From 51b7df861312277829a98ba31bc28250b92c99b9 Mon Sep 17 00:00:00 2001 From: Mika Ayenson Date: Thu, 2 Feb 2023 18:17:02 -0500 Subject: [PATCH] Check integrations cross major versions for older release support (#2520) --- detection_rules/etc/non-ecs-schema.json | 29 +++++++++++++++---------- detection_rules/integrations.py | 8 ++++++- 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index 0fd8dc4f9..92f01754f 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -32,7 +32,7 @@ "RelativeTargetName": "keyword", "ShareName": "keyword", "SubjectLogonId": "keyword", - "SubjectUserName": "keyword", + "SubjectUserName": "keyword", "SubjectUserSid": "keyword", "TargetUserName": "keyword", "TargetImage": "keyword", @@ -45,16 +45,16 @@ "AuthenticationPackageName" : "keyword", "TargetUserSid" : "keyword", "LogonProcessName": "keyword", - "DnsHostName" : "keyword", - "ServiceFileName": "keyword", - "ImagePath": "keyword", - "TaskName": "keyword", + "DnsHostName" : "keyword", + "ServiceFileName": "keyword", + "ImagePath": "keyword", + "TaskName": "keyword", "Status": "keyword", - "EnabledPrivilegeList": "keyword", + "EnabledPrivilegeList": "keyword", "OperationType": "keyword" } }, - "winlog.logon.type": "keyword", + "winlog.logon.type": "keyword", "winlog.logon.id": "keyword", "powershell.file.script_block_text": "text" }, 
@@ -63,14 +63,14 @@ }, "logs-endpoint.events.*": { "process.Ext.token.integrity_level_name": "keyword", - "process.parent.Ext.real.pid": "long", - "process.Ext.effective_parent.executable": "keyword", + "process.parent.Ext.real.pid": "long", + "process.Ext.effective_parent.executable": "keyword", "process.Ext.effective_parent.name": "keyword", - "file.Ext.header_bytes": "keyword", + "file.Ext.header_bytes": "keyword", "file.Ext.entropy": "long", "file.size": "long", "file.Ext.original.name": "keyword", - "dll.Ext.relative_file_creation_time": "double", + "dll.Ext.relative_file_creation_time": "double", "dll.Ext.relative_file_name_modify_time": "double", "process.Ext.relative_file_name_modify_time": "double", "process.Ext.relative_file_creation_time": "double" @@ -102,11 +102,16 @@ "kubernetes.audit.objectRef.serviceAccountName": "keyword", "kubernetes.audit.requestObject.spec.serviceAccountName": "keyword", "kubernetes.audit.responseStatus.reason": "keyword", - "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "keyword", + "kubernetes.audit.requestObject.spec.containers.securityContext.capabilities.add": "keyword", "kubernetes.audit.requestObject.spec.containers.image": "text" }, ".alerts-security.*": { "signal.rule.name": "keyword", "kibana.alert.rule.threat.tactic.id": "keyword" + }, + "logs-google_workspace*": { + "gsuite.admin": "keyword", + "gsuite.admin.new_value": "keyword", + "gsuite.admin.setting.name": "keyword" } } diff --git a/detection_rules/integrations.py b/detection_rules/integrations.py index 272970c8d..9ebc5b36b 100644 --- a/detection_rules/integrations.py +++ b/detection_rules/integrations.py 
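Review bot: In the `logs-google_workspace*` block, `"gsuite.admin": "keyword"` declares `gsuite.admin` as a leaf field while the two lines beneath it declare `gsuite.admin.new_value` and `gsuite.admin.setting.name` under the same path. If this schema is only flattened into a field-name-to-type lookup for rule validation that is harmless, but in an Elasticsearch-style mapping a path cannot be both a keyword and an object, so it is worth confirming that a rule actually queries `gsuite.admin` itself; if none does, drop the parent entry, and if one does, record why in the PR description since strict JSON has no room for a comment. The other hunks in this file are trailing-whitespace cleanup only.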
@@ -197,9 +197,15 @@ def find_latest_compatible_version(package: str, integration: str, f"Update the rule min_stack version from {rule_stack_version} to " f"{highest_compatible_version} if using new features in this latest version.") - elif int(highest_compatible_version[0]) == int(rule_stack_version[0]): + if int(highest_compatible_version[0]) == int(rule_stack_version[0]): return version, notice + else: + # Check for rules that cross majors + for compatible_version in compatible_versions: + if Version(compatible_version) <= Version(rule_stack_version): + return version, notice + raise ValueError(f"no compatible version for integration {package}:{integration}")
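Review bot: The new `else` branch returns the package as soon as any entry in `compatible_versions` is `<=` the rule's stack version; their derivation is above the hunk, but if these are the lower bounds of the manifest's supported ranges this also matches a manifest whose newest supported major is older than the rule's (a 7.x-only requirement against an 8.x rule), where the old code fell through to the next manifest and ultimately the `raise ValueError`. Guarding the fallback with `highest major > rule major` keeps the intended older-release support while preserving that fall-through. The retained `int(highest_compatible_version[0]) == int(rule_stack_version[0])` compares only the first character, so a two-digit major (e.g. a constructed `"10.0.0"`) would be misread; compare the major component instead (`int(v.split(".")[0])` if these are dotted strings, or the `Version` object's major field if it exposes one). `Version(rule_stack_version)` is rebuilt on every loop iteration and can be hoisted, and the `else:` after a `return` is redundant. The function's signature and the notice-setting branch are above the hunk.
```python
        # … unchanged: notice set when highest_compatible_version is newer than the rule's stack …
        rule_version = Version(rule_stack_version)
        highest_major = int(highest_compatible_version.split(".")[0])
        rule_major = int(rule_stack_version.split(".")[0])
        if highest_major == rule_major:
            return version, notice
        if highest_major > rule_major:
            # Rules that cross majors: the integration's newest supported stack is
            # newer than the rule's, so accept it only if one of its declared lower
            # bounds is at or below the rule's stack version.
            for compatible_version in compatible_versions:
                if Version(compatible_version) <= rule_version:
                    return version, notice
        # … unchanged: raise ValueError when no manifest matches …
```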