Version: 5.3

Configuration Installation

The first stage automates the deployment and setup of the module objects that Smart EDR depends on. The setup is performed by the make_smart_edr.py utility, which ships in the smart_edr_ko_maker package and is located in its bin directory. The utility performs the following tasks:

  1. Deploying knowledge objects (Smart Monitor entities)
  2. Creating index templates
  3. Creating index patterns
  4. Loading rules from CSV file

Requirements

  1. Python 3.10+
  2. Installed dependencies: requests, urllib3, jinja2
  3. Access to Smart Monitor cluster with administrator credentials

Utility Structure

The script contains the following directory structure:

./
├── data/                  # Main directory with configurations
│   ├── sm_*/              # Directories with Smart Monitor entities (names start with sm_)
│   ├── index_templates/   # Index templates
│   ├── index_patterns/    # Index patterns
│   └── lookups/
│       └── rules.csv      # CSV file with rules

File Formats

  1. Smart Monitor Entities (in sm_* directories): JSON files with metadata in the _meta field and a unique identifier

  2. Index Templates (index_templates):

    {
      "name": "template_name",
      "index_template": {
        // template configuration
      }
    }

  3. Index Patterns (index_patterns):

    {
      "attributes": {
        "title": "pattern_name"
      },
      "references": []
    }

  4. Rules (rules.csv): the current list of BI.ZONE EDR threat detection rules
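Because the installer runs with cluster administrator credentials, it is worth checking the data/ tree against the formats above before launching it. The following pre-flight checker is an added example, not part of smart_edr_ko_maker; the directory name sm_entities, the file names and the field values it writes are constructed samples, and it checks only the fields this page documents.

```python
import json
import tempfile
from pathlib import Path
# Added pre-flight checker, not part of smart_edr_ko_maker. It verifies, per file type
# under data/, the fields this page documents before the installer touches the cluster.
CHECKS = [  # (glob under data/, predicate on the parsed object, message when it fails)
    ("sm_*/*.json", lambda o: "_meta" in o, "missing '_meta' field"),
    ("index_templates/*.json", lambda o: {"name", "index_template"} <= set(o),
     "needs 'name' and 'index_template'"),
    ("index_patterns/*.json", lambda o: "title" in (o.get("attributes") or {}),
     "missing 'attributes.title'"),
    ("index_patterns/*.json", lambda o: isinstance(o.get("references"), list),
     "'references' must be a list"),
]

def validate_data_dir(data: Path) -> list:
    """Return the problems found; an empty list means the layout is consistent."""
    problems = []
    for glob, ok, message in CHECKS:
        for path in sorted(data.glob(glob)):
            try:
                obj = json.loads(path.read_text(encoding="utf-8"))
            except (OSError, ValueError) as exc:
                problems.append(f"{path.relative_to(data)}: not valid JSON ({exc})")
                continue
            if not isinstance(obj, dict) or not ok(obj):
                problems.append(f"{path.relative_to(data)}: {message}")
    rules = data / "lookups" / "rules.csv"
    if not rules.is_file():
        problems.append("lookups/rules.csv: file not found")
    elif not rules.read_text(encoding="utf-8").strip():
        problems.append("lookups/rules.csv: empty, no header row")
    return list(dict.fromkeys(problems))  # drop duplicate parse errors, keep order

def check_sample_tree(break_template: bool = False) -> list:
    # Constructed minimal data/ tree (sample content, not real module files) in a temp dir
    template = {"name": "bizone_alerts", "index_template": {"index_patterns": ["bizone-*"]}}
    if break_template:
        del template["name"]  # provoke one finding
    files = {
        "sm_entities/example.json": json.dumps({"_meta": {"id": "example"}}),
        "index_templates/bizone.json": json.dumps(template),
        "index_patterns/bizone.json": json.dumps({"attributes": {"title": "bizone-*"}, "references": []}),
        "lookups/rules.csv": "rule_id,rule_name\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in files.items():
            path = Path(tmp) / "data" / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content, encoding="utf-8")
        return validate_data_dir(Path(tmp) / "data")
```

Run validate_data_dir on the package's real data/ directory; a non-empty result lists the files to fix before calling make_smart_edr.py.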


Installation Sequence

1. Running Configuration Installation

Installation is performed by running the make_smart_edr.py utility:

python make_smart_edr.py --sm_host <host> --sm_user <user> --sm_password <password> [--sm_port <port>]

Command line parameters:

Parameter      Required  Type  Default  Description
--sm_host      Yes       str   -        Smart Monitor host (one of the cluster nodes)
--sm_port      No        int   9200     Smart Monitor port
--sm_user      Yes       str   -        Username
--sm_password  Yes       str   -        User password

Example run:

python make_smart_edr.py --sm_host open-search-host-1.my_company.ru --sm_user admin --sm_password securepassword --sm_port 9200

2. Checking Configuration Application

  1. In the Templates section (Navigation Menu - System Settings - Index Management - Templates), the module templates are displayed.

  2. In the Index Patterns section (Navigation Menu - System Settings - Module Settings - OPENSEARCH - Index Patterns), the module index patterns are displayed.

  3. In the Lookup List section (Navigation Menu - Lookup Manager - Lookup List), the module lookups are displayed:

    • bizone_alert_setting
    • dim_bizone_host
    • dim_bizone_rule
    • dim_bizone_task
    • link_bizone_alert_severity_incident_severity
  4. The dim_bizone_rule lookup contains the list of threat detection rules.