security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Adding related integrations to ML rules (#2972)

Browse Source 
* Adding related integrations to ML rules

* added adjustments to determine related integrations for ML rules

* fixed lint errors

* Empty commit

* Empty commit

* Empty commit

---------

Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.lan>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.fritz.box>
This commit is contained in:
Apoorva Joshi
2023-08-22 20:39:18 +02:00
committed by GitHub
parent 2ddcf7817e
commit 9482bda414
43 changed files with 108 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/rule.py
+24 -21
View File
@@ -1001,30 +1001,33 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
current_stack_version = load_current_package_version()
if self.check_restricted_field_version(field_name):
if isinstance(self.data, QueryRuleData) and self.data.language != 'lucene':
package_integrations = self.get_packaged_integrations(self.data, self.metadata, packages_manifest)
if (isinstance(self.data, QueryRuleData) or isinstance(self.data, MachineLearningRuleData)):
if (self.data.get('language') is not None and self.data.get('language') != 'lucene') or \
self.data.get('type') == 'machine_learning':
package_integrations = self.get_packaged_integrations(self.data, self.metadata,
packages_manifest)
if not package_integrations:
return
if not package_integrations:
return
for package in package_integrations:
package["version"] = find_least_compatible_version(
package=package["package"],
integration=package["integration"],
current_stack_version=current_stack_version,
packages_manifest=packages_manifest)
for package in package_integrations:
package["version"] = find_least_compatible_version(
package=package["package"],
integration=package["integration"],
current_stack_version=current_stack_version,
packages_manifest=packages_manifest)
# if integration is not a policy template remove
if package["version"]:
policy_templates = packages_manifest[
package["package"]][package["version"].strip("^")]["policy_templates"]
if package["integration"] not in policy_templates:
del package["integration"]
# if integration is not a policy template remove
if package["version"]:
policy_templates = packages_manifest[
package["package"]][package["version"].strip("^")]["policy_templates"]
if package["integration"] not in policy_templates:
del package["integration"]
# remove duplicate entries
package_integrations = list({json.dumps(d, sort_keys=True):
d for d in package_integrations}.values())
obj.setdefault("related_integrations", package_integrations)
# remove duplicate entries
package_integrations = list({json.dumps(d, sort_keys=True):
d for d in package_integrations}.values())
obj.setdefault("related_integrations", package_integrations)
def _convert_add_required_fields(self, obj: dict) -> None:
"""Add restricted field required_fields to the obj, derived from the query AST."""
@@ -1123,7 +1126,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
rule_integrations = meta.get("integration", [])
if rule_integrations:
for integration in rule_integrations:
if integration in definitions.NON_DATASET_PACKAGES:
if integration in definitions.NON_DATASET_PACKAGES or isinstance(data, MachineLearningRuleData):
packaged_integrations.append({"package": integration, "integration": None})
for value in sorted(datasets):
rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
+2 -1
View File
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 50
rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
+2 -1
View File
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 50
rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
+2 -1
View File
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 50
rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
+2 -1
View File
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 50
rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2021/06/10"
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2021/06/10"
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2021/06/10"
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/09/22"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/09/22"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/credential_access_ml_suspicious_login_activity.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/09/22"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/09/22"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/discovery_ml_linux_system_information_discovery.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/09/03"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
+2 -1
View File
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2020/09/03"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 25
rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/09/03"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/discovery_ml_linux_system_process_discovery.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/09/03"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/discovery_ml_linux_system_user_discovery.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/09/03"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/execution_ml_windows_anomalous_script.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2021/06/10"
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2021/06/10"
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/initial_access_ml_auth_rare_user_logon.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2021/06/10"
integration = ["auditd_manager", "endpoint", "system"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/initial_access_ml_linux_anomalous_user_name.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/ml_high_count_network_denies.toml
+2 -1
View File
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2021/04/05"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 75
rules/ml/ml_high_count_network_events.toml
+2 -1
View File
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2021/04/05"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 75
rules/ml/ml_linux_anomalous_network_activity.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/ml_linux_anomalous_network_port_activity.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/ml_packetbeat_rare_server_domain.toml
+2 -1
View File
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2020/03/25"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 50
rules/ml/ml_rare_destination_country.toml
+2 -1
View File
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2021/04/05"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 75
rules/ml/ml_spike_in_traffic_to_a_country.toml
+2 -1
View File
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2021/04/05"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 75
rules/ml/ml_windows_anomalous_network_activity.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/persistence_ml_rare_process_by_host_linux.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/persistence_ml_rare_process_by_host_windows.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/persistence_ml_windows_anomalous_service.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/09/03"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
+2 -1
View File
@@ -1,7 +1,8 @@
[metadata]
creation_date = "2020/09/03"
integration = ["auditd_manager", "endpoint"]
maturity = "production"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"