiKeyLastmodified": "8.3.2" }, "scheduledTaskId": "70e7e930-01f7-11ed-86b8-3da887c8e8fa", "legacyId": "70e7e930-01f7-11ed-86b8-3da887c8e8fa", "mapped_params": { "risk_score": 21, "severity": "20-low" }, "snoozeSchedule": [], "monitoring": { "execution": { "history": [ { "duration": 2126, "success": true, "timestamp": 1657643661892 } ], "calculated_metrics": { "p99": 2126, "success_ratio": 1, "p50": 2126, "p95": 2126 } } } }, "type": "alert", "references": [ { "id": "557b7ea0-01f7-11ed-86b8-3da887c8e8fa", "name": "action_0", "type": "action" } ], "namespaces": [ "default" ], "migrationVersion": { "alert": "8.3.0" }, "coreMigrationVersion": "8.3.2", "updated_at": "2022-07-12T16:34:21.897Z" } } ] } } ```
ghost commented 2 years ago

Hi @yctercero,

Thank you so much for your kind help, we have validated the above issue on 8.3.2 and it's fixed.

Build Details:

VERSION: 8.3.2
BUILD: 53596
COMMIT: 12341eba941264b1d015dc6394ec3f006b13b1af
GET .kibana/_search
{
  "query": {
    "term": {
      "alert.alertTypeId": "siem.notifications"
    }
  }
}
Query Results ``` { "took": 0, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 0, "relation": "eq" }, "max_score": null, "hits": [] } } ```
GET .kibana/_search
{
  "query": {
    "term": {
      "type": {
        "value": "siem-detection-engine-rule-actions"
      }
    }
  }
}
Query Results ```json { "took": 44, "timed_out": false, "_shards": { "total": 1, "successful": 1, "skipped": 0, "failed": 0 }, "hits": { "total": { "value": 0, "relation": "eq" }, "max_score": null, "hits": [] } } ```
GET .kibana/_search 
{
  "size": 10000
}
Query results ``` { "_index": ".kibana_8.3.2_001", "_id": "alert:922647e0-028d-11ed-a22a-5d8363675bed", "_score": 1, "_source": { "alert": { "name": "Hourly Run", "tags": [ "qa", "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "testing", "ruleId": "81130315-7791-4ab7-bbac-be0ecb8bb4b3", "falsePositives": [], "from": "now-36010s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "10h", "kibana_siem_app_url": "https://44728024f7fd4ca48214d670d8f82a96.europe-west1.gcp.cloud.es.io:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "process.name : \"powershell.exe\" ", "filters": [] }, "schedule": { "interval": "10s" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": "1h", "notifyWhen": "onThrottleInterval", "apiKeyOwner": "1368683100", "apiKey": "57Cw6YyRa/E2foaguNekW64U4cBn/ifCnBQ0h3eRLFYTeApP1PmbclNqSGRtD1teXnzMR5pNY3Pr4PwV0M2uzsMPqkwWgl8J36ljMaU0pPObLDgCE2zgsGpCfOXShIZ4SW8OVO3Ra9LlHBjuUYDsDven7oNeTY+N9SxTvxmB3qzdDFmjTmeKPNxSFFSZtgQLeFU7NuZSRwYFOA==", "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-13T09:24:18.873Z", "updatedAt": "2022-07-14T16:02:54.785Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-18T04:50:53.873Z", "lastDuration": 1518, "warning": null, "error": null }, "meta": { "versionApiKeyLastmodified": "8.3.2" }, "scheduledTaskId": "922647e0-028d-11ed-a22a-5d8363675bed", "legacyId": 
"922647e0-028d-11ed-a22a-5d8363675bed", "mapped_params": { "risk_score": 21, "severity": "20-low" }{ "_index": ".kibana_8.3.2_001", "_id": "alert:b543d800-028d-11ed-a22a-5d8363675bed", "_score": 1, "_source": { "alert": { "name": "Daily run", "tags": [ "qa", "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "testing", "ruleId": "321615ca-14bf-423b-9679-3838cbc5b478", "falsePositives": [], "from": "now-36010s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "10h", "kibana_siem_app_url": "https://44728024f7fd4ca48214d670d8f82a96.europe-west1.gcp.cloud.es.io:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "process.name : \"powershell.exe\" ", "filters": [] }, "schedule": { "interval": "10s" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": "1d", "notifyWhen": "onThrottleInterval", "apiKeyOwner": "1368683100", "apiKey": "S5wrGjS1FdtxOpZ4Pew+e7D9v4+zlkEYHv+KfFUwClqNVShg+zYY7+0we5LQpYfrMBb6rDM3HL7OX1/Sutudwoo3ooklYQcFyEJxC5xmcFgODQ00h+q9LKAgCXP6LsBEGV2G8mPUMGj39oLDrqJoKVTIre5Iy2K9NLEBBdWcqfH5EIiYaZTIFYjkVqlfmkbjrJHCo7pFa3CQzA==", "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-13T09:25:18.348Z", "updatedAt": "2022-07-14T16:02:54.787Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-18T04:50:59.845Z", "lastDuration": 1653, "warning": null, "error": null }, "meta": { "versionApiKeyLastmodified": 
"8.3.2" }, "scheduledTaskId": "b543d800-028d-11ed-a22a-5d8363675bed", "legacyId": "b543d800-028d-11ed-a22a-5d8363675bed", "mapped_params": { "risk_score": 21, "severity": "20-low" } { "_index": ".kibana_8.3.2_001", "_id": "alert:d9cf7710-028d-11ed-a22a-5d8363675bed", "_score": 1, "_source": { "alert": { "name": "Weekly Run", "tags": [ "qa", "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "testing", "ruleId": "baed84b4-92e4-4a9a-aa39-fe26329eb61b", "falsePositives": [], "from": "now-36010s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "10h", "kibana_siem_app_url": "https://44728024f7fd4ca48214d670d8f82a96.europe-west1.gcp.cloud.es.io:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "process.name : \"powershell.exe\" ", "filters": [] }, "schedule": { "interval": "10s" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": "7d", "notifyWhen": "onThrottleInterval", "apiKeyOwner": "1368683100", "apiKey": "0PmNJDHUBUh2HS1ORkuQy1R4SOZzqG47WvpsYQT+4wFzFC3+HJOJVQrDu7V3NvZOvcjT6VQdsjklSIYLxvfPAzmssWH0QlnKAQJgnV/gE74jRihrbsxEG54atxfv4+R6YBr5QVHyq64wDpdaFXmu36XYO5e40pZ5sB6zxmeWFCr2saH8oETHsV+icYhlq4pswgg8fGH96msZWA==", "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-13T09:26:19.556Z", "updatedAt": "2022-07-14T16:02:54.786Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "active", "lastExecutionDate": "2022-07-18T04:50:59.845Z", 
"lastDuration": 1656, "warning": null, "error": null }, "meta": { "versionApiKeyLastmodified": "8.3.2" }, "scheduledTaskId": "d9cf7710-028d-11ed-a22a-5d8363675bed", "legacyId": "d9cf7710-028d-11ed-a22a-5d8363675bed", "mapped_params": { "risk_score": 21, "severity": "20-low" } { "_index": ".kibana_8.3.2_001", "_id": "alert:30369080-028d-11ed-a22a-5d8363675bed", "_score": 1, "_source": { "alert": { "name": "No Action", "tags": [ "qa", "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "testing", "ruleId": "106bf3d6-5d49-4c51-8a9b-f22f27ca8506", "falsePositives": [], "from": "now-36010s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "10h", "kibana_siem_app_url": "https://44728024f7fd4ca48214d670d8f82a96.europe-west1.gcp.cloud.es.io:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "process.name : \"powershell.exe\" ", "filters": [] }, "schedule": { "interval": "10s" }, "enabled": true, "actions": [], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1368683100", "apiKey": "U2nVQrqUY+lSSsFgUnnEOvSPbOf4AJUBsiLQeinUU0Ym86Fkd7JtWwve6KCjaFRJzY0E8A6adbg0lf8XJYZycGowxJ1czzPyj1UslM2acGCtn6twJIWlS3dYqBbfV8qp5gr6QOq4rWOHzWlulMtAOPiUA2YCQ9eGzDcaEjh7i4uquURC5LBoLeXbS7WxiWuGDK5XDC6XUkz/VQ==", "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-13T09:21:35.094Z", "updatedAt": "2022-07-14T16:02:49.750Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-18T04:50:59.844Z", "error": null, "lastDuration": 1648, "warning": null }, "meta": { "versionApiKeyLastmodified": 
"8.3.2" }, "scheduledTaskId": "30369080-028d-11ed-a22a-5d8363675bed", "legacyId": "30369080-028d-11ed-a22a-5d8363675bed", "mapped_params": { "risk_score": 21, "severity": "20-low" } { "_index": ".kibana_8.3.2_001", "_id": "alert:6c62ec20-028d-11ed-a22a-5d8363675bed", "_score": 1, "_source": { "alert": { "name": "Every run", "tags": [ "qa", "auto_disabled_8.0" ], "alertTypeId": "siem.queryRule", "consumer": "siem", "params": { "author": [], "description": "testing", "ruleId": "a504912f-d913-406a-a329-0ea962711459", "falsePositives": [], "from": "now-36010s", "immutable": false, "license": "", "outputIndex": "", "meta": { "from": "10h", "kibana_siem_app_url": "https://44728024f7fd4ca48214d670d8f82a96.europe-west1.gcp.cloud.es.io:9243/app/security" }, "maxSignals": 100, "riskScore": 21, "riskScoreMapping": [], "severity": "low", "severityMapping": [], "threat": [], "to": "now", "references": [], "version": 1, "exceptionsList": [], "type": "query", "language": "kuery", "index": [ "apm-*-transaction*", "traces-apm*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*" ], "query": "process.name : \"powershell.exe\" ", "filters": [] }, "schedule": { "interval": "10s" }, "enabled": true, "actions": [ { "actionTypeId": ".slack", "params": { "message": "Rule {{context.rule.name}} generated {{state.signals_count}} alerts" }, "actionRef": "action_0", "group": "default" } ], "throttle": null, "notifyWhen": "onActiveAlert", "apiKeyOwner": "1368683100", "apiKey": "oWQ3Fnvg2wiFrClhvCjHhpypmTLT47HfnOug5k2JUHp8aI7sT5U1O1oUDSJORitLBaNGD8sREnNbm0dFZzmosfCnjH61t2YivXmk4BxykS6LVVICYgWtczfCx1gvLl6hCv8puudH3kuk2aZNAdn9Kqpj2yohH0bnDMGqz4hi1aRtK6YMyuu2EwtOqDxxr3LIRi8WBurqXtd79Q==", "createdBy": "1368683100", "updatedBy": "1368683100", "createdAt": "2022-07-13T09:23:15.594Z", "updatedAt": "2022-07-14T16:02:49.763Z", "muteAll": false, "mutedInstanceIds": [], "executionStatus": { "status": "ok", "lastExecutionDate": "2022-07-18T04:50:53.873Z", "error": null, 
"lastDuration": 1515, "warning": null }, "meta": { "versionApiKeyLastmodified": "8.3.2" }, "scheduledTaskId": "6c62ec20-028d-11ed-a22a-5d8363675bed", "legacyId": "6c62ec20-028d-11ed-a22a-5d8363675bed", "mapped_params": { "risk_score": 21, "severity": "20-low" } ```