Terrance DeJesus
829f5ea885
[Bug] Add Integration Schema Validation to NewTermsRuleData.validate Method ( #3227 )
...
* adjusted validation method to include integration schema checks
* fixed linting errors
* re-factored NewTermsRuleData and added unit testing
2023-11-02 16:52:18 -04:00
Terrance DeJesus
cdeb398ab3
[FR] Adjust Prebuilt Rules Packaging to Use Elastic Package v3 ( #3252 )
...
* Adding support for elastic package version 3
* replaced OS with Pathlib where applicable
* added sub-dataclasses for V3
* fixed flake errors
* adjusted registry dataclasses to inherit base
2023-11-01 12:47:40 -04:00
Mika Ayenson
d0b0216362
[FR] Support missing events ( #3153 )
2023-10-31 16:20:52 -05:00
Apoorva Joshi
a4f9cf4616
[New Rule] Adding Beaconing Rules from Advanced Analytic Beaconing Package ( #3128 )
...
* Adding beaconing rules
* Update rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
* Update rules/integrations/beaconing/command_and_control_beaconing.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
* Updating min stack version
* added beaconing to manifests and schemas; updated rules
---------
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-10-30 10:05:24 -04:00
Mika Ayenson
a808130390
Cleanup saved_query references ( #3205 )
2023-10-26 18:07:33 -05:00
github-actions[bot]
ab6f28a380
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 ( #3223 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-10-24 14:01:11 -04:00
shashank-elastic
7254c582c5
Move Setup information into setup field ( #3206 )
2023-10-23 19:28:18 +05:30
Terrance DeJesus
3ab57fb8a7
[FR] Adding Support for missing_field_strategy Field in Alert Suppression ( #3201 )
...
* adding missing field strategy option to alert suppression
* fixed linting errors
* added validate methods for alertsuppression dataclass
* fixed linting errors
* replaced old variable with new variable
* removing test rule
* adding post_load to queryruledata
* changed post_load to validates_schema
* updated unit testing for alert suppression
* fixed linting errors
* changed validates method name to validates_exceptions
* removed min compat for fields
2023-10-19 18:16:54 -04:00
Apoorva Joshi
a5a606e804
[New Rule] Adding DGA Rules from Advanced Analytic DGA Package ( #3102 )
...
* Adding DGA rules
* Adding references
* updated rule tags and queries
* Updating min stack version
* added logic to handle ml jobs
* added code comments for clarity
* removing subbed security docs folder
* added event dataset to queries for endpoint; updated note
* removed event dataset
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-10-16 15:48:54 -04:00
github-actions[bot]
2b0735024e
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 ( #3183 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-10-13 15:10:49 -04:00
Terrance DeJesus
b4f8fc3290
[FR] 8.11 Release Preparation and Update Main Branch to 8.12 ( #3182 )
...
* prepping for 8.12 branch
* added analytic manifests and schemas
* fix linting issues
* updated analytic package manifests and schemas
2023-10-13 13:37:21 -04:00
Terrance DeJesus
1e514afa57
[New Rule] Migrate Lateral Movement Detection Rules ( #3175 )
...
* adding LMD rules
* added setup note; updated references
* adds 2.0.0 lmd manifest and schema
* adjusted min-stack for non-ML rules
2023-10-12 15:02:19 -04:00
Terrance DeJesus
3e212e2b74
[FR] Add ML Jobs to Schemas and Unit Test for Validation ( #3161 )
...
* adding machine learning job id validation
* Update rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
* Update tests/test_all_rules.py
* adding integration manifests and schemas from main
* rebuilt manifests and schemas with lmd
* fixed unit test linting
* adding manifests and schemas for other analytic packages
* updated manifests and schemas; adjusted unit test for verbosity
* sorted imports
2023-10-12 10:51:12 -04:00
Justin Ibarra
7f8a9849c4
[New Rule] File Compressed or Archived into Common Format ( #3173 )
...
* [New Rule] File Compressed or Archived into Common Format
* new build-threat-map-entry-command
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-11 11:34:34 -07:00
eric-forte-elastic
9f61ce4923
[FR] Only supporting known compatible rule file types ( #3167 )
...
* Only supporting known compatible file types
* Add --ignore-invalid-files flag
* Added support to ignore invalid rule files
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/main.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* reverting main
* add punctuation
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-10-11 11:43:42 -04:00
Ruben Groenewoud
4cdf52129a
[Tuning] Windows Discovery Rule Tuning for UEBA ( #3097 )
...
* [Tuning] Win DR Tuning for UEBA
* Need to get used to Windows formatting
* Added additional content
* Updated min stack
* Added additional tuning
* Fixed unit testing for KQL optimization
* Update rules_building_block/discovery_internet_capabilities.toml
* Additional tuning
* Kuery optimization
* Additional tuning
* Additional tuning
* Additional tuning
* Additional tuning
* Unit testing optimization fix
* optimization
* tuning
* Optimization
* Update rules/windows/discovery_privileged_localgroup_membership.toml
* Added feedback
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* added host.id as additional new_terms field
* Reworked a lot.
* kibana.alert.rule.rule_id to non-ecs-schema.json
* Fixed index by adding a dot
* fixed typo
* Added host.os.type:windows for signals
* Added additional tag
* Added Higher-Order Rule tag
* Stripped down signal rules down to two
* revert
* Update rules/windows/discovery_admin_recon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_generic_registry_query.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update discovery_generic_registry_query.toml
* Readded exclusions
* Added trailing wildcards for KQL
* Update discovery_privileged_localgroup_membership.toml
* Update rules_building_block/discovery_signal_unusual_user_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Formatting fix
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-11 09:43:26 +02:00
Isai
ef8f5620e1
[New Rule] New GitHub Owner Added ( #3090 )
...
* [New Rule] New GitHub Owner Added
new rule
* name change
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-10-06 15:57:26 -04:00
Terrance DeJesus
57c05f0444
removing lmd rules and fixing version lock history ( #3159 )
2023-10-05 12:16:53 -04:00
github-actions[bot]
0e2ae5b9ef
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3155 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-10-03 14:34:22 -04:00
Mika Ayenson
e4b66c23dc
[Bug] Create Rule CLI Crashes on Required Arg ( #3127 )
2023-09-28 14:28:13 -05:00
Apoorva Joshi
747ee7d593
[New Rule] Adding Lateral Movement Rules from Advanced Analytic LMD Package ( #3119 )
...
* Adding Lateral Movement Detection rules
* added tags; adjusted tests; updated manifests and schemas
* added default value to build_integrations_schema
* combined analytic and non-dataset packages for related integrations
* adjusted machine learning definitions
* adjusted machine learning definitions
* removed splat for machine learning list due to 3.8 constraints
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-09-27 14:53:38 -04:00
github-actions[bot]
de2b97a492
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3108 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-09-18 11:14:42 -04:00
Isai
904e37b732
[New Rule] GitHub Protected Branch Settings Changed ( #3054 )
...
* new rule file
* testing query change
* query changed back
* Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* updated integration manifests with github schema
* Update defense_evasion_github_protected_branch_settings_changed.toml
added event.dataset to query
* added timestamp_override
* changed timestamp_override to @timestamp
* changed timestamp_override
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-09-14 17:16:51 -04:00
Jonhnathan
af99186992
[New Rule] New BBR Rules - Part 3 ( #3034 )
...
* [New Rule] New BBR Rules - Part 3
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-09-12 21:28:01 -03:00
Mika Ayenson
20de1d8d1d
[FR] Add support for samples in eql 0.9.18 ( #3000 )
2023-09-07 09:01:28 -05:00
github-actions[bot]
87af5b43ba
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3079 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-09-06 13:21:22 -04:00
Jonhnathan
6d7df50d78
[New Rule] Suspicious WMI Event Subscription Created ( #1860 )
...
* Suspicious WMI Event Subscription Initial rule
* Use EQL sequence
* Update non-ecs-schema
* Update persistence_sysmon_wmi_event_subscription.toml
* update description
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* update query to look for event code 21 only
* update to case sensitive compare
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-08-29 16:42:19 -03:00
Apoorva Joshi
9482bda414
Adding related integrations to ML rules ( #2972 )
...
* Adding related integrations to ML rules
* added adjustments to determine related integrations for ML rules
* fixed lint errors
* Empty commit
* Empty commit
* Empty commit
---------
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.lan >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.fritz.box >
2023-08-22 14:39:18 -04:00
Jonhnathan
9144dc0448
[New Rule] Building Block Rules - Part 2 ( #2923 )
...
* [New Rule] Building Block Rules - Part 2
* .
* Update rules_building_block/defense_evasion_dll_hijack.toml
* Update rules_building_block/defense_evasion_file_permission_modification.toml
* Update rules_building_block/discovery_posh_password_policy.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-17 13:00:50 -03:00
github-actions[bot]
4cf70654ad
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3019 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/deprecated_rules.json
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-08-17 09:09:05 -04:00
Terrance DeJesus
08b646aa94
[FR] 8.10 Release Preparation and Update Main Branch to 8.11 ( #3012 )
...
* prepping for 8.11 branch
* fixed lint errors
* added 8.11 to stack schema map
* trimmed version lock file; adjusted new terms validation
* reverting changes to version lock, stack schema and workflow
2023-08-16 14:23:44 -04:00
Mika Ayenson
3f9e7aced1
[Bug] Strip Non-Public Fields Prior to Uploading Rules ( #2986 )
2023-08-02 12:38:48 -05:00
github-actions[bot]
1cb5c174ce
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 ( #2988 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9
* Update detection_rules/etc/version.lock.json
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-08-01 10:12:29 -04:00
eric-forte-elastic
ea26ea77d7
[FR] Update build-release to support bbr release ( #2987 )
...
* Fixes bug in unit tests
* fix rule paths
* removed unused import
2023-07-31 15:20:18 -04:00
Mika Ayenson
3813a08f59
[FR] Add support for BBR rules to the rule loader ( #2968 )
...
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2023-07-27 11:27:04 -05:00
Mika Ayenson
77b43d16e8
[FR] Generate Prebuilt Rules Reference Page ( #2964 )
2023-07-27 11:05:31 -05:00
Ruben Groenewoud
b330cf9438
[New Rule] Pspy Process Monitoring Detected ( #2945 )
...
* [New Rule] Pspy Process Monitoring Detected
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 15:58:33 +02:00
Terrance DeJesus
9f29129585
[FR] Add EQL Rule Type Configuration Fields ( #2918 )
...
* adding initial EQL fields to EQLRuleData
* added validation
* adjusted validation
* fixed flake errors
* adjusted type linting; variable names
* added a min_compat to EQL Rule fields
* Update detection_rules/rule_validators.py
* Update detection_rules/rule_validators.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-07-13 11:20:14 -04:00
github-actions[bot]
9414095d96
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 ( #2921 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9
* adding newline to start CI
* removing newline
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-07-11 19:57:02 -04:00
Mika Ayenson
2ff4584456
load unsupported rule type from schema ( #2893 )
2023-06-29 15:32:32 -04:00
github-actions[bot]
d9bc209c76
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 ( #2892 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-29 12:25:51 -04:00
Terrance DeJesus
35d373b2bd
[FR] 8.9 Release Preparation and Update Main Branch to 8.10 ( #2891 )
...
* adding new branch and refreshed schema
* fixed flake errors
2023-06-29 11:39:11 -04:00
Mika Ayenson
cec41b4072
[FR] Build a limited compatible rule ndjson for older stacks ( #2885 )
2023-06-29 10:18:24 -04:00
Terrance DeJesus
73970eb2f2
[FR] Add Support for Multi-Fields and Validation in Rules ( #2882 )
2023-06-28 20:35:33 -04:00
Jonhnathan
a7e605a0e5
[Rule Tuning] [BUG] Revert PowerShell Query modifications from #2823 ( #2889 )
...
* Revert query mods done in https://github.com/elastic/detection-rules/pull/2823
* Add exception to unit test
* fixed linting
* proper linting fix
* updated to add to definitions.py
* fix linting
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2023-06-28 15:55:43 -03:00
Jonhnathan
90c79a8283
[Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules ( #2777 )
...
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules
* .
* Update threat_intel_indicator_match_hash.toml
* Update to include expiring rules, exclude expiring indexes
* .
* Apply suggestions from code review
* Push changes
* Update pyproject.toml
* Revert "Update pyproject.toml"
This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.
* Update pyproject.toml
* Update integration-schemas.json.gz
* Revert "Update integration-schemas.json.gz"
This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.
* Revert integrations-manifests to the one from main
* Fix maturity
* Update Name
* Update ignore_ids with the indicator rules guid
* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml
* Make changes to use labels
* Update non-ecs-schema.json
* Update rules/cross-platform/threat_intel_fleet_integrations.toml
* Apply suggestions from code review
* Backport to 8.5
* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators
* Update threat_intel_indicator_match_hash.toml
* Update threat_intel_indicator_match_url.toml
* Update threat_intel_indicator_match_url.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-28 10:22:24 -03:00
github-actions[bot]
c94c79ba77
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8 ( #2883 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-27 12:00:19 -04:00
Terrance DeJesus
48cf95c8eb
[Rule Tuning] Change Network Rules to Use Network Packet Capture Integration ( #2665 )
...
* updated indexes and updated dates
* added network_traffic integration tag to rules
* reverting changes to resolve conflicts
* metadata changes; indexes changed; schemas and manifest updated
* updated default telnet port connection rule
* updating integration manifests
* adjusted rules; updated integrations; deduplicate packages
2023-06-26 17:35:49 -04:00
Terrance DeJesus
d829b145ef
[Bug] Fix Tag Navigator Generation ( #2875 )
...
* bug fix for tag navigator generation
* addressing flake errors
* added unit test to ensure prefix exists
* updated unit test case sensitivity
* moved expected tags to definitions.py
* removed expected prefixes
* revert downloadable updates JSON file
2023-06-23 10:44:55 -04:00
eric-forte-elastic
6449cecd08
[FR] Add support for building block rules (BBR) ( #2822 )
...
* added test bbr
* initial implementation
* Added Unit test and exempted bbr from integrations
* fixed linting
* Add schema validation to building block rules
* add separate error messages
* fixed linting
* Add testing bbr validation
* fixed linting
* Add default values
* fixed linting
* added defaults
* fixed linting
* cleaned up test rule
* removed .gitkeep
* read .gitkeep
* Switch to using validates_schema
* addressing some linting
* fixed linting
* Update detection_rules/schemas/definitions.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* add env variable check
* fix skip function
* updated name
* Update detection_rules/schemas/definitions.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Add bbr validation unit test
* Clean up comments
* fix linting
* Move convert time to utils
* Moved to rules_building_block
* Add check for only bbr in bbr dir
* fix linting
* additional linting fix
* Changed to bbr rule loader
* fixed bbr default
* Updated error messages and README
* fixed more linting
* Updating root level README
* Fixed convert_time_span calls
* fixed typo in unit test logic and updated txt
* fixed error message
* updated comment for clarity
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Updated validation methods for clarity
* fix docstring location
* Fixed typo
* updated error messages.
* removed excess whitespace
* Add per rule bypass
* Add single rule bypass
* Split unit tests
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-20 09:00:30 -04:00