security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,703 Commits 1 Branch 0 Tags
ba16e27edb87b8613dd7ddccabe3a7dc77a2bbdf
Commit Graph

20 Commits

Author SHA1 Message Date
Eric Forte 2d2c5b4d88 [Bug] Update Custom Rules Markdown Location (#4565) 
* Update to custom-rules markdown location

* bump version

* Update link reference
 2025-03-26 10:00:52 -04:00
Eric Forte eadcd9d3e0 [FR] Add Env Var DR_CLI_MAX_WIDTH and DaC Docs Updates (#4518) 
* Add Env Var DR_CLI_MAX_WIDTH

* Version Bump

* Update limit from 120 to 240

* Clean references to reference main

* Update Readme with DaC Info

* Add DaC to Table of Contents

* Bump Patch Version

* Updated naming and add dac md

* Organize Imports

* Deprecate upload-rule

* Update docs/detections-as-code.md

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* move docs to docs-dev

* Sort custom rules imports

* Remove duplicate

* Fix typo

* Bump Patch Version

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
 2025-03-10 12:59:12 -04:00
Sergey Polzunov 3bdda091e1 chore: use docs-dev instead of docs dir for docs (#4522) 
* chore: use `docs-dev` instead of `docs` folder

* patch version bump

* Rollback an incorrect rename

* Use exact docs dir in the helper comment

* Revert some overeager renamings

* Moving `docs` to `docs-dev`

* Update Docs Paths

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2025-03-07 14:34:51 +01:00
Eric Forte 4b8676c586 [Bug] [DaC] Fix Typo in CLI.md (#4491) 
* Fix Typo in CLI.md
 2025-02-24 10:15:19 -05:00
Eric Forte 47d7a3acaa [DaC] Beta Release (#3889) 
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
 2024-08-06 18:07:12 -04:00
Justin Ibarra 361e97a256 [FR] Add API auth to Kibana module (#3815) 
* [FR] Add API auth to Kibana module

* update make file to properly install all deps

* Bump Kibana Version

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
 2024-07-11 17:19:41 -04:00
Mika Ayenson 78837549e8 [FR] Bundle KQL & Kibana libs into base dependencies (#3662) 2024-05-13 14:29:03 -05:00
Justin Ibarra c567d3731a Refresh Kibana module with API updates (#3466) 
* Refresh Kibana module with API updates
* add import/export commands
* rename repo commands
* add RawRuleCollection and DictRule objects
* save exported rules to files; rule.from_rule_resource
* strip unknown fields in schema
* add remote cli test
* update docs
* bump kibana lib version

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2024-04-26 11:12:50 -06:00
Mika Ayenson b6a7e7ebda [FR] Add required-fields option to import-rules (#3546) 2024-03-28 18:29:47 -05:00
Mika Ayenson a808130390 Cleanup saved_query references (#3205) 2023-10-26 18:07:33 -05:00
eric-forte-elastic 4828ae07df [FR] Added asset tag to expected tags (#3115) 
* Added asset tag to expected tags

* removed *

* Add regex wildcard tag support

* Updated tag format test location

* Updated to use env variable

* fixed typo
 2023-09-28 14:09:05 -04:00
eric-forte-elastic 6449cecd08 [FR] Add support for building block rules (BBR) (#2822) 
* added test bbr

* initial implementation

* Added Unit test and exempted bbr from integrations

* fixed linting

* Add schema validation to building block rules

* add separate error messages

* fixed linting

* Add testing bbr validation

* fixed linting

* Add default values

* fixed linting

* added defaults

* fixed linting

* cleaned up test rule

* removed .gitkeep

* read .gitkeep

* Switch to using validates_schema

* addressing some linting

* fixed linting

* Update detection_rules/schemas/definitions.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* add env variable check

* fix skip function

* updated name

* Update detection_rules/schemas/definitions.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Add bbr validation unit test

* Clean up comments

* fix linting

* Move convert time to utils

* Moved to rules_building_block

* Add check for only bbr in bbr dir

* fix linting

* additional linting fix

* Changed to bbr rule loader

* fixed bbr default

* Updated error messages and README

* fixed more linting

* Updating root level README

* Fixed convert_time_span calls

* fixed typo in unit test logic and updated txt

* fixed error message

* updated comment for clarity

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Updated validation methods for clarity

* fix doctring location

* Fixed typo

* updated error messages.

* removed excess whitespace

* Add per rule bypass

* Add single rule bypass

* Split unit tests

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-20 09:00:30 -04:00
Justin Ibarra 411ec36ff0 Validate markdown plugin fields (#2602) 2023-03-28 09:17:50 -04:00
Mika Ayenson a52751494e 2058 add setup field to metadata (#2061) 
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2022-07-18 15:41:32 -04:00
Mika Ayenson 4ef1a1a627 Update cli documentation for search-alerts (#2051) 
* Add cli documentation for search-alerts and table fields
 2022-06-24 09:58:58 -04:00
Ross Wolf 6ed1a39efe Add a RuleCollection object instead of a "loader" module (#1063) 
* Add a RuleCollection object instead of a "loader" module
* Remove legacy loader code
* Remove more legacy loader
* Freeze the default collection
* Change RULE_LOADER default
* Rename to _toml_load_cache
* Use rglob magic
* Typo should've been a string
* Remove no longer needed glob import
* Fix pycharm import bad ordering
* Restore the detection_rules/schemas imports
* Put more imports back for a smaller diff
* Check cache in _deserialize_toml
* Add multi collection and single collection decorators
* Reorder RuleCollection methods
* Move filter method up
 2021-04-05 14:23:37 -06:00
Justin Ibarra 56dc4745b5 Add export-rules command (#639) 
* Add export-rule command to CLI
* add `export` method to packaging class
 2021-02-08 20:43:16 -09:00
Justin Ibarra ad4a2ef0eb Add test commands to search and survey rule hits (#485) 2020-11-17 13:08:00 -09:00
Justin Ibarra bd680a2bd4 Re-organize commands under more specific click groups (#356) 
* Restructure commands under more specific click groups
* standardize CLI error handling
* add global debug options
* move es and kibana clients into their click groups
* move commands and groups to dedicated files 
* distinguish variable names for better env/config parsing
 2020-10-07 12:15:33 -08:00
Justin Ibarra 28c869fb5f Expand documentation on CLI and workflows (#130) 2020-08-18 14:27:51 -05:00