Linux Shell Evasion Rule Tuning (#1878)

* Linux Shell Evasion Rule Tuning

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_apt_binary.toml

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

* Update execution_perl_tty_shell.toml

* Update execution_python_tty_shell.toml

* Update rules/linux/execution_apt_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_awk_binary_shell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_c89_c99_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_cpulimit_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_expect_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_find_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_gcc_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_mysql_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_nice_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/linux/execution_ssh_binary.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Colson Wilhoit
2022-03-29 09:16:21 -05:00
committed by Mika Ayenson
commit 150ff0502e
1059 changed files with 102941 additions and 0 deletions
@@ -0,0 +1,13 @@
# detection-rules code owners
# POC: Elastic Security Intelligence and Analytics Team
tests/**/*.py @brokensound77 @rw-access
detection_rules/ @brokensound77 @rw-access
tests/ @brokensound77 @rw-access
# skip rta-mapping to avoid the spam
etc/packages.yml @brokensound77 @rw-access
etc/*.json @brokensound77 @rw-access
etc/*.json @brokensound77 @rw-access
etc/*/* @brokensound77 @rw-access
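Review bot: `etc/*.json @brokensound77 @rw-access` appears twice in this hunk (the two identical lines after `etc/packages.yml`); drop one of them. The comment `# skip rta-mapping to avoid the spam` also sits above `etc/packages.yml`, where no rta-mapping path is listed, so it is not clear what it exempts; either add the path it refers to or move the comment next to the pattern it describes.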
@@ -0,0 +1,31 @@
---
name: Bug report
about: Report a bug to report for the python/testing parts of Detection Rules
title: "[Bug]"
labels: bug
assignees: ''
---
**Describe the bug**
A clear and concise description of what the bug is.
**To Reproduce**
Steps to reproduce the behavior:
1. Go to '...'
2. Click on '....'
3. Scroll down to '....'
4. See error
**Expected behavior**
A clear and concise description of what you expected to happen.
**Screenshots**
If applicable, add screenshots to help explain your problem.
**Desktop (please complete the following information):**
- OS:
- Version:
**Additional context**
Add any other context about the problem here.
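Review bot: the `about:` field reads `Report a bug to report for the python/testing parts of Detection Rules`, with "to report" duplicated. Suggest `Report a bug in the python/testing parts of Detection Rules`.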
@@ -0,0 +1,20 @@
---
name: Feature request
about: "Suggest an idea for this project (Note: this does not include rule logic)"
title: "[FR]"
labels: enhancement
assignees: ''
---
**Is your feature request related to a problem? Please describe.**
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]
**Describe the solution you'd like**
A clear and concise description of what you want to happen.
**Describe alternatives you've considered**
A clear and concise description of any alternative solutions or features you've considered.
**Additional context**
Add any other context or screenshots about the feature request here.
@@ -0,0 +1,39 @@
---
name: Integration (OOB) updates
about: Template used by Elastic team to release updates to fleet integration package
title: "[Integration Release] <x.x.x>"
labels: fleet-release
assignees: ''
---
# OOB Fleet integration release
### Release branch
<!-- this will dictate which stacks get the updates (>= up to major)
the title should reflect this version; ex: releasing from 8.0 is 1.0.x
the patch version represents the iteration of the release, so the 3rd release for 8.0 is 1.0.3
-->
*
## Checklist
<!-- each root level checklist item should have accompanying pr link -->
<!-- always push from latest (main) and merge, before proceeding
link the completed "kibana updates" issue here
-->
### Prep
- [ ] complete `updates to kibana` <issue link>
- [ ] tag the locked commit (ex `integration-vx.x.x`) <tag link>
### Release package
- [ ] integrations PR <link>
- [ ] package-storage promotion to `production` PR <link>
- [ ] `Pipeline Release Package Distribution` job <job link>
- [ ] production `epr` <link>
### Updates
- [ ] security-docs PR <link>
- [ ] newsfeed PR <link>
@@ -0,0 +1,28 @@
---
name: Kibana updates
about: Template used by Elastic team to push rule updates to Kibana
title: "[Kibana Updates] <source-branch> to kibana:<target-banch>"
labels: kibana-updates
assignees: ''
---
# Kibana updates
- [ ] check if this the final push to the respective Kibana release branch
### Which Kibana branches will this backport to?
<!-- bullet per branch, if none, add 'none' as a bullet. Also link to each backport PR -->
*
## Checklist
<!-- each root level checklist item should have accompanying pr link -->
- [ ] lock versions
- [ ] PR rules updates to Kibana
## Additional if this is the final push targeting a respective Kibana release branch
- [ ] create a tag for the branch from the locked versions commit (ex: `v7.15.0`)
- [ ] update security-docs with rule changes
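Review bot: typo in the `title:` field: `<target-banch>` should be `<target-branch>`. The title is what users copy when opening an issue from this template, so the typo would propagate into every Kibana-updates issue.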
@@ -0,0 +1,47 @@
---
name: New rule
about: Suggestions and ideas for new rules
title: "[New Rule] Name of rule"
labels: "Rule: New"
assignees: ''
---
<!-- Before submitting an issue to tune a rule, be sure to reference CONTRIBUTING.md --->
## Description
<!-- Provide a detailed description of the activity to be detected -->
## Required Info
### Target indexes
<!-- filebeat-*, logs-windows.*, etc. -->
### Additional requirements
<!-- sysmon, beats config modification, etc. -->
### Target Operating Systems
<!-- windows, linux, macOS, etc -->
### Platforms
<!-- okta, cloudtrail, etc -->
### Tested ECS Version
x.x.x
## Optional Info
### Query
### New fields required in ECS/data sources for this rule?
### Related issues or PRs
### References
## Example Data
<!-- Example JSON data from the actual detonated activity makes this process much quicker -->
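Review bot: the opening comment `Before submitting an issue to tune a rule, be sure to reference CONTRIBUTING.md` is copied from the tuning template; this is the new-rule template, so it should read `Before submitting a new rule idea, be sure to reference CONTRIBUTING.md`. The same comment closes with `--->` while every other comment in these templates uses `-->`; drop the extra hyphen for consistency.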
@@ -0,0 +1,15 @@
---
name: Rule deprecation
about: Recommendation to deprecate a rule
title: "[Deprecation] Name of the rule"
labels: "Rule: Deprecation"
assignees: ''
---
## Link to rule
## Description
Provide a detailed description of why the rule should be deprecated
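Review bot: `Provide a detailed description of why the rule should be deprecated` is plain text here, whereas the equivalent hints in the other templates are HTML comments (`<!-- ... -->`). Left as is, the hint remains in the issue body unless the author deletes it; wrap it in a comment like the other templates do.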
@@ -0,0 +1,19 @@
---
name: Tune existing rule
about: Suggestion for logic changes to an existing rule
title: "[Rule Tuning] Name of rule"
labels: "Rule: Tuning"
assignees: ''
---
<!-- Before submitting an issue to tune a rule, be sure to reference CONTRIBUTING.md --->
## Link to rule
## Description
<!-- Provide a detailed description of the suggested changes -->
## Example Data
<!-- If the query is to be changed, include example JSON data or a screenshot -->
@@ -0,0 +1,18 @@
<!--
Thank you for your interest in and contributing to Detection Rules!
There are a few simple things to check before submitting your pull request
that can help with the review process. You should delete these items
from your submission, but they are here to help bring them to your attention.
-->
## Issues
<!-- Link to related issues. Use closing keywords when appropriate -->
## Summary
## Contributor checklist
- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?
@@ -0,0 +1,59 @@
---
- "documentation":
- "./**/*.md"
- "schema":
- "detection_rules/beats.py"
- "etc/beats_schemas/**/*"
- "detection_rules/ecs.py"
- "etc/ecs_schemas/**/*"
- "etc/api_schemas/**/*"
- "detection_rules/schemas/**/*"
- "python":
- "detection_rules/**/*.py"
- "kibana/**/*.py"
- "kql/**/*.py"
- "RTA":
- "rta/**/*"
# rules
- "Domain: Cloud":
- "rules/integrations/aws/**/*.toml"
- "rules/integrations/azure/**/*.toml"
- "rules/integrations/cyberarkpas/**/*.toml"
- "rules/integrations/gcp/**/*.toml"
- "rules/integrations/google_workspace/**/*.toml"
- "rules/integrations/o365/**/*.toml"
- "rules/integrations/okta/**/*.toml"
- "Domain: Endpoint":
- "rules/windows/**/*.toml"
- "rules/linux/**/*.toml"
- "rules/macos/**/*.toml"
- "ML":
- "rules/ml/**/*.toml"
- "rules/**/ml_*.toml"
- "OS: Linux":
- "rules/linux/**/*.toml"
- "OS: macOS":
- "rules/macos/**/*.toml"
- "OS: Windows":
- "rules/windows/**/*.toml"
- "Integration: AWS":
- "rules/integrations/aws/**/*.toml"
- "Integration: Azure":
- "rules/integrations/azure/**/*.toml"
- "Integration: Crowdstrike":
- "rules/integrations/crowdstrike/**/*.toml"
- "Integration: CyberArkPas":
- "rules/integrations/cyberarkpas/**/*.toml"
- "Integration: Endpoint":
- "rules/integrations/endpoint/**/*.toml"
- "Integration: GCP":
- "rules/integrations/gcp/**/*.toml"
- "Integration: Google Workspace":
- "rules/integrations/google_workspace/**/*.toml"
- "Integration: Microsoft 365":
- "rules/integrations/o365/**/*.toml"
- "Integration: Okta":
- "rules/integrations/okta/**/*.toml"
- "Rule: Deprecation":
- "rules/_deprecated/**/*"
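Review bot: `Domain: Endpoint` matches `rules/windows`, `rules/linux` and `rules/macos` but not `rules/integrations/endpoint/**/*.toml`, which only receives `Integration: Endpoint`; a rule under that directory would carry an Integration label with no Domain label. If that is unintended, add the path to the `Domain: Endpoint` list. Similarly, `Domain: Cloud` lists every `rules/integrations/*` directory that has an `Integration:` label except `crowdstrike`; confirm that omission is deliberate.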
@@ -0,0 +1,59 @@
# Number of days of inactivity before an Issue or Pull Request becomes stale
daysUntilStale: 60
# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
daysUntilClose: 7
# Only issues or pull requests with all of these labels are checked if stale. Defaults to `[]` (disabled)
onlyLabels: []
# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
exemptLabels:
- bug
- backlog
# Set to true to ignore issues in a project (defaults to false)
exemptProjects: false
# Set to true to ignore issues in a milestone (defaults to false)
exemptMilestones: false
# Set to true to ignore issues with an assignee (defaults to false)
exemptAssignees: false
# Label to use when marking as stale
staleLabel: stale
# Comment to post when marking as stale. Set to `false` to disable
markComment: >
This issue has been automatically marked as stale because it has not had
recent activity. It will be closed if no further activity occurs. Thank you
for your contributions.
# Comment to post when removing the stale label.
# unmarkComment: >
# Your comment here.
# Comment to post when closing a stale Issue or Pull Request.
closeComment: >
This has been closed due to inactivity. If you feel this is an error,
please re-open and include a justifying comment.
# Limit the number of actions per hour, from 1-30. Default is 30
limitPerRun: 30
# Limit to only `issues` or `pulls`
# only: issues
# Optionally, specify configuration settings that are specific to just 'issues' or 'pulls':
# pulls:
# daysUntilStale: 30
# markComment: >
# This pull request has been automatically marked as stale because it has not had
# recent activity. It will be closed if no further activity occurs. Thank you
# for your contributions.
# issues:
# exemptLabels:
# - confirmed
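Review bot: `exemptLabels` contains only `bug` and `backlog`, so issues opened from the rule templates in this commit (`Rule: New`, `Rule: Tuning`, `Rule: Deprecation`) and `enhancement` feature requests are marked stale after 60 days and closed 7 days later. Rule suggestions frequently wait on sample data longer than that; consider adding those labels to `exemptLabels`, or using the commented-out `issues:` section to set `daysUntilClose: false` for issues while keeping it for pulls.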
@@ -0,0 +1,155 @@
name: backport
on:
pull_request_target:
branches:
- main
types:
- opened
- reopened
- unlabeled
- labeled
- closed
jobs:
label:
runs-on: ubuntu-latest
if: |
github.event.pull_request.state == 'open' && !github.event.pull_request.draft
steps:
- name: 'Apply default "backport: auto" label'
uses: actions/github-script@v4
if: |
!contains(github.event.pull_request.labels.*.name, 'backport: auto') &&
!contains(github.event.pull_request.labels.*.name, 'backport: skip')
with:
script: |
github.issues.addLabels({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
labels: ['backport: auto']
})
- name: 'Remove "backport: auto" if "backport: skip" is set'
uses: actions/github-script@v4
if: |
contains(github.event.pull_request.labels.*.name, 'backport: auto') &&
contains(github.event.pull_request.labels.*.name, 'backport: skip')
with:
script: |
github.issues.removeLabel({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
name: 'backport: auto'
})
commit:
if: |
github.event.pull_request.merged == true
&& contains(github.event.pull_request.labels.*.name, 'backport: auto')
&& (
(github.event.action == 'labeled' && github.event.label.name == 'backport: auto')
|| (github.event.action == 'closed')
)
runs-on: ubuntu-latest
strategy:
max-parallel: 1
matrix:
# 7.17 was intentionally skipped because it was added late and was bug fix only
target_branch: [7.13, 7.14, 7.15, 7.16, '8.0', 8.1]
steps:
- name: Checkout repo
uses: actions/checkout@v2
with:
token: ${{ secrets.PROTECTIONS_MACHINE_TOKEN }}
ref: main
- name: Set github config
run: |
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "github-actions[bot]"
- name: Get branch histories
run: |
git fetch origin main --depth 100
git fetch origin ${{matrix.target_branch}} --depth 1
git status
git log -1 --format='%H'
- name: Checkout the commit into the staging area
run: |
# Checkout the merged commit
git checkout ${{github.event.pull_request.merge_commit_sha}}
# Move it to the staging area
git reset --soft HEAD^
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-dev.txt
- name: Prune non-${{matrix.target_branch}} rules
env:
UNSTAGED_LIST_FILE: "../unstaged-rules.txt"
run: |
python -m detection_rules dev unstage-incompatible-rules --target-stack-version ${{matrix.target_branch}}
# Track which rules were unstaged
git diff --name-only > $UNSTAGED_LIST_FILE
# Since they've been tracked, remove any untracked files
git checkout -- .
- name: Commit and push to ${{matrix.target_branch}}
env:
COMMIT_MSG_FILE: "../commit-message.txt"
UNSTAGED_LIST_FILE: "../unstaged-rules.txt"
run: |
set -x
echo "Switch to the target branch and keep the staged changes"
git checkout ${{matrix.target_branch}}
NEEDS_BACKPORT=$(git diff HEAD --quiet --exit-code && echo n || echo y)
if [ "n" = "$NEEDS_BACKPORT" ]
then
echo "No changes to backport"
exit 0
fi
echo "Create the new commit with the same author"
git commit --reuse-message ${{github.event.pull_request.merge_commit_sha}}
echo "Save the commit message"
git log ${{github.event.pull_request.merge_commit_sha}} --format=%B -n1 > $COMMIT_MSG_FILE
echo "Append to the commit message"
if [ -s "$UNSTAGED_LIST_FILE" ]
then
echo "Track note for the removed files"
echo "" >> $COMMIT_MSG_FILE
echo "Removed changes from:" >> $COMMIT_MSG_FILE
awk '{print "- " $0}' $UNSTAGED_LIST_FILE >> $COMMIT_MSG_FILE
echo "" >> $COMMIT_MSG_FILE
echo '(selectively cherry picked from commit ${{github.event.pull_request.merge_commit_sha}})' >> $COMMIT_MSG_FILE
else
echo "No removed files"
echo "" >> $COMMIT_MSG_FILE
echo '(cherry picked from commit ${{github.event.pull_request.merge_commit_sha}})' >> $COMMIT_MSG_FILE
fi
echo "Amend the commit message and push"
git commit --amend -F $COMMIT_MSG_FILE
git push
- name: "Notify slack on failure"
uses: craftech-io/slack-action@v1
with:
slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
status: failure
if: failure()
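Review bot: the comment `Since they've been tracked, remove any untracked files` above `git checkout -- .` in the prune step is inaccurate: `git checkout -- .` discards unstaged modifications to tracked files and does not touch untracked files (that would be `git clean`). Correct the comment, or use `git clean -fd` if removing untracked files is really intended. Related, `git reset --soft HEAD^` in the `Checkout the commit into the staging area` step assumes `merge_commit_sha` has a single parent (squash or rebase merge); for a true merge commit `HEAD^` is the first parent and the staged diff would be the whole merged branch, so the squash-merge requirement should be stated in a comment next to that step.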
@@ -0,0 +1,43 @@
name: Community
on:
pull_request_target:
types:
- opened
issues:
types:
- opened
jobs:
label:
runs-on: ubuntu-latest
steps:
- name: Check if member of elastic org
uses: actions/github-script@v4
id: membership
with:
github-token: ${{ secrets.READ_ORG_TOKEN }}
result-encoding: string
script: |
const result = await github.orgs.getMembershipForUser({
org: "elastic",
username: context.payload.sender.login
})
console.log(result.data.state)
if (result.data.state == "active"){
console.log("%s: detected as an active member of elastic org", context.payload.sender.login)
return "member"
} else {
console.log("%s: not detected as active member of elastic org", context.payload.sender.login)
return "notMember"
}
- name: Add label for community members
uses: actions/github-script@v4
if: ${{ steps.membership.outputs.result == 'notMember' }}
with:
script: |
github.issues.addLabels({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
labels: ['community']
})
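Review bot: `github.orgs.getMembershipForUser` rejects with a 404 when the user is not a member of the organization, so for a community contributor the `await` throws, the `membership` step fails, and the `else` branch returning `"notMember"` is never reached; as written, the `community` label is only applied when `state` is `pending`. Wrap the call so a 404 maps to the non-member result, e.g. `try { ... } catch (e) { if (e.status === 404) return "notMember"; throw e }`.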
@@ -0,0 +1,75 @@
name: lock-versions
on:
workflow_dispatch:
inputs:
branches:
description: 'List of branches to lock versions (ordered, comma separated)'
required: true
# 7.17 was intentionally skipped because it was added late and was bug fix only
default: '7.13,7.14,7.15,7.16,8.0,8.1'
jobs:
pr:
runs-on: ubuntu-latest
steps:
- name: Validate the source branch
uses: actions/github-script@v3
with:
script: |
if ('refs/heads/main' !== '${{github.event.ref}}') {
core.setFailed('Forbidden branch, expected "main"')
}
- name: Checkout detection-rules
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-dev.txt
- name: Build release package
run: |
python -m detection_rules dev build-release
- name: Set github config
run: |
git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
git config --global user.name "protectionsmachine"
- name: Lock the versions
env:
BRANCHES: "${{github.event.inputs.branches}}"
run: |
./etc/lock-multiple.sh $BRANCHES
git add etc/version.lock.json
- name: Create Pull Request
uses: peter-evans/create-pull-request@v3
with:
assignees: '${{github.actor}}'
delete-branch: true
branch: "version-lock"
commit-message: "Locked versions for releases: ${{github.event.inputs.branches}}"
branch-suffix: "short-commit-hash"
title: 'Lock versions for releases: ${{github.event.inputs.branches}}'
body: |
Lock versions for releases: ${{github.event.inputs.branches}}.
- Autogenerated from job `lock-versions: pr`.
labels: "backport: auto"
- name: Archive production artifacts
uses: actions/upload-artifact@v2
with:
name: release-files
path: |
releases
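Review bot: `if ('refs/heads/main' !== '${{github.event.ref}}')` interpolates a workflow expression into the JavaScript source of the `github-script` step; the same value is available as `context.ref`, so `if (context.ref !== 'refs/heads/main')` checks the branch without building code from event data. This step also pins `actions/github-script@v3` while `backport` and `Community` in the same commit use `@v4`; align the versions.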
@@ -0,0 +1,59 @@
name: Unit Tests
on:
push:
branches: [ "main", "7.*", "8.*" ]
pull_request:
branches: [ "*" ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install -r requirements.txt
- name: Python Lint
run: |
python -m flake8 tests detection_rules --ignore D203 --max-line-length 120
- name: Python License Check
run: |
python -m detection_rules dev license-check
- name: Build release package
env:
# only generate the navigator files on push events to main
GENERATE_NAVIGATOR_FILES: "${{ github.event_name == 'push' && github.ref == 'refs/heads/main' && '--generate-navigator' || ' ' }}"
run: |
python -m detection_rules dev build-release $GENERATE_NAVIGATOR_FILES
- name: Archive production artifacts for branch builds
uses: actions/upload-artifact@v2
if: |
github.event_name == 'push'
with:
name: release-files
path: |
releases
- name: Unit tests
run: |
python -m detection_rules test
- name: Update navigator gist files
env:
GITHUB_TOKEN: "${{ secrets.NAVIGATOR_GIST_TOKEN }}"
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
run: python -m detection_rules dev update-navigator-gists
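Review bot: `Archive production artifacts for branch builds` runs before `Unit tests`, so on a push whose tests fail the `releases` output of `build-release` is still uploaded; move the `Unit tests` step ahead of the upload so the artifact is only published from a passing build. Also, this is the only workflow in the commit that installs `requirements.txt` without `requirements-dev.txt`; confirm that `flake8`, used in `Python Lint`, is provided by `requirements.txt`.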
@@ -0,0 +1,94 @@
name: release-fleet
on:
workflow_dispatch:
inputs:
target_repo:
description: 'Target repository to build a PR against'
required: true
default: 'elastic/integrations'
target_branch:
description: 'Target branch for PR base'
required: true
default: 'master'
draft:
description: 'Create a PR as draft (y/n)'
required: false
jobs:
fleet-pr:
runs-on: ubuntu-latest
steps:
- name: Validate the source branch
uses: actions/github-script@v3
with:
script: |
if ('refs/heads/main' === '${{github.ref}}') {
core.setFailed('Forbidden branch')
}
- name: Checkout detection-rules
uses: actions/checkout@v2
with:
path: detection-rules
- name: Checkout elastic/integrations
uses: actions/checkout@v2
with:
token: ${{ secrets.PROTECTIONS_MACHINE_TOKEN }}
ref: ${{github.event.inputs.target_branch}}
repository: ${{github.event.inputs.target_repo}}
path: integrations
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Install Python dependencies
run: |
cd detection-rules
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-dev.txt
- name: Build release package
run: |
cd detection-rules
python -m detection_rules dev build-release
- name: Set github config
run: |
git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
git config --global user.name "protectionsmachine"
- name: Setup go
uses: actions/setup-go@v2
with:
go-version: '^1.16.0'
- name: Build elastic-package
run: |
go get github.com/elastic/elastic-package
- name: Create the PR to Integrations
env:
DRAFT_ARGS: "${{startsWith(github.event.inputs.draft,'y') && '--draft' || ' '}}"
TARGET_REPO: "${{github.event.inputs.target_repo}}"
TARGET_BRANCH: "${{github.event.inputs.target_branch}}"
LOCAL_REPO: "../integrations"
GITHUB_TOKEN: "${{ secrets.PROTECTIONS_MACHINE_TOKEN }}"
run: |
cd detection-rules
python -m detection_rules dev integrations-pr \
$LOCAL_REPO \
--github-repo $TARGET_REPO \
--base-branch $TARGET_BRANCH \
--assign ${{github.actor}} \
$DRAFT_ARGS
- name: Archive production artifacts
uses: actions/upload-artifact@v2
with:
name: release-files
path: |
detection-rules/releases
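Review bot: `go get github.com/elastic/elastic-package` in the `Build elastic-package` step relies on the pre-1.17 behaviour of `go get` installing a binary outside a module; with `go-version: '^1.16.0'` the caret resolves to the newest 1.x toolchain, where `go get` is deprecated for this use (1.17) and no longer installs binaries at all (1.18+). Use `go install github.com/elastic/elastic-package@latest` and pin an exact Go version so the step stays reproducible.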
@@ -0,0 +1,71 @@
name: release-kibana
on:
workflow_dispatch:
inputs:
kibana_branch:
description: 'Target branch for a Kibana PR'
required: true
default: 'master'
labels:
description: 'Labels to assign to the PR (comma-separated)'
required: true
default: 'release_note:skip,release_note:enhancement,auto-backport'
draft:
description: 'Create a PR as draft (y/n)'
required: false
jobs:
kibana-pr:
runs-on: ubuntu-latest
steps:
- name: Checkout detection-rules
uses: actions/checkout@v2
with:
path: detection-rules
- name: Checkout Kibana
uses: actions/checkout@v2
with:
token: ${{ secrets.PROTECTIONS_MACHINE_TOKEN }}
ref: ${{github.event.inputs.kibana_branch}}
repository: elastic/kibana
path: kibana
- name: Set up Python 3.8
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Install dependencies
run: |
cd detection-rules
python -m pip install --upgrade pip
pip install -r requirements.txt -r requirements-dev.txt
- name: Build release package
run: |
cd detection-rules
python -m detection_rules dev build-release
- name: Set github config
run: |
git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
git config --global user.name "protectionsmachine"
- name: Create the PR to Kibana
env:
DRAFT_ARGS: "${{startsWith(github.event.inputs.draft,'y') && '--draft' || ' '}}"
LABEL_ARGS: "--label ${{github.event.inputs.labels}}"
BRANCH_ARGS: "--base-branch ${{github.event.inputs.kibana_branch}}"
GITHUB_TOKEN: "${{ secrets.PROTECTIONS_MACHINE_TOKEN }}"
run: |
cd detection-rules
python -m detection_rules dev kibana-pr --assign ${{github.actor}} $LABEL_ARGS $DRAFT_ARGS $BRANCH_ARGS
- name: Archive production artifacts for branch builds
uses: actions/upload-artifact@v2
with:
name: release-files
path: |
detection-rules/releases
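Review bot: unlike `release-fleet` and `lock-versions`, this workflow has no `Validate the source branch` step, so `kibana-pr` can be dispatched from any branch and will open a PR against `elastic/kibana` using `PROTECTIONS_MACHINE_TOKEN`; add the same `github-script` guard. Also, `LABEL_ARGS: "--label ${{github.event.inputs.labels}}"` is expanded unquoted as `$LABEL_ARGS`, so a label value containing a space would be split into separate arguments; quote the expansion or pass the labels through a single `--label` argument per entry.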