[Bug] Duplicate tag on Okta rule (#3020)

* Fix double tag on rule

* fixed all rules; added unit test

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 4f33a40f48)
Steve Ross
2023-08-21 10:42:47 -04:00
committed by github-actions[bot]
parent 8058b4054c
commit 32f4fe26ba
21 changed files with 51 additions and 54 deletions
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -64,7 +64,7 @@ references = [
risk_score = 73
rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
severity = "high"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
timestamp_override = "event.ingested"
type = "query"
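Review bot: The deduplicated `tags` line (the shorter one, which I read as the new side since the +/- markers are lost in this rendering) also reorders the surviving tags, and the Okta sections do so inconsistently: this file ends up `["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]`, the sections for rules e08ccd49, 97a8e584, 42bf698b, cdbebdc1, cc92c835 and 000047bb move `Data Source: Okta` to the end, rule e90ee3af keeps the original order, and the 4edd3e1a/cd89602e/729aa18d/cd16fb10 and network_traffic sections move the `Tactic:` tag to the front. Removing only the repeated element, here `["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"]`, would limit each diff to the one bad tag and make the fix easier to audit. If a fixed tag order is intended, a sibling of the new `test_no_duplicate_tags` that asserts that order would keep it from drifting again; otherwise the reordering is just churn that obscures the metadata change.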
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -63,7 +63,7 @@ references = [
risk_score = 47
rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
type = "threshold"
query = '''
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -61,7 +61,7 @@ references = [
risk_score = 73
rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
severity = "high"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
type = "eql"
query = '''
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -63,7 +63,7 @@ references = [
risk_score = 47
rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
type = "threshold"
query = '''
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -57,12 +57,7 @@ references = [
risk_score = 73
rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911"
severity = "high"
tags = [
"Use Case: Identity and Access Audit",
"Data Source: Okta",
"Use Case: Identity and Access Audit",
"Tactic: Credential Access",
]
tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -71,12 +71,7 @@ references = [
risk_score = 47
rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
severity = "medium"
tags = [
"Use Case: Identity and Access Audit",
"Data Source: Okta",
"Use Case: Identity and Access Audit",
"Tactic: Defense Evasion",
]
tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -69,12 +69,7 @@ references = [
risk_score = 21
rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
severity = "low"
tags = [
"Use Case: Identity and Access Audit",
"Data Source: Okta",
"Use Case: Identity and Access Audit",
"Tactic: Defense Evasion",
]
tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -63,7 +63,7 @@ references = [
risk_score = 47
rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"]
type = "threshold"
query = '''
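Review bot: This section fixes the duplicate tag for rule e90ee3af-45fc-432e-a850-4a58cf14a457 but, unlike every other rule file in the commit, shows no `updated_date = "2023/08/17"` hunk, so the rule's metadata would not reflect its last change. Unless the date hunk was merely cut from this rendering, it should be bumped the same way as the other sections so the rule metadata stays consistent across the set touched by this fix.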
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -24,7 +24,7 @@ references = [
risk_score = 21
rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
severity = "low"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
risk_score = 21
rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
severity = "low"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
risk_score = 21
rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"
severity = "low"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
risk_score = 47
rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ name = "IPSEC NAT Traversal Port Activity"
risk_score = 21
rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
severity = "low"
tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
risk_score = 21
rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
severity = "low"
tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 47
rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
severity = "medium"
tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
timeline_title = "Comprehensive Network Timeline"
timestamp_override = "event.ingested"
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 73
rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
severity = "high"
tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 47
rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
severity = "medium"
tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 73
rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
severity = "high"
tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"]
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 73
rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
severity = "high"
tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"]
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 73
rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
severity = "high"
tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"]
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
timestamp_override = "event.ingested"
type = "query"
+12
@@ -424,6 +424,18 @@ class TestRuleTags(BaseRuleTest):
if invalid:
self.fail(f'Rules with invalid tags:\n{invalid}')
def test_no_duplicate_tags(self):
"""Ensure no rules have duplicate tags."""
invalid = []
for rule in self.all_rules:
rule_tags = rule.contents.data.tags
if len(rule_tags) != len(set(rule_tags)):
invalid.append(self.rule_str(rule))
if invalid:
self.fail(f'Rules with duplicate tags:\n{invalid}')
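Review bot: The failure message in `self.fail(f'Rules with duplicate tags:\n{invalid}')` names the offending rule but not which tag is repeated, so a developer has to reopen the rule file to find what to fix; collecting the duplicates makes the report actionable, e.g. `duplicates = sorted({t for t in rule_tags if rule_tags.count(t) > 1})` followed by `if duplicates: invalid.append(f'{self.rule_str(rule)}: {duplicates}')` in place of the `len(set(...))` comparison. If `tags` can be absent on a rule (the schema is outside this hunk), `len(rule_tags)` would raise rather than report, so `rule_tags = rule.contents.data.tags or []` is a cheap guard to confirm against the rule schema. The enclosing class `TestRuleTags` begins outside the hunk.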
class TestRuleTimelines(BaseRuleTest):
"""Test timelines in rules are valid."""