[Bug] Tighten definitions validation patterns (#1396)

* [Bug] Anchor validation patterns * Deprecate rule with invalid rule_id and duplicate as new one Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> (cherry picked from commit ab17dfcc28)
2021-10-26 10:26:20 -05:00
parent cd3cef5996
commit cb3d90040e
3 changed files with 57 additions and 10 deletions
@@ -13,22 +13,22 @@ from marshmallow_dataclass import NewType
 ASSET_TYPE = "security_rule"
 SAVED_OBJECT_TYPE = "security-rule"

-DATE_PATTERN = r'\d{4}/\d{2}/\d{2}'
+DATE_PATTERN = r'^\d{4}/\d{2}/\d{2}$'
 MATURITY_LEVELS = ['development', 'experimental', 'beta', 'production', 'deprecated']
 OS_OPTIONS = ['windows', 'linux', 'macos']
-PR_PATTERN = r'^$|\d+'
-SHA256_PATTERN = r'[a-fA-F0-9]{64}'
-UUID_PATTERN = r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
+PR_PATTERN = r'^$|\d+$'
+SHA256_PATTERN = r'^[a-fA-F0-9]{64}$'
+UUID_PATTERN = r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'

 _version = r'\d+\.\d+(\.\d+[\w-]*)*'
 CONDITION_VERSION_PATTERN = rf'^\^{_version}$'
 VERSION_PATTERN = f'^{_version}$'
 BRANCH_PATTERN = f'{VERSION_PATTERN}|^master$'

-INTERVAL_PATTERN = r'\d+[mshd]'
-TACTIC_URL = r'https://attack.mitre.org/tactics/TA[0-9]+/'
-TECHNIQUE_URL = r'https://attack.mitre.org/techniques/T[0-9]+/'
-SUBTECHNIQUE_URL = r'https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/'
+INTERVAL_PATTERN = r'^\d+[mshd]$'
+TACTIC_URL = r'^https://attack.mitre.org/tactics/TA[0-9]+/$'
+TECHNIQUE_URL = r'^https://attack.mitre.org/techniques/T[0-9]+/$'
+SUBTECHNIQUE_URL = r'^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$'
 MACHINE_LEARNING = 'machine_learning'
 SAVED_QUERY = 'saved_query'
 QUERY = 'query'
@@ -0,0 +1,47 @@
+[metadata]
+creation_date = "2021/06/06"
+deprecation_date = "2021/08/02"
+integration = "aws"
+maturity = "deprecated"
+updated_date = "2021/08/02"
+
+[rule]
+author = ["Elastic"]
+description = "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot."
+false_positives = [
+    """
+    Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent,
+    and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should
+    be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+    """,
+]
+from = "now-60m"
+index = ["filebeat-*", "logs-aws*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "AWS RDS Snapshot Export"
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"]
+risk_score = 21
+rule_id = "119c8877-8613-416d-a98a-96b6664ee73a5"
+severity = "low"
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+
+[rule.threat.tactic]
+name = "Exfiltration"
+id = "TA0010"
+reference = "https://attack.mitre.org/tactics/TA0010/"
+
@@ -25,7 +25,7 @@ note = """## Config
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"]
 risk_score = 21
-rule_id = "119c8877-8613-416d-a98a-96b6664ee73a5"
+rule_id = "119c8877-8613-416d-a98a-96b6664ee73a"
 severity = "low"
 tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 timestamp_override = "event.ingested"
@@ -40,7 +40,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti
 framework = "MITRE ATT&CK"

 [rule.threat.tactic]
-id = "TA0010"
 name = "Exfiltration"
+id = "TA0010"
 reference = "https://attack.mitre.org/tactics/TA0010/"