security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,077 Commits 1 Branch 0 Tags
2bf7df189063136ce17977510bc85f56ebbd622d
Commit Graph

21 Commits

Author SHA1 Message Date
Eric Forte 2bd230ff60 [Bug] Query validation failing to capture InSet edge case with ip field types (#3572) 
* Move test case to separate file

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit a4a0bc6a7e)
 2024-05-06 12:07:00 +00:00
Eric Forte dee8c947de Update default (#3574) 
(cherry picked from commit fbb6df506e)
 2024-04-05 00:35:15 +00:00
Eric Forte 72ba0b16a9 [Bug] KQL fails validation on uppercase keywords (#3568) 
* add todo

* Add a normalize_kql_keywords function to utils

* update rule loader to normalize and warn

* optimized loading

* fix linting

* Moved conversion to kql module.

* Updated unit test

* Refactor KQL parser to normalize keywords via flag

* Fix logic typo

* Update detection_rules/utils.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update lib/kql/kql/__init__.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Updated to fix unit tests and remove warnings

* linting typo

* Added comments

* remove unused imports

* Update kql.parse default

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 1566c29bae)
 2024-04-04 22:10:57 +00:00
Mika Ayenson 2af0c64945 [FR] Add support for dataviews in the rule schema (#3510) 
(cherry picked from commit 8724077a0e)
 2024-03-14 22:48:44 +00:00
Mika Ayenson 2312455d7a [FR] Skip eql optimizations on parsing query for unique fields (#3443) 
(cherry picked from commit 542053719b)
 2024-02-21 02:31:01 +00:00
Mika Ayenson 8a80d74136 [FR] Update Validate Integrations to Check Fields Across All Schema Variations (#3372) 
(cherry picked from commit a873abbb5b)
 2024-01-18 21:47:51 +00:00
Mika Ayenson 53f924d52e [FR] Add Support for ES|QL Rule Type and Remote Validation (#3281) 
* add suuport for esql type
* add unit tests
* set clients in RemoteConnector from auth methods
* thread remote rules; add engine test
* Add versions to remote validation results

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 7514c0a206)
 2023-12-08 19:52:16 +00:00
Terrance DeJesus 7df6661596 Adjust ESQLRuleData to Inherit QueryRuleData Dataclass (#3297) 
* adjusting inheritance of ESQL rule data

* update tests to handle missing index from QueryRuleData

* removed test es|ql rule

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

(cherry picked from commit 5358361754)
 2023-11-30 14:12:26 +00:00
Mika Ayenson 53c4ff1fdc FR] Add Core Support for ES|QL Rule Type (#3292) 
(cherry picked from commit bc39c20eaf)
 2023-11-28 19:08:40 +00:00
Mika Ayenson 20de1d8d1d [FR] Add support for samples in eql 0.9.18 (#3000) 2023-09-07 09:01:28 -05:00
Terrance DeJesus 9f29129585 [FR] Add EQL Rule Type Configuration Fields (#2918) 
* adding initial EQL fields to EQLRuleData

* added validation

* adjusted validation

* fixed flake errors

* adjusted type linting; variable names

* added a min_compat to EQL Rule fields

* Update detection_rules/rule_validators.py

* Update detection_rules/rule_validators.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-07-13 11:20:14 -04:00
Terrance DeJesus 73970eb2f2 [FR] Add Support for Multi-Fields and Validation in Rules (#2882) 2023-06-28 20:35:33 -04:00
eric-forte-elastic 8ef2f6557b Patch to allow integration validation if ECS/beats fails (#2701) 
* Updated for AND logic

* Added case for no package_intregrations

* Fixed linting

* Added unit test for new functionality

* Fixed linting

* Added valid query tests

* Add unit test for event.dataset

* Switched type calls to isinstance calls

* Removed  unused stack validation call

* Added additional error type

* Fixed linting

* Cleaned up error handling

* fixed linting

* Added proper type hints

* Fixed typo in Unions

* Updated unit test with additional test cases

* Updated  test_invalid_queries unit test

* Fixed linting

* Added kql to unit tests

* Updated tests

* Fixed error handling

* Fixed style issues

* updating integration manifests and schemas

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-04-18 15:43:35 -04:00
Mika Ayenson 60115443a4 Validate against beats and integrations schemas (#2524) 2023-02-08 12:01:31 -05:00
Mika Ayenson 1784429aa7 [FR] Add Integration Schema Query Validation (#2470) 2023-02-02 16:22:44 -05:00
Mika Ayenson aa8239652d [FR] Add endgame schema validation to detection-rule query (#2257) 2022-10-19 09:54:47 -04:00
Mika Ayenson c76a397969 Add new required_fields as a build-time restricted field (#2059) 
* Add new `require_field` restricted field
* validate new fields against BaseRuleData schema and global constant

Co-authored-by: Terrance DeJesus <terrance.dejesus@elastic.co>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2022-07-06 11:49:44 -04:00
Mika Ayenson 1f015ebe85 1554 update eql schemas to fail validation on text fields (#1866) 
* Ensure kql2eql conversion doesnt support `text` fields

* Add unit test cases for`text` not supported in eql

* test `field not recognized` in the rule_validator and output a verbose message.

* use elasticsearch_type_family to lookup text mappings

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-03-23 16:22:26 -04:00
Justin Ibarra 2e78da5c9a Prepare for creation of 8.1 branch (#1700) 2022-01-25 18:11:59 -09:00
Justin Ibarra 781953a0a0 Add min_stack_version to rule metadata (#1173) 
* Add min_stack_version to metadata of rule structure
* validate all "stack versions" between defined and current package
* Use master schemas if min_stack_version > current_package

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-06-30 13:26:27 -08:00
Ross Wolf 8789dd7c90 Separate out query validation from the class hierarchy (#1136) 
* Separate out query validation from the class hierarchy
* Rename to *RuleData for consistency
* Apply suggestions from code review
* Fix lint error
 2021-04-21 14:55:26 -06:00