* adding solution for historical rules in release package
* addressing flake errors
* format changes
* REVERT CHANGES - testing release-fleet workflow
* REVERTING CHANGES
* added historical flag for packaging to account for older branches
* addressing flake errors
* updated build for CI
* REMOVE: This is temporary to run a workflow from this branch
* updates to address requirements for contents
* reverting packages.yml
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed feedback and added click echo comments
* addressed flake errors and added some comments
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Updated for AND logic
* Added case for no package_intregrations
* Fixed linting
* Added unit test for new functionality
* Fixed linting
* Added valid query tests
* Add unit test for event.dataset
* Switched type calls to isinstance calls
* Removed unused stack validation call
* Added additional error type
* Fixed linting
* Cleaned up error handling
* fixed linting
* Added proper type hints
* Fixed typo in Unions
* Updated unit test with additional test cases
* Updated test_invalid_queries unit test
* Fixed linting
* Added kql to unit tests
* Updated tests
* Fixed error handling
* Fixed style issues
* updating integration manifests and schemas
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* initial changes to release fleet workflow and CLI
* changed the default value of package version for 8.8
* changed how true/false is passed into CLI command
* reverted changes to packages.yml
* adding new rule 'Google Workspace New OAuth Login from Custom Application'
* changed name and 'custom' to 'third-party'
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* updated non-ecs
* add promotion to rulemeta schema class and updated promotion rules
* add promotion to rulemeta schema class and updated promotion rules
* adjusted test_integration_tag and okta rule missing dataset
* fixed flake errors
* updated manifests and schemas to include cloud defend
* testing order of operations in workflow
* reverted testing order; adjusting secrets token
* adjusting secrets token
* changing checkout to v3
* removed token for testing workflow
* changed repo reference
* changing secret token
* reverting token changes
* removing master reference
* adjusted elastic-package installation
* changed path of integrations during install
* added integrations fetch run commands
* changed target branch to main, setup latest go
* changed token back to protections machine
* trying different secret for integrations PR creation
* created testing token for permission errors
* adjusted 'bump-pkg-versions' so minors are bumped if no previous pkg
* added bumping package versions as a step
* updated actions/upload-artifact to v3
* removed inaccurate comments; removed release-kibana workflow
* adjusted sequence of steps to bump packge version before build
* added a bump to major if it does not match packages.yml
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7
* newline in version lock file to start CI
* removed newline in version lock file
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
* adding preparations for 8.8 release
* addressed flake single new line error
* froze and updated API schemas
* updated get_intregration_manifests
* adjusted boolean in find_latest_integration_version
* removed custom semver and replaced with pypi
* updated beats.py version references
* updated bump-versions CLI command to use semver and change logic
* updated schemas __init__, test_version_lock and unstage incompatible rules CLI
* updated test_stack_schema_map in TestVersions unittest
* updated test_all_rules unit testing Version() references
* updated stack_compat.py for get_restricted_field references)
* updated version_lock.py Version() references
* updated docs.py Version() reference for parse_registry
* updated devtools.py Version() reference for trim-version-lock
* updated mixins.py Version() reference in validate_field_compatibility
* adjusted schemas.__init__ Version() reference in get_stack_schemas
* adjusted ecs.py Version() references
* adjusted integrations.py Version() references
* adjusted rule.py Version() references
* sorted imports
* replaced custom semver with pypi semver in unit test files
* addressed unit test and flake errors
* changed semver strings casted to version_lock.py
* fixed sorting in integrations.py
* updated bump-pkgs-versions CLI command
* adjusted semantic version in unstage-incompatible-rules command
* adjusted semver import to VersionInfo
* added semver 3 and adjusted import names
* added option_minor_and_patch parameter where version is major.minor
* updated bump-pkg-versions to always save to packages.yml
* removed leftover split call & updated find latest compatible version command
* updated integrations.py, version_lock.py and schemas.__init__.py
* changed fstring reference in downgrade function
* reverted formatting changes for detection_rules __init__.py
* added newline to detection_rules __init__.py
* adjusted finding latest_release for attack package logic
* adjusted unstage-incompatible-rules command logic comparing versions
* removing changes from misc.py related to auto-formatting
* adding newline to misc.py
* fixed bug in downgrade function calling decorators
* added semantic version validation on migrate decorator function
* added expected type returned from find_latest_integration_version in integrations.py
* add comment about stripped versions for version lock file
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6
* added newline in version lock file to trigger checks
* removed trailing newline from version lock file
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* initial commit with rule changes
* removed rule from version lock file to pass unit testing; adjusted rule file name
* adjusted maturity to development
* initial commit with changes to new terms validation
* adjusted validation to call KQLValidator for flattened ECS variable
* changed call to KQLValidator instead of super; validate from same variable
* removed testing rules
* removed commented line
* Version() called on all string versions prior to comparison logic
* adjusted assert error punctuation
* [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host
* Update non-ecs-schema.json
* Remove duplicated value on non-ecs-schema.json
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* adding support new_terms_fields and window_start_history
* adjusted rule.py to address flake errors
* added assertion error if history_window_start does not exist
* removed sample rule
* removed self.rule_id from DataValidator
* added new_terms to RuleType
* changed new terms to its own class in rule.py
* removed nonexisting function call in DataValidator class
* adjusted new_terms field value in dataclass
* changed literal type for history_window_start; view-rule working
* removing test TOML rule
* addressed flake errors for missing newlines
* added validation option and adjusted object referencing
* adjusted validation method call in post_validation
* addressed flake errors for multiple spaces
* added transform method to NewTermsRuleData class
* added validation for min stack version and new terms array length restraints
* added validation for unique new terms array
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* removed historywindowstart definition and adjusted subclass
* removed test rule from commit
* adjusted if/else for data transform method check
* adjusted stack-schema-map; validation method name
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* added assertion for history_window_start field value
* added variables for feature min stack and extended field min stack
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed flake errors for continuation line with same indent
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Terrance DeJesus