security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[FR] Add Support for ES|QL Rule Type and Remote Validation (#3281)

Browse Source 
* add suuport for esql type
* add unit tests
* set clients in RemoteConnector from auth methods
* thread remote rules; add engine test
* Add versions to remote validation results

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 7514c0a206)
This commit is contained in:
Mika Ayenson
2023-12-08 13:46:28 -06:00
committed by github-actions[bot]
parent 87f8498b68
commit 111ce46b75
10 changed files with 497 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/data/__init__.py
+4
View File
@@ -0,0 +1,4 @@
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
tests/data/command_control_dummy_production_rule.toml
+37
View File
@@ -0,0 +1,37 @@
[metadata]
creation_date = "2023/11/20"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "ES|QL Rule"
min_stack_version = "8.11.0"
updated_date = "2023/11/20"
[rule]
author = ["Elastic"]
description = """
Sample ES|QL rule for unit tests.
"""
from = "now-9m"
language = "esql"
license = "Elastic License v2"
name = "Sample ES|QL rule for unit tests"
risk_score = 47
rule_id = "24220495-cffe-45a1-996c-37b599ba0e43"
severity = "medium"
tags = ["Data Source: Elastic Endpoint", "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "esql"
query = '''
from .ds-logs-endpoint.events.process-default-*
| where event.action == "start" and process.code_signature.subject_name like "Microsoft*" and process.parent.name in ("winword.exe", "WINWORD.EXE", "EXCEL.EXE", "excel.exe")
| eval process_path = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\")
| stats cc = count(*) by process_path, process.parent.name | where cc <= 5
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"