[FR] Add support for building block rules (BBR) (#2822)

* added test bbr * initial implementation * Added Unit test and exempted bbr from integrations * fixed linting * Add schema validation to building block rules * add separate error messages * fixed linting * Add testing bbr validation * fixed linting * Add default values * fixed linting * added defaults * fixed linting * cleaned up test rule * removed .gitkeep * read .gitkeep * Switch to using validates_schema * addressing some linting * fixed linting * Update detection_rules/schemas/definitions.py Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * add env variable check * fix skip function * updated name * Update detection_rules/schemas/definitions.py Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Add bbr validation unit test * Clean up comments * fix linting * Move convert time to utils * Moved to rules_building_block * Add check for only bbr in bbr dir * fix linting * additional linting fix * Changed to bbr rule loader * fixed bbr default * Updated error messages and README * fixed more linting * Updating root level README * Fixed convert_time_span calls * fixed typo in unit test logic and updated txt * fixed error message * updated comment for clarity * Update detection_rules/rule.py Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update detection_rules/rule.py Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Updated validation methods for clarity * fix doctring location * Fixed typo * updated error messages. * removed excess whitespace * Add per rule bypass * Add single rule bypass * Split unit tests * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-20 13:00:30 +00:00
parent dc05f1d8f3
commit 6449cecd08
9 changed files with 165 additions and 23 deletions
@@ -24,15 +24,16 @@ This repository was first announced on Elastic's blog post, [Elastic Security op

 Detection Rules contains more than just static rule files. This repository also contains code for unit testing in Python and integrating with the Detection Engine in Kibana.

-| folder                                |  description                                                                        |
-|-------------------------------------- |------------------------------------------------------------------------------------ |
-| [`detection_rules/`](detection_rules) | Python module for rule parsing, validating and packaging                            |
-| [`detection_rules/etc/`](etc)         | Miscellaneous files, such as ECS and Beats schemas                                  |
-| [`kibana/`](kibana)                   | Python library for handling the API calls to Kibana and the Detection Engine        |
-| [`kql/`](kql)                         | Python library for parsing and validating Kibana Query Language                     |
-| [`rta/`](rta)                         | Red Team Automation code used to emulate attacker techniques, used for rule testing |
-| [`rules/`](rules)                     | Root directory where rules are stored                                               |
-| [`tests/`](tests)                     | Python code for unit testing rules                                                  |
+| folder                                          |  description                                                                        |
+|------------------------------------------------ |------------------------------------------------------------------------------------ |
+| [`detection_rules/`](detection_rules)           | Python module for rule parsing, validating and packaging                            |
+| [`detection_rules/etc/`](etc)                   | Miscellaneous files, such as ECS and Beats schemas                                  |
+| [`kibana/`](kibana)                             | Python library for handling the API calls to Kibana and the Detection Engine        |
+| [`kql/`](kql)                                   | Python library for parsing and validating Kibana Query Language                     |
+| [`rta/`](rta)                                   | Red Team Automation code used to emulate attacker techniques, used for rule testing |
+| [`rules/`](rules)                               | Root directory where rules are stored                                               |
+| [`rules_building_block/`](rules_building_block) | Root directory where building block rules are stored                                |
+| [`tests/`](tests)                               | Python code for unit testing rules                                                  |


 ## Getting started