Test remote_cli update test indices
This commit is contained in:
Eric Forte
@@ -2,7 +2,7 @@
|
||||
{"id":"c7c868c0-cfe1-4139-a873-4c8ce7b181c1","updated_at":"2025-08-18T03:41:10.096Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.310Z","created_by":"841510929","name":"test_kql_with_alert_supprestion_and_investigation_fileds","tags":["child process","ms office"],"interval":"1h","enabled":true,"revision":1,"description":"Process started by MS Office program - possible payload","risk_score":0,"severity":"low","note":"This a a test sample investigation Guide\nThis a a test sample investigation Guide\nThis a a test sample investigation Guide\n\n!{osquery{\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/lib/systemd/system/%' )\",\"label\":\"test-osquery\"}}\n\n!{investigate{\"label\":\"test-investigation-query\",\"description\":\"test-investigation-query\",\"providers\":[[{\"field\":\"host.name\",\"excluded\":false,\"queryType\":\"phrase\",\"value\":\"test-host\",\"valueType\":\"string\"}]]}}","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-70m","rule_id":"742feb36-ac4c-45e0-b8a5-3b3cfa66b6d2","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"query","language":"kuery","index":["logs-*"],"query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE\n","filters":[{"$state":{"store":"appState"},"meta":{"disabled":false,"key":"event.action","negate":false,"type":"phrase","params":{"query":"Process Create (rule: ProcessCreate)"}},"query":{"match_phrase":{"event.action":{"query":"Process Create (rule: ProcessCreate)"}}}}],"alert_suppression":{"group_by":["process.parent.name"],"duration":{"value":5,"unit":"h"},"missing_fields_strategy":"suppress"},"actions":[]}
|
||||
{"id":"e9430a4c-5fce-41b7-9d55-7645360e11d9","updated_at":"2025-08-18T03:40:30.081Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.326Z","created_by":"841510929","name":"test_kql_with_alert_suppression","tags":["child process","ms office"],"interval":"1h","enabled":true,"revision":1,"description":"Process started by MS Office program - possible payload","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-70m","rule_id":"2c6c5352-11cb-40a5-9294-e61ef5f1954f","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"query","language":"kuery","index":["logs-*"],"query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE\n","filters":[{"meta":{"type":"phrase","key":"event.action","params":{"query":"Process Create (rule: ProcessCreate)"},"disabled":false,"negate":false},"$state":{"store":"appState"},"query":{"match_phrase":{"event.action":{"query":"Process Create (rule: ProcessCreate)"}}}}],"alert_suppression":{"group_by":["process.parent.name"],"duration":{"value":5,"unit":"h"},"missing_fields_strategy":"suppress"},"actions":[]}
|
||||
{"id":"45241dcf-1bb2-41eb-8e91-89741af275c0","updated_at":"2025-08-18T03:43:41.240Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.317Z","created_by":"841510929","name":"test_eql_rule","tags":["EQL","Windows","rundll32.exe"],"interval":"5m","enabled":true,"revision":1,"description":"Unusual rundll32.exe network connection","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"2cc8f325-e1b1-4201-8b8d-88a51c94992b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.args_count","type":"long","ecs":true},{"name":"process.entity_id","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.pe.original_file_name","type":"keyword","ecs":true}],"setup":"None","type":"eql","language":"eql","index":["logs-*"],"query":"sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]\n","filters":[],"actions":[]}
|
||||
{"id":"11d7b970-0076-4ae1-b328-16d6778489f2","updated_at":"2025-08-18T03:45:34.509Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.308Z","created_by":"841510929","name":"test_esql_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Find Excel events","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"7e0f6dae-5847-465f-89e9-a6de0e9ef918","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"esql","language":"esql","query":"from auditbeat-* METADATA _id, _version, _index | KEEP process.parent.name | where process.parent.name == \"EXCEL.EXE\"\n","actions":[]}
|
||||
{"id":"11d7b970-0076-4ae1-b328-16d6778489f2","updated_at":"2025-08-18T03:45:34.509Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.308Z","created_by":"841510929","name":"test_esql_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Find Excel events","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"7e0f6dae-5847-465f-89e9-a6de0e9ef918","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"esql","language":"esql","query":"from logs-* METADATA _id, _version, _index | KEEP process.parent.name, _id, _version, _index | where process.parent.name == \"EXCEL.EXE\"\n","actions":[]}
|
||||
{"id":"72abd101-fe39-43f0-a6d1-e9a373684cab","updated_at":"2025-08-18T03:46:00.515Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.334Z","created_by":"841510929","name":"test_new_terms_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Detects a user associated with a new IP address","risk_score":0,"severity":"medium","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"2390c9dd-ad90-4af6-97a4-1d607ba0f092","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"user.id","type":"keyword","ecs":true},{"name":"source.ip","type":"ip","ecs":true}],"setup":"None","type":"new_terms","query":"host.name:prml-19 and event.category:authentication and event.outcome:failure\n","new_terms_fields":["user.id","source.ip"],"history_window_start":"now-30d","index":["auditbeat*"],"filters":[],"language":"kuery","actions":[]}
|
||||
{"id":"a1605087-5c6f-4363-9686-ecd47e9c44b6","rule_id":"4c589d81-2622-4036-8cc7-372ea8f0e038","name":"test_indicator_match_rule_with_email_actions","immutable":false,"rule_source":{"type":"internal"},"version":1,"revision":1,"updated_at":"2025-10-29T17:02:23.823Z","updated_by":"3610252053","created_at":"2025-10-29T17:01:09.848Z","created_by":"3610252053","enabled":true,"interval":"5m","from":"now-6m","to":"now","description":"Checks for bad IP addresses listed in the ip-threat-list index","tags":[],"author":["841510929"],"license":"","threat":[],"related_integrations":[],"required_fields":[{"name":"destination.ip","type":"ip","ecs":true},{"name":"destination.port","type":"long","ecs":true},{"name":"host.ip","type":"ip","ecs":true}],"setup":"None","note":"None","false_positives":[],"references":[],"risk_score":0,"risk_score_mapping":[],"severity":"medium","severity_mapping":[],"output_index":"","max_signals":100,"exceptions_list":[],"actions":[{"id":"1b8d347f-2542-4390-85de-2653518311e2","params":{"message":"Rule {{context.rule.name}} generated {{state.signals_count}} alerts","to":["tradebot-elastic@elastic.com"],"subject":"Test Actions"},"action_type_id":".email","uuid":"98de9d3f-87e9-468a-b656-26f8c2f64c00","frequency":{"summary":true,"notifyWhen":"onActiveAlert","throttle":null},"group":"default"}],"meta":{"kibana_siem_app_url":""},"type":"threat_match","language":"kuery","index":["packetbeat-*"],"query":"destination.ip:* or host.ip:*\n","filters":[],"threat_filters":[],"threat_query":"*:*","threat_mapping":[{"entries":[{"field":"destination.ip","type":"mapping","value":"destination.ip"},{"field":"destination.port","type":"mapping","value":"destination.port"}]},{"entries":[{"field":"source.ip","type":"mapping","value":"host.ip"}]}],"threat_language":"kuery","threat_index":["ip-threat-list"],"threat_indicator_path":"threat.indicator"}
|
||||
{"id":"d46a29ca-9b5b-4cbd-b11f-35c6b59f207b","updated_at":"2025-08-18T03:44:54.407Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.331Z","created_by":"841510929","name":"test_threshold_with_rule_exception","tags":["Brute force"],"interval":"2m","enabled":true,"revision":1,"description":"Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-3m","rule_id":"d46a29ca-9b5b-4cbd-b11f-35c6b59f207b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[{"field":"source.geo.city_name","operator":"equals","severity":"low","value":"Manchester"},{"field":"source.geo.city_name","operator":"equals","severity":"medium","value":"London"},{"field":"source.geo.city_name","operator":"equals","severity":"high","value":"Birmingham"},{"field":"source.geo.city_name","operator":"equals","severity":"critical","value":"Wallingford"}],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"82395156-8ad2-46c3-be79-1f1a23c0d802","list_id":"0a4124f8-2074-450b-8689-d7dee319c666","type":"rule_default","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"source.ip","type":"ip","ecs":true}],"setup":"None","type":"threshold","language":"kuery","index":["winlogbeat-*"],"query":"host.name:prml-19 and event.category:authentication and event.outcome:failure\n","filters":[],"threshold":{"field":["source.ip"],"value":20,"cardinality":[]},"actions":[]}
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
[project]
|
||||
name = "detection_rules"
|
||||
version = "1.5.34"
|
||||
version = "1.5.35"
|
||||
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
|
||||
readme = "README.md"
|
||||
requires-python = ">=3.12"
|
||||
|
||||
@@ -177,7 +177,7 @@ class TestRemoteRules(BaseRuleTest):
|
||||
original_production_rule = load_rule_contents(file_path)
|
||||
production_rule = deepcopy(original_production_rule)[0]
|
||||
production_rule["rule"]["query"] = """
|
||||
from logs-endpoint.alerts-*
|
||||
from logs-endpoint.alerts-* METADATA _id, _version, _index
|
||||
| where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null
|
||||
| keep host.id, rule.name, event.code, _id, _version, _index
|
||||
| stats Esql.host_id_count_distinct = count_distinct(host.id) by rule.name, event.code
|
||||
@@ -207,7 +207,7 @@ class TestRemoteRules(BaseRuleTest):
|
||||
production_rule = deepcopy(original_production_rule)[0]
|
||||
production_rule["metadata"]["integration"] = []
|
||||
production_rule["rule"]["query"] = """
|
||||
from logs-endpoint.alerts-*
|
||||
from logs-endpoint.alerts-* METADATA _id, _version, _index
|
||||
| where event.code in ("malicious_file", "memory_signature", "shellcode_thread") and rule.name is not null and file.Ext.entry_modified > 0
|
||||
| keep host.id, rule.name, event.code, file.Ext.entry_modified, _id, _version, _index
|
||||
| stats Esql.host_id_count_distinct = count_distinct(host.id) by rule.name, event.code, file.Ext.entry_modified
|
||||
|
||||
Reference in New Issue
Block a user