Version: 5.0

Installing Configurations

The first stage is designed to automate the deployment and configuration of dependent objects for the Smart EDR module. Configuration is performed using the utility make_smart_edr.py. The utility is provided in the smart_edr_ko_maker package and located in the bin directory. The utility performs the following tasks:

  1. Deployment of knowledge objects (Smart Monitor entities)
  2. Creation of index templates
  3. Creation of indexes
  4. Deployment of ISM (Index State Management) policies
  5. Loading rules from a CSV file

Requirements

  1. Python 3.x
  2. Installed dependencies: requests, urllib3
  3. Access to the Smart Monitor cluster with administrator credentials

Utility Structure

The script contains the following directory structure:

./
├── data/                  # Main directory with configurations
│   ├── sm_*/              # Directories with Smart Monitor entities (names start with sm_)
│   ├── index_templates/   # Index templates
│   ├── indexes/           # Index configurations
│   └── ism_policies/      # Index state management policies
└── lookups/
    └── rules.csv          # CSV file with rules

File Formats

Warning: the index settings (indexes) and policies (ism_policies) are for demonstration purposes and must be adjusted to the installation's requirements for data rotation and replication.

  1. Smart Monitor Entities (in sm_* directories): JSON files with metadata in the _meta field and a unique identifier
  2. Index Templates (index_templates):

     {
       "name": "template_name",
       "index_template": {
         // template configuration
       }
     }

  3. Indexes (indexes):

     {
       "index_name": {
         // index configuration
       }
     }

  4. ISM Policies (ism_policies):

     {
       "policy": {
         "policy_id": "policy_name",
         // remaining configuration
       }
     }

  5. Rules (rules.csv): current list of threat detection rules for BI.ZONE EDR
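A preflight check of the bundle before it is pushed to the cluster is cheap and catches most packaging mistakes (a template without a name, two policies with the same policy_id, a file in the wrong directory). The validator below is an added example, not code from the smart_edr_ko_maker package: it walks the data/ layout and the JSON shapes listed above and reports every problem it finds. The directory names and JSON keys are the page's; the "bundle" dict (relative path -> parsed content), the RULES_KEY constant and every function name are this example's own, and because the page does not say which key carries an entity's unique identifier, sm_* files are checked for _meta only.

```python
"""Preflight validator for a Smart EDR configuration bundle.

Added example, not part of the smart_edr_ko_maker package. Checks the data/
layout and the JSON shapes documented above before make_smart_edr.py is run,
so a malformed file fails locally instead of part-way through the deployment.
"""
import csv
import json
import sys
from pathlib import Path

# Relative location of the rules file; the page places it outside data/.
RULES_KEY = "lookups/rules.csv"


def load_bundle(root):
    """Read data/**/*.json and the rules.csv header row into one dict."""
    root = Path(root)
    bundle = {}
    data_dir = root / "data"
    for path in sorted(data_dir.rglob("*.json")):
        with open(path, encoding="utf-8") as fh:
            bundle[path.relative_to(data_dir).as_posix()] = json.load(fh)
    rules = root / RULES_KEY
    if rules.is_file():
        with open(rules, newline="", encoding="utf-8") as fh:
            bundle[RULES_KEY] = next(csv.reader(fh), [])  # header columns only
    return bundle


def validate_bundle(bundle):
    """Return a sorted list of problems; an empty list means the bundle is well-formed."""
    problems = []
    seen = {"template": {}, "index": {}, "policy": {}}

    def unique(kind, name, rel):
        # Two files deploying the same object would overwrite each other on the cluster.
        first = seen[kind].setdefault(name, rel)
        if first != rel:
            problems.append(f"{rel}: duplicate {kind} '{name}' (also in {first})")

    for rel, doc in bundle.items():
        if rel == RULES_KEY:
            if not doc:
                problems.append(f"{rel}: empty rules file")
            continue
        top = rel.split("/", 1)[0]
        if top.startswith("sm_"):
            # Smart Monitor entity: metadata lives in _meta (identifier key not documented here)
            if not isinstance(doc, dict) or "_meta" not in doc:
                problems.append(f"{rel}: Smart Monitor entity has no _meta field")
        elif top == "index_templates":
            if (not isinstance(doc, dict) or not doc.get("name")
                    or not isinstance(doc.get("index_template"), dict)):
                problems.append(f"{rel}: template needs 'name' and an 'index_template' object")
            else:
                unique("template", doc["name"], rel)
        elif top == "indexes":
            if (not isinstance(doc, dict) or len(doc) != 1
                    or not isinstance(next(iter(doc.values())), dict)):
                problems.append(f"{rel}: index file must map exactly one index name to its configuration")
            else:
                unique("index", next(iter(doc)), rel)
        elif top == "ism_policies":
            policy = doc.get("policy") if isinstance(doc, dict) else None
            if not isinstance(policy, dict) or not policy.get("policy_id"):
                problems.append(f"{rel}: ISM policy needs policy.policy_id")
            else:
                unique("policy", policy["policy_id"], rel)
        else:
            problems.append(f"{rel}: not in a recognised subdirectory of data/")
    if RULES_KEY not in bundle:
        problems.append(f"{RULES_KEY}: missing")
    return sorted(problems)


if __name__ == "__main__":
    # Usage: python validate_bundle.py <path to the unpacked smart_edr_ko_maker directory>
    found = validate_bundle(load_bundle(sys.argv[1] if len(sys.argv) > 1 else "."))
    for line in found:
        print(line)
    sys.exit(1 if found else 0)
```

Run it from the package directory before make_smart_edr.py; a non-zero exit status makes it usable as a gate in whatever pipeline produces the bundle. The duplicate check matters most for ISM policies, since the verification steps below look for exactly one policy named bizone.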

Installation Sequence

1. Running Configuration Installation

Installation is performed by running the utility make_smart_edr.py:

python make_smart_edr.py --sm_host <host> --sm_user <user> --sm_password <password> [--sm_port <port>]

Command line parameters:

Parameter       Required   Type   Default   Description
--sm_host       Yes        str    -         Smart Monitor host (one of the cluster nodes)
--sm_port       No         int    9200      Smart Monitor port
--sm_user       Yes        str    -         Username
--sm_password   Yes        str    -         User password

Example execution:

python make_smart_edr.py --sm_host open-search-host-1.my_company.ru --sm_user admin --sm_password securepassword --sm_port 9200

2. Verifying Configuration Application

  1. In the Index Policies section (Main Menu - System Parameters - Index Management - Index Policies), the policy bizone is displayed.

  2. In the Managed Indexes section (Main Menu - System Parameters - Index Management - Managed Indexes), the module indexes managed by the policy bizone are displayed.

  3. In the Templates section (Main Menu - System Parameters - Index Management - Templates), the module templates are displayed.

  4. In the Directory List (Main Menu - Lookup Manager - Directory List), the module directories are displayed:

    • bizone_alert_setting
    • dim_bizone_host
    • dim_bizone_rule
    • dim_bizone_task
    • link_bizone_alert_severity_incident_severity
  5. The dim_bizone_rule directory contains a list of threat detection rules
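The same checks can be scripted against the cluster API so they can be repeated after every run of the utility. The script below is an added example, not code from the smart_edr_ko_maker package, and it rests on assumptions the page does not state outright: that Smart Monitor answers on --sm_port with the OpenSearch REST API and its Index State Management (ISM) plugin endpoints (the page's example host name and default port 9200 point that way), that the cluster is reached over https, and that the explain response labels each index with the key held in ISM_KEY. The policy id bizone comes from the steps above; the index pattern and template names used in SAMPLE_RESPONSES are constructed placeholders, and all function names are this example's own.

```python
"""Post-install verification of Smart EDR objects through the cluster REST API.

Added example, not part of the smart_edr_ko_maker package. Assumes an
OpenSearch-compatible API with the ISM plugin (see the lead-in for the full
list of assumptions).
"""
import sys

POLICY_ID = "bizone"
# Key under which ISM explain reports the policy attached to an index (assumed).
ISM_KEY = "index.plugins.index_state_management.policy_id"


def check_policy(get, base):
    """True if the ISM policy POLICY_ID exists on the cluster."""
    status, body = get(f"{base}/_plugins/_ism/policies/{POLICY_ID}")
    return status == 200 and body.get("policy", {}).get("policy_id") == POLICY_ID


def unmanaged_indexes(get, base, pattern):
    """Names of indexes matching pattern that are NOT managed by POLICY_ID."""
    status, body = get(f"{base}/_plugins/_ism/explain/{pattern}")
    if status != 200:
        raise RuntimeError(f"ISM explain returned HTTP {status}")
    missing = []
    for name, info in body.items():
        if not isinstance(info, dict):
            continue  # skips the total_managed_indices counter
        if info.get(ISM_KEY) != POLICY_ID and info.get("policy_id") != POLICY_ID:
            missing.append(name)
    return sorted(missing)


def missing_templates(get, base, names):
    """Subset of names for which no index template is installed."""
    absent = []
    for name in names:
        status, body = get(f"{base}/_index_template/{name}")
        present = status == 200 and any(
            t.get("name") == name for t in body.get("index_templates", []))
        if not present:
            absent.append(name)
    return absent


def requests_get(user, password, verify=True):
    """Build a getter that talks to a real cluster (requests is a listed dependency)."""
    import requests

    def get(url):
        resp = requests.get(url, auth=(user, password), verify=verify, timeout=30)
        try:
            return resp.status_code, resp.json()
        except ValueError:
            return resp.status_code, {}
    return get


# Constructed sample responses so the checks can be exercised offline.
SAMPLE_RESPONSES = {
    "_plugins/_ism/policies/bizone": (200, {"policy": {"policy_id": "bizone"}}),
    "_plugins/_ism/explain/bizone-*": (200, {
        "bizone-alerts-000001": {ISM_KEY: "bizone"},
        "bizone-events-000001": {ISM_KEY: None},   # index exists but policy not attached
        "total_managed_indices": 1,
    }),
    "_index_template/bizone_alerts": (200, {
        "index_templates": [{"name": "bizone_alerts", "index_template": {}}]}),
}


def sample_get(url):
    """Getter over SAMPLE_RESPONSES; strips scheme and host from the URL."""
    path = url.split("/", 3)[3]
    return SAMPLE_RESPONSES.get(path, (404, {}))


if __name__ == "__main__":
    # Usage: python verify_smart_edr.py <host> <user> <password> [port]
    host, user, password = sys.argv[1:4]
    port = sys.argv[4] if len(sys.argv) > 4 else "9200"
    base = f"https://{host}:{port}"  # scheme is an assumption
    get = requests_get(user, password)
    print("policy bizone present:", check_policy(get, base))
    print("indexes without policy:", unmanaged_indexes(get, base, "bizone-*"))
    print("missing templates:", missing_templates(get, base, ["bizone_alerts"]))
```

The index pattern and template names passed in the usage block are placeholders; take the real ones from the files in data/indexes and data/index_templates of the package you deployed. An index that exists but appears in the unmanaged list is the case the Managed Indexes check in the UI is meant to catch: its data will never be rotated by the bizone policy.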