Change the JSON schema for the security_rule Kibana asset (#1066)

* Change the JSON schema for the security_rule Kibana asset
* Use the asset type for the folder name
This commit is contained in:
Ross Wolf
2021-03-30 13:31:02 -06:00
committed by GitHub
parent 8ee1b2ffd4
commit 1e6e49a2cb
3 changed files with 10 additions and 3 deletions
+4 -3
@@ -21,7 +21,7 @@ from . import rule_loader
from .misc import JS_LICENSE, cached
from .rule import TOMLRule, BaseQueryRuleData, RULES_DIR, ThreatMapping
from .rule import downgrade_contents_from_rule
from .schemas import CurrentSchema
from .schemas import CurrentSchema, definitions
from .utils import Ndjson, get_path, get_etc_path, load_etc_dump, save_etc_dump
RELEASE_DIR = get_path("releases")
@@ -485,7 +485,7 @@ class Package(object):
package_dir = Path(save_dir).joinpath(manifest.version)
docs_dir = package_dir / 'docs'
rules_dir = package_dir / 'kibana' / 'security_rule'
rules_dir = package_dir / 'kibana' / definitions.ASSET_TYPE
docs_dir.mkdir(parents=True)
rules_dir.mkdir(parents=True)
@@ -498,7 +498,8 @@ class Package(object):
# shutil.copyfile(CHANGELOG_FILE, str(rules_dir.joinpath('CHANGELOG.json')))
for rule in self.rules:
rule.save_json(Path(rules_dir.joinpath(f'rule-{rule.id}.json')))
with Path(rules_dir.joinpath(f'rule-{rule.id}.json')).open("w", encoding="utf-8") as f:
json.dump(rule.get_asset(), f, indent=2, sort_keys=True)
readme_text = ('# Detection rules\n\n'
'The detection rules package stores all the security rules '
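Review bot: The new `with` block interpolates `rule.id` straight into the asset file name under `rules_dir`, and nothing in this hunk validates it; if the rule schema does not constrain `id` to a UUID-like pattern (not visible here), an id containing `..` or a path separator could write the asset outside `rules_dir`, so it is worth confirming that constraint or asserting it before the write. The hunk also calls `json.dump` but the import hunk earlier in this file adds only `definitions`, so confirm `import json` already exists at module level or this will raise `NameError` at package time. `rules_dir` is already a `Path` (built with `/` in the earlier hunk), so `Path(rules_dir.joinpath(...))` is redundant: `asset_path = rules_dir / f'rule-{rule.id}.json'` followed by `with asset_path.open("w", encoding="utf-8") as f:` reads cleaner. The enclosing method starts and ends outside the hunk.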
+4
@@ -432,6 +432,10 @@ class TOMLRule:
def name(self):
return self.contents.data.name
def get_asset(self) -> dict:
"""Generate the relevant fleet compatible asset."""
return {"id": self.id, "attributes": self.contents.to_api_format(), "type": definitions.ASSET_TYPE}
def save_toml(self):
converted = self.contents.to_dict()
toml_write(converted, str(self.path.absolute()))
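Review bot: `get_asset` returns a three-key dict but its docstring does not state the shape, which the packaging code that serializes this dict depends on. I would expand it to `"""Return the saved-object envelope for this rule: {"id": the rule id, "type": definitions.ASSET_TYPE, "attributes": the rule contents in API format}."""`. The hunk does not show where `definitions` is imported in this module, so confirm that import exists or the new method fails with `NameError` on first call. The `-> dict` annotation could be narrowed to `Dict[str, Any]` if `typing` is already imported here, which is not visible in the hunk.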
+2
@@ -10,6 +10,8 @@ from typing import Literal
from marshmallow import validate
from marshmallow_dataclass import NewType
ASSET_TYPE = "security_rule"
DATE_PATTERN = r'\d{4}/\d{2}/\d{2}'
MATURITY_LEVELS = ['development', 'experimental', 'beta', 'production', 'deprecated']
OS_OPTIONS = ['windows', 'linux', 'macos']