security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Expand timestamp override tests (#1907)

Browse Source 
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
This commit is contained in:
Justin Ibarra
2022-04-01 15:27:08 -08:00
committed by GitHub
parent 648daf1237
commit 6bdfddac8e
233 changed files with 1695 additions and 731 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/rule.py
+6 -1
View File
@@ -294,10 +294,15 @@ class EQLRuleData(QueryRuleData):
else:
return self.convert_time_span(lookback)
@cached_property
def is_sequence(self) -> bool:
"""Checks if the current rule is a sequence-based rule."""
return eql.utils.get_query_type(self.ast) == 'sequence'
@cached_property
def max_span(self) -> Optional[int]:
"""Maxspan value for sequence rules if defined."""
if eql.utils.get_query_type(self.ast) == 'sequence' and hasattr(self.ast.first, 'max_span'):
if self.is_sequence and hasattr(self.ast.first, 'max_span'):
return self.ast.first.max_span.as_milliseconds() if self.ast.first.max_span else None
@cached_property