security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Bug] Annotated Fields Ignored (#5125)

Browse Source 
* Add Note for stop gap
This commit is contained in:
Eric Forte
2025-09-17 17:34:42 -04:00
committed by GitHub
parent 8f79d58f3f
commit 80c01cf665
2 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/schemas/definitions.py
+6 -3
View File
@@ -66,8 +66,11 @@ OS_OPTIONS = ["windows", "linux", "macos"]
NAME_PATTERN = re.compile(r"^[a-zA-Z0-9].+?[a-zA-Z0-9\[\]()]$")
PR_PATTERN = re.compile(r"^$|\d+$")
SHA256_PATTERN = re.compile(r"^[a-fA-F0-9]{64}$")
UUID_PATTERN = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
# NOTE this additional bad UUID pattern is a stop gap until the rule has been deprecated
UUID_PATTERN = re.compile(
r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" # UUID pattern
r"|^7eb54028-ca72-4eb7-8185-b6864572347db$" # Additional pattern of known bad UUID
)
_version = r"\d+\.\d+(\.\d+[\w-]*)*"
CONDITION_VERSION_PATTERN = re.compile(rf"^\^{_version}$")
VERSION_PATTERN = f"^{_version}$"
@@ -108,7 +111,7 @@ QUERY = "query"
QUERY_FIELD_OP_EXCEPTIONS = ["powershell.file.script_block_text"]
# we had a bad rule ID make it in before tightening up the pattern, and so we have to let it bypass
KNOWN_BAD_RULE_IDS = Literal["119c8877-8613-416d-a98a-96b6664ee73a5"]
KNOWN_BAD_RULE_IDS = Literal["119c8877-8613-416d-a98a-96b6664ee73a5", "7eb54028-ca72-4eb7-8185-b6864572347db"]
KNOWN_BAD_DEPRECATED_DATES = Literal["2021-03-03"]
# Known Null values that cannot be handled in TOML due to lack of Null value support via compound dicts
KNOWN_NULL_ENTRIES = [{"rule.actions": "frequency.throttle"}]
pyproject.toml
+2 -2
View File
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.4.4"
version = "1.4.5"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
@@ -25,7 +25,7 @@ dependencies = [
"jsl==0.2.4",
"jsonschema>=4.21.1",
"marko==2.0.3",
"marshmallow-dataclass[union]==8.6.1",
"marshmallow-dataclass==8.7.1",
"marshmallow-jsonschema~=0.13.0",
"marshmallow-union~=0.1.15",
"marshmallow~=3.26.1",