[New Rule] Adding Lateral Movement Rules from Advanced Analytic LMD Package (#3119)

* Adding Lateral Movement Detection rules * added tags; adjusted tests; updated manifests and schemas * added default value to build_integrations_schema * combined analytic and non-dataset packages for related integrations * adjusted machine learning definitions * adjusted machine learning definitions * removed splat for machine learning list due to 3.8 constraints --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> (cherry picked from commit 747ee7d593)
2023-09-27 11:53:38 -07:00
parent 7cb4c5216d
commit 116a7de890
20 changed files with 636 additions and 16 deletions
@@ -632,7 +632,8 @@ class TestRuleMetadata(BaseRuleTest):
                    # checks if an index pattern exists if the package integration tag exists
                    integration_string = "|".join(indices)
                    if not re.search(rule_integration, integration_string):
-                        if rule_integration == "windows" and re.search("winlog", integration_string):
+                        if rule_integration == "windows" and re.search("winlog", integration_string) or \
+                                rule_integration in [*map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)]:
                            continue
                        err_msg = f'{self.rule_str(rule)} {rule_integration} tag, index pattern missing.'
                        failures.append(err_msg)
@@ -658,7 +659,8 @@ class TestRuleMetadata(BaseRuleTest):
                    ]
                    if any([re.search("|".join(non_dataset_packages), i, re.IGNORECASE)
                            for i in rule.contents.data.index]):
-                        if not rule.contents.metadata.integration and rule.id not in ignore_ids:
+                        if not rule.contents.metadata.integration and rule.id not in ignore_ids and \
+                                rule.contents.data.type not in definitions.MACHINE_LEARNING:
                            err_msg = f'substrings {non_dataset_packages} found in '\
                                      f'{self.rule_str(rule)} rule index patterns are {rule.contents.data.index},' \
                                      f'but no integration tag found'