[Fleet] Update template and packaging code for fleet packages (#1280)

* Update template and packaging code for fleet packages
* Fix linting
Ross Wolf
2021-06-15 07:54:50 -06:00
committed by GitHub
parent 12577f7380
commit 61e5b44c44
5 changed files with 76 additions and 35 deletions
+9 -9
@@ -1,15 +1,15 @@
Detection Rules
Copyright 2020 Elasticsearch B.V.
Copyright 2021 Elasticsearch B.V.
---
This product bundles rules based on https://github.com/BlueTeamLabs/sentinel-attack
which is available under a "MIT" license. The files based on this license are:
which is available under a "MIT" license. The rules based on this license are:
- defense_evasion_via_filter_manager
- discovery_process_discovery_via_tasklist_command
- persistence_priv_escalation_via_accessibility_features
- persistence_via_application_shimming
- defense_evasion_execution_via_trusted_developer_utilities
- "Potential Evasion via Filter Manager" (06dceabf-adca-48af-ac79-ffdf4c3b1e9a)
- "Process Discovery via Tasklist" (cc16f774-59f9-462d-8b98-d27ccd4519ec)
- "Potential Modification of Accessibility Binaries" (7405ddf1-6c8e-41ce-818f-48bea6bcaed8)
- "Potential Application Shimming via Sdbinst" (fd4a992d-6130-4802-9ff8-829b89ae801f)
- "Trusted Developer Application Usage" (9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1)
MIT License
@@ -35,9 +35,9 @@ SOFTWARE.
---
This product bundles rules based on https://github.com/FSecureLABS/leonidas
which is available under a "MIT" license. The files based on this license are:
which is available under a "MIT" license. The rules based on this license are:
- credential_access_secretsmanager_getsecretvalue.toml
- "AWS Access Secret in Secrets Manager" (a00681e3-9ed6-447c-ab2c-be648821c622)
MIT License
+25 -9
@@ -10,6 +10,7 @@ import hashlib
import json
import os
import shutil
import textwrap
from collections import defaultdict, OrderedDict
from pathlib import Path
from typing import List, Optional, Tuple
@@ -27,6 +28,7 @@ from .utils import Ndjson, get_path, get_etc_path, load_etc_dump, save_etc_dump
RELEASE_DIR = get_path("releases")
PACKAGE_FILE = get_etc_path('packages.yml')
NOTICE_FILE = get_path('NOTICE.txt')
FLEET_PKG_LOGO = get_etc_path("security-logo-color-64px.svg")
# CHANGELOG_FILE = Path(get_etc_path('rules-changelog.json'))
@@ -476,30 +478,44 @@ class Package(object):
manifest = RegistryPackageManifest.from_dict(self.registry_data)
package_dir = Path(save_dir).joinpath(manifest.version)
package_dir = Path(save_dir) / 'fleet' / manifest.version
docs_dir = package_dir / 'docs'
rules_dir = package_dir / 'kibana' / definitions.ASSET_TYPE
docs_dir.mkdir(parents=True)
rules_dir.mkdir(parents=True)
manifest_file = package_dir.joinpath('manifest.yml')
readme_file = docs_dir.joinpath('README.md')
notice_file = package_dir.joinpath('NOTICE.txt')
manifest_file = package_dir / 'manifest.yml'
readme_file = docs_dir / 'README.md'
notice_file = package_dir / 'NOTICE.txt'
logo_file = package_dir / 'img' / 'security-logo-color-64px.png'
manifest_file.write_text(yaml.safe_dump(manifest.asdict()))
logo_file.parent.mkdir(parents=True)
shutil.copyfile(FLEET_PKG_LOGO, logo_file)
# shutil.copyfile(CHANGELOG_FILE, str(rules_dir.joinpath('CHANGELOG.json')))
for rule in self.rules:
asset_path = rules_dir / f'rule-{rule.id}.json'
asset_path = rules_dir / f'{rule.id}.json'
asset_path.write_text(json.dumps(rule.get_asset(), indent=4, sort_keys=True), encoding="utf-8")
readme_text = ('# Detection rules\n\n'
'The detection rules package stores all the security rules '
'for the detection engine within the Elastic Security application.\n\n')
notice_contents = Path(NOTICE_FILE).read_text()
readme_text = textwrap.dedent("""
# Detection rules
The detection rules package stores the prebuilt security rules for the Elastic Security [detection engine](https://www.elastic.co/guide/en/security/7.13/detection-engine-overview.html).
To download or update the rules, click **Settings** > **Install Prebuilt Security Detection Rules assets**.
Then [import](https://www.elastic.co/guide/en/security/master/rules-ui-management.html#load-prebuilt-rules)
the rules into the Detection engine.
## License Notice
""") + textwrap.indent(notice_contents, prefix=" ") # noqa: E501
readme_file.write_text(readme_text)
notice_file.write_text(Path(NOTICE_FILE).read_text())
notice_file.write_text(notice_contents)
def bump_versions(self, save_changes=False, current_versions=None):
"""Bump the versions of all production rules included in a release and optionally save changes."""
+13 -13
@@ -6,9 +6,9 @@
"""Definitions for packages destined for the registry."""
from dataclasses import dataclass, field
from typing import Dict, List, Type
from typing import Dict, List, Optional, Type
from marshmallow import Schema, validate
from marshmallow import Schema
from marshmallow_dataclass import class_schema
from .definitions import ConditionSemVer, SemVer
@@ -18,22 +18,22 @@ from .definitions import ConditionSemVer, SemVer
class RegistryPackageManifest:
"""Base class for registry packages."""
categories: List[str]
conditions: Dict[str, ConditionSemVer]
description: str
format_version: SemVer
icons: list
license: str
name: str
owner: Dict[str, str]
release: str
title: str
type: str
version: SemVer
categories: List[str] = field(default_factory=lambda: ['security'])
description: str = 'Rules for the detection engine in the Security application.'
format_version: SemVer = field(metadata=dict(validate=validate.Equal('1.0.0')), default='1.0.0')
icons: list = field(default_factory=list)
internal: bool = True
license: str = 'basic'
name: str = 'detection_rules'
owner: Dict[str, str] = field(default_factory=lambda: dict(github='elastic/protections'))
internal: Optional[bool] = None
policy_templates: list = field(default_factory=list)
release: str = 'experimental'
screenshots: list = field(default_factory=list)
title: str = 'Detection rules'
type: str = 'integration'
@classmethod
def get_schema(cls) -> Type[Schema]:
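Review bot: Dropping `validate` and the `validate.Equal('1.0.0')` metadata on `format_version` removes the only check that a loaded manifest uses the package format version this code produces; the field can stay required and still carry the constraint, `format_version: SemVer = field(metadata=dict(validate=validate.Equal('1.0.0')))`, with `validate` kept in the marshmallow import. If the intent is to let packages.yml set the format version freely, a short comment on the field saying so would keep the next reader from restoring the check. The class body continues beyond the hunk.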
+15 -4
@@ -24,9 +24,20 @@ package:
# elastic/integrations
registry_data:
# integration package schema version
format_version: "1.0.0"
categories: ["security"]
conditions:
kibana_version: "^7.13.0"
# this determines the version for the package-storage generated artifact
version: "0.0.1-dev.3"
description: "Prebuilt detection rules for Elastic Security"
format_version: "1.0.0"
icons:
- src: "/img/security-logo-color-64px.svg"
size: "16x16"
type: "image/svg+xml"
license: basic
name: "detection_rules"
owner:
github: elastic/protections
release: "beta"
title: "Prebuilt Security Detection Rules"
type: "integration"
version: "0.13.0"
+14
@@ -0,0 +1,14 @@
<?xml version="1.0" encoding="UTF-8"?>
<svg width="64px" height="64px" viewBox="0 0 64 64" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<!-- Generator: Sketch 63.1 (92452) - https://sketch.com -->
<title>security-logo-color-64px</title>
<desc>Created with Sketch.</desc>
<g id="security-logo-color-64px" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
<rect id="bounding-box" x="0" y="0" width="64" height="64"></rect>
<g id="Group" transform="translate(9.000000, 4.000000)">
<path d="M11,13 L11,5.68434189e-14 L47,5.68434189e-14 L47,30 C47,37.0111899 34.7467341,41.6043834 30,43 L30,13 L11,13 Z" id="Shape" fill="#FA744E"></path>
<path d="M0,35.3983993 L0,18 L25,18 L25,56 C8.33333333,49.0564437 0,42.1892435 0,35.3983993 Z" id="Path" fill="#1DBAB0"></path>
<path d="M10,18 L25,18 L25,43 C19.4060122,40.9626041 10,36.2920291 10,30.4224321 L10,18 Z" id="Path" fill="#343741"></path>
</g>
</g>
</svg>
