* Cleanup rule survey code
* default to only unique-ing on process name for lucene rules
* fix bug in kibana url parsing by removing redundant port from domain
* update search-alerts columns and nest fields
* fix rule.contents.data.index
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* add support for self-signed certs in es and kibana
* allow Kibana to auth against any providerType
* fix export-rules command
* fix kibana upload-rule command
* fix view-rule command
* fix validate-rule command
* fix search-rules command
* fix dev kibana-diff command
* fix dev package-stats command
* fix dev search-rule-prs command
* fix dev deprecate-rule command
* replace toml with pytoml to fix import-rules command
* use no_verify in get_kibana_client
* use Path for rule-file type in view-rule
* update schemas to resolve additionalProperties type bug
* fix missing unique_fields in package rule filter
* fix github pr loader
* Load gh rules as TOMLRule instead of dict
* remove unnecessary version insertion
* create new cli commands
* add kibana object to create_dnstwist_rule
* Adding code for index-dnstwist-results
* Changed es to es_client
* Tested. it works!
* flake8-ed
* Adding timestamps
* use eql.utils.load_dump to load json file
* rename data to dnstwist_data
* start working on create-dnstwist-rule command
* add print statements for user
* tweak formatting for line length
* add template threat match rule file
* continue working on threat match rule creation
* create rule using TomlRuleContents
* save rule to toml file
* Moving rule creation to eswrap.py
* Moving create dnstwist rule stuff to eswrap
* Fixed imports
* flake8 fixes
* More flake8 fixes
* fix usage of @add_client('kibana')
* use ctx.invoke to upload rule
* cleanup record assembly and use bulk api
* swap order of notes in `note` for sample rule
* small modifications
* move command to root click group
* remove unused click group
* Update detection_rules/main.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* remove rule upload and convert template to ndjson
* Adding docs for typosquatting rule
* renaming the file
* Adding a note
* separate index and rule prep commands
* Final changes
Co-authored-by: Apoorva <appujo@gmail.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>
* Add a RuleCollection object instead of a "loader" module
* Remove legacy loader code
* Remove more legacy loader
* Freeze the default collection
* Change RULE_LOADER default
* Rename to _toml_load_cache
* Use rglob magic
* Typo should've been a string
* Remove no longer needed glob import
* Fix pycharm import bad ordering
* Restore the detection_rules/schemas imports
* Put more imports back for a smaller diff
* Check cache in _deserialize_toml
* Add multi collection and single collection decorators
* Reorder RuleCollection methods
* Move filter method up
* [Rule Tuning] Add empty arrays in place of tactic only threat mappings
* dynamically insert empty technique array in payload
* use replace_id as function parameter
* Restructure commands under more specific click groups
* standardize CLI error handling
* add global debug options
* move es and kibana clients into their click groups
* move commands and groups to dedicated files
* distinguish variable names for better env/config parsing
Justin Ibarra