[Security Solution] - Feat Add `Severity` and `risk_score` to the Siem migrations #211202
Conversation
Pinging @elastic/security-threat-hunting (Team:Threat Hunting)
We have been using @Charelzard How do we plan to handle release notes?
Review comment threads (outdated, resolved) on:
- ...mponents/data_input_flyout/steps/rules/sub_steps/rules_file_upload/splunk_rules.test.data.ts
- x-pack/solutions/security/plugins/security_solution/common/siem_migrations/constants.ts
- ...ponents/data_input_flyout/steps/rules/sub_steps/rules_file_upload/rules_file_upload.test.tsx
- ...ns/rules/task/agent/sub_graphs/translate_rule/nodes/translation_result/translation_result.ts
- ..._solution/server/lib/siem_migrations/rules/task/util/map_original_rule_risk_score_elastic.ts
LGTM! Thanks @logeekal 💯
@elastic/security-detection-engine team, please refer to commit 7a5135d where I have moved Please let me know if you have any opinions against this change. cc: @semd
Thanks for reusing the logic from detections @logeekal
2 files impacted the Threat Hunting Investigations team, LGTM
Review comment thread (resolved) on:
- x-pack/solutions/security/plugins/security_solution/common/detection_engine/constants.ts
Detection Engine changes LGTM, just moving definitions around.
@logeekal, when I tried to test the PR by uploading the Splunk rules attached to the description, I got an error.

Do I need to do some additional set up for this functionality to work?
Edit: I was able to replicate this error with the OpenAI connector. I will check why telemetry is causing the issue.
Yes, I am using the OpenAI Azure connector too.
Could you please try now as well? After updating
💚 Build Succeeded
I've got 429, too many requests:
At least it proves it tried to migrate rules.
Thanks. Yes, this error occurs sometimes depending on the connector. But it should be resolved soon with this PR: #211469
Starting backport for target branches: 8.18, 8.x, 9.0
…m migrations (elastic#211202)

## Summary

Handles below Features:
- elastic/security-team#11837

This PR adds `risk_score` and `severity` based on below 3 rules:
- `Rule Severity` should be mapped to Splunk's `alert.severity`.
- `Rule Severity` values should be mapped as mentioned in below section Mapping Elastic Security Rule's Severity with Splunk's Severity

> |Splunk's Severity| Elastic Rule Severity |
> |---|---|
> |1- Info|Low|
> |2-Low|Low|
> |3-Medium|Medium|
> |4-High|High|
> |5-Critical|Critical|

- Elastic Security Rule's `Risk Score` derived from the `Severity` of the Rule based on below mapping ([Source](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#rule-ui-basic-params))

## Desk Testing

[splunk_rules_test_severity.json](https://github.com/user-attachments/files/18825855/splunk_rules_test_severity.json)

1. Use the above attached test file which has the `alert.severity` exported from Splunk.
2. Check that the Severity of the translated rule matches the mapping given above. Expect results like below:

<img width="1474" alt="Screenshot 2025-02-17 at 14 19 23" src="https://github.com/user-attachments/assets/a8459c71-3208-480e-8049-05293a0a3d2a" />

### Checklist

Check the PR satisfies following conditions. Reviewers should verify this PR satisfies this list as well.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/main/src/platform/packages/shared/kbn-i18n/README.md)
- [x] [Unit or functional tests](https://www.elastic.co/guide/en/kibana/master/development-tests.html) were updated or added to match the most common scenarios

### Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

- [ ] [See some risk examples](https://github.com/elastic/kibana/blob/main/RISK_MATRIX.mdx)
- [ ] ...

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
(cherry picked from commit 74ef9fc)
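A worked mapper for the two rules in the commit message above (Splunk `alert.severity` to Elastic `severity`, then `risk_score` from that severity), written here as an added example and not the PR's or Kibana's own code. The 21/47/73/99 values are Elastic Security's documented default risk scores per severity; the `SplunkRule` shape, the sample rules and the `low` fallback for a missing or unrecognised level are assumptions of this example.

```typescript
// Added example, not Kibana's own code. Maps a Splunk saved search's
// `alert.severity` (exported as "1".."5") to an Elastic Security rule's
// `severity` and the default `risk_score` for that severity, following the
// table in the PR description. The 21/47/73/99 defaults are Elastic Security's
// documented default risk scores per severity; the fallback to 'low' for a
// missing or unrecognised value is an assumption of this example.

type ElasticSeverity = 'low' | 'medium' | 'high' | 'critical';

// Splunk severity levels: 1 Info, 2 Low, 3 Medium, 4 High, 5 Critical.
// Info has no Elastic counterpart and is folded into Low, per the PR table.
const SPLUNK_TO_ELASTIC_SEVERITY: { [splunkLevel: string]: ElasticSeverity | undefined } = {
  '1': 'low',
  '2': 'low',
  '3': 'medium',
  '4': 'high',
  '5': 'critical',
};

// Elastic Security default risk score for each severity (0-100 scale).
const DEFAULT_RISK_SCORE_BY_SEVERITY: Record<ElasticSeverity, number> = {
  low: 21,
  medium: 47,
  high: 73,
  critical: 99,
};

// Assumption: a rule whose severity cannot be determined gets the lowest
// severity instead of failing the translation, so it is still imported for review.
const FALLBACK_SEVERITY: ElasticSeverity = 'low';

// Minimal, assumed shape of a Splunk saved-search export; only the fields used here.
interface SplunkRule {
  title: string;
  search: string;
  'alert.severity'?: string | number | null;
}

interface SeverityTranslation {
  title: string;
  severity: ElasticSeverity;
  risk_score: number;
  // false when the fallback was applied, so a reviewer can spot rules to re-check
  severityFromSplunk: boolean;
}

// Returns the Elastic severity for a Splunk level, or undefined when the value
// is absent or not one of the five known levels (e.g. "", "9", "unknown").
function mapSplunkSeverity(raw: string | number | null | undefined): ElasticSeverity | undefined {
  if (raw === null || raw === undefined) return undefined;
  const key = String(raw).trim();
  return SPLUNK_TO_ELASTIC_SEVERITY[key];
}

function riskScoreForSeverity(severity: ElasticSeverity): number {
  return DEFAULT_RISK_SCORE_BY_SEVERITY[severity];
}

function translateSeverity(rule: SplunkRule): SeverityTranslation {
  const mapped = mapSplunkSeverity(rule['alert.severity']);
  const severity = mapped ?? FALLBACK_SEVERITY;
  return {
    title: rule.title,
    severity,
    risk_score: riskScoreForSeverity(severity),
    severityFromSplunk: mapped !== undefined,
  };
}

function translateAll(rules: SplunkRule[]): SeverityTranslation[] {
  return rules.map(translateSeverity);
}

// Constructed sample rules standing in for a Splunk export such as the PR's
// splunk_rules_test_severity.json; the searches are illustrative only.
const SAMPLE_RULES: SplunkRule[] = [
  { title: 'Informational login audit', search: 'index=auth | stats count by user', 'alert.severity': '1' },
  { title: 'Suspicious process spawn', search: 'index=endpoint parent_process=cmd.exe', 'alert.severity': 4 },
  { title: 'Credential dumping detected', search: 'index=endpoint process=procdump.exe', 'alert.severity': '5' },
  { title: 'Legacy rule without severity', search: 'index=main sourcetype=syslog error' },
];

for (const t of translateAll(SAMPLE_RULES)) {
  const note = t.severityFromSplunk ? '' : ' (fallback applied)';
  console.log(`${t.title}: severity=${t.severity} risk_score=${t.risk_score}${note}`);
}
```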
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions? Please refer to the Backport tool documentation
…he Siem migrations (#211202) (#212118)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Solution] - Feat Add `Severity` and `risk_score` to the Siem migrations (#211202)](#211202)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Jatin Kathuria <jatin.kathuria@elastic.co>
…the Siem migrations (#211202) (#212116)

# Backport

This will backport the following commits from `main` to `8.18`:
- [[Security Solution] - Feat Add `Severity` and `risk_score` to the Siem migrations (#211202)](#211202)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)

Co-authored-by: Jatin Kathuria <jatin.kathuria@elastic.co>