security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Prep for Creation of 8.4 Branch (#2001)

Browse Source 
* prepping for 8.4 branch

* adjusted schemas init file

* adjusted target matrix to only backport to 7.16, updated api schemas

* adjusted the lock-versions workflow to account for 7.16 and up support only

* Add test for version lock to schema map correlation

* decouple from static 7.13 references

* keep patch version for lock

* Update detection_rules/etc/packages.yml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

Removed changes from:
- detection_rules/etc/packages.yml

(selectively cherry picked from commit 35b1a69ff5)
This commit is contained in:
Terrance DeJesus
2022-06-02 14:59:18 -04:00
committed by github-actions[bot]
parent b12d1cb978
commit 220996b1b8
19 changed files with 2409 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/backport.yml
+1 -1
View File
@@ -56,7 +56,7 @@ jobs:
max-parallel: 1
matrix:
# 7.17 was intentionally skipped because it was added late and was bug fix only
target_branch: [7.13, 7.14, 7.15, 7.16, '8.0', 8.1, 8.2]
target_branch: [7.16, '8.0', 8.1, 8.2, 8.3]
steps:
- name: Checkout repo
.github/workflows/lock-versions.yml
+1 -1
View File
@@ -6,7 +6,7 @@ on:
description: 'List of branches to lock versions (ordered, comma separated)'
required: true
# 7.17 was intentionally skipped because it was added late and was bug fix only
default: '7.13,7.14,7.15,7.16,8.0,8.1,8.2'
default: '7.16,8.0,8.1,8.2,8.3'
jobs:
pr:
detection_rules/etc/api_schemas/8.3/8.3.base.json
+344
View File
@@ -0,0 +1,344 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query",
"saved_query",
"machine_learning",
"eql",
"threshold",
"threat_match"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"author",
"description",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/8.3/8.3.eql.json
+355
View File
@@ -0,0 +1,355 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"eql"
],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"eql"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/8.3/8.3.machine_learning.json
+357
View File
@@ -0,0 +1,357 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"anomaly_threshold": {
"format": "integer",
"type": "number"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"license": {
"type": "string"
},
"machine_learning_job_id": {
"anyOf": [
{
"type": "string"
},
{
"items": {
"type": "string"
},
"type": "array"
}
]
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"machine_learning"
],
"type": "string"
}
},
"required": [
"anomaly_threshold",
"author",
"description",
"machine_learning_job_id",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/8.3/8.3.query.json
+357
View File
@@ -0,0 +1,357 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/8.3/8.3.threat_match.json
+448
View File
@@ -0,0 +1,448 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"concurrent_searches": {
"description": "PositiveInteger",
"format": "integer",
"minimum": 1,
"type": "number"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"items_per_search": {
"description": "PositiveInteger",
"format": "integer",
"minimum": 1,
"type": "number"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threat_filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"threat_index": {
"items": {
"type": "string"
},
"type": "array"
},
"threat_indicator_path": {
"type": "string"
},
"threat_language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"threat_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"entries": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"enum": [
"mapping"
],
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"type",
"value"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"entries"
],
"type": "object"
},
"type": "array"
},
"threat_query": {
"type": "string"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threat_match"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threat_index",
"threat_mapping",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/8.3/8.3.threshold.json
+406
View File
@@ -0,0 +1,406 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threshold": {
"additionalProperties": false,
"properties": {
"cardinality": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"value": {
"description": "ThresholdValue",
"format": "integer",
"minimum": 1,
"type": "number"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"field": {
"description": "CardinalityFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"type": "array"
},
"value": {
"description": "ThresholdValue",
"format": "integer",
"minimum": 1,
"type": "number"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threshold"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threshold",
"type"
],
"type": "object"
}
detection_rules/etc/api_schemas/master/master.base.json
+10 -2
View File
@@ -288,7 +288,11 @@
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
@@ -299,7 +303,11 @@
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
detection_rules/etc/api_schemas/master/master.eql.json
+10 -2
View File
@@ -303,7 +303,11 @@
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
@@ -314,7 +318,11 @@
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
detection_rules/etc/api_schemas/master/master.machine_learning.json
+10 -2
View File
@@ -305,7 +305,11 @@
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
@@ -316,7 +320,11 @@
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
detection_rules/etc/api_schemas/master/master.query.json
+10 -2
View File
@@ -305,7 +305,11 @@
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
@@ -316,7 +320,11 @@
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
detection_rules/etc/api_schemas/master/master.threat_match.json
+10 -2
View File
@@ -394,7 +394,11 @@
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
@@ -405,7 +409,11 @@
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
detection_rules/etc/api_schemas/master/master.threshold.json
+10 -2
View File
@@ -353,7 +353,11 @@
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e"
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799"
],
"enumNames": [],
"type": "string"
@@ -364,7 +368,11 @@
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline"
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline"
],
"enumNames": [],
"type": "string"
detection_rules/etc/stack-schema-map.yaml
+17 -12
View File
@@ -4,18 +4,19 @@
#
# refer to release branch in https://github.com/elastic/beats/blob/main/libbeat/_meta/fields.ecs.yml
"7.13.0":
# beats release about the same time as the stack, so we cannot update this until it is released
beats: "7.13.2"
ecs: "1.9.0"
"7.14.0":
beats: "7.14.0"
ecs: "1.10.0"
"7.15.0":
beats: "7.15.1"
ecs: "1.11.0"
# dropped backport support for 7.13.0, 7.14.0, 7.15.0 as of 8.4 branch creation
#"7.13.0":
# # beats release about the same time as the stack, so we cannot update this until it is released
# beats: "7.13.2"
# ecs: "1.9.0"
#
#"7.14.0":
# beats: "7.14.0"
# ecs: "1.10.0"
#
#"7.15.0":
# beats: "7.15.1"
# ecs: "1.11.0"
"7.16.0":
beats: "7.16.2"
@@ -36,5 +37,9 @@
ecs: "8.2.1"
"8.3.0":
beats: "main"
ecs: "8.2.1"
"8.4.0":
beats: "main" # TODO: update this once beats releases
ecs: "8.2.1"
detection_rules/rule.py
+1 -1
View File
@@ -50,7 +50,7 @@ class RuleMeta(MarshmallowDataclassMixin):
def get_validation_stack_versions(self) -> Dict[str, dict]:
"""Get a dict of beats and ecs versions per stack release."""
stack_versions = get_stack_schemas(self.min_stack_version or MIN_FLEET_PACKAGE_VERSION)
stack_versions = get_stack_schemas(self.min_stack_version)
return stack_versions
detection_rules/schemas/__init__.py
+23 -3
View File
@@ -20,6 +20,7 @@ __all__ = (
"definitions",
"downgrade",
"get_stack_schemas",
"get_stack_versions",
"validate_rta_mapping",
"all_versions",
)
@@ -197,6 +198,12 @@ def migrate_to_8_2(version: Version, api_contents: dict) -> dict:
return strip_additional_properties(version, api_contents)
@migrate("8.3")
def migrate_to_8_3(version: Version, api_contents: dict) -> dict:
"""Default migration for 8.3."""
return strip_additional_properties(version, api_contents)
def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict:
"""Downgrade a rule to a target stack version."""
from ..packaging import current_stack_version
@@ -222,11 +229,11 @@ def downgrade(api_contents: dict, target_version: str, current_version: Optional
@cached
def get_stack_schemas(stack_version: str) -> OrderedDictType[str, dict]:
"""Return all ECS + beats to stack versions for a every stack version >= specified stack version and <= package."""
def get_stack_schemas(stack_version: Optional[str] = '0.0.0') -> OrderedDictType[str, dict]:
"""Return all ECS + beats to stack versions for every stack version >= specified stack version and <= package."""
from ..packaging import load_current_package_version
stack_version = Version(stack_version)
stack_version = Version(stack_version or '0.0.0')
current_package = Version(load_current_package_version())
if len(current_package) == 2:
@@ -241,3 +248,16 @@ def get_stack_schemas(stack_version: str) -> OrderedDictType[str, dict]:
versions_reversed = OrderedDict(sorted(versions.items(), reverse=True))
return versions_reversed
def get_stack_versions(drop_patch=True, reverse=True) -> List[str]:
"""Get a list of stack versions supported (for the matrix)."""
versions = reversed(get_stack_schemas()) if reverse else list(get_stack_schemas())
if drop_patch:
abridged_versions = []
for version in versions:
abridged, _ = version.rsplit('.', 1)
abridged_versions.append(abridged)
return abridged_versions
else:
return versions
detection_rules/version_lock.py
+5 -3
View File
@@ -12,7 +12,7 @@ import click
from .mixins import LockDataclassMixin, MarshmallowDataclassMixin
from .rule_loader import RuleCollection
from .schemas import definitions
from .schemas import definitions, get_stack_versions
from .semver import Version
from .utils import cached, get_etc_path
@@ -82,9 +82,11 @@ class DeprecatedRulesFile(LockDataclassMixin):
def _convert_lock_version(stack_version: Optional[str]) -> Version:
"""Convert an optional stack version to the minimum for the lock."""
versions = get_stack_versions(drop_patch=False)
min_version = min(Version(v) for v in versions)
if stack_version is None:
return MIN_LOCK_VERSION_DEFAULT
return max(Version(stack_version), MIN_LOCK_VERSION_DEFAULT)
return min_version
return max(Version(stack_version), min_version)
@cached
tests/test_gh_workflows.py
+34
View File
@@ -0,0 +1,34 @@
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
"""Tests for GitHub workflow functionality."""
import unittest
from pathlib import Path
import yaml
from detection_rules.schemas import get_stack_versions
from detection_rules.utils import get_path
from detection_rules.packaging import current_stack_version
GITHUB_FILES = Path(get_path()) / '.github'
GITHUB_WORKFLOWS = GITHUB_FILES / 'workflows'
class TestWorkflows(unittest.TestCase):
"""Test GitHub workflow functionality."""
def test_matrix_to_lock_version_defaults(self):
"""Test that the default versions in the lock-versions workflow mirror those from the schema-map."""
lock_workflow_file = GITHUB_WORKFLOWS / 'lock-versions.yml'
lock_workflow = yaml.safe_load(lock_workflow_file.read_text())
lock_versions = lock_workflow[True]['workflow_dispatch']['inputs']['branches']['default'].split(',')
matrix_versions = get_stack_versions()
# drop the current package since that should not be backported to (since it is main)
matrix_versions.remove(current_stack_version())
err_msg = 'lock-versions workflow default does not match current matrix in stack-schema-map'
self.assertListEqual(lock_versions, matrix_versions, err_msg)