Eric Forte
7604c20d9e
[FR] Add ESQL rules to dataset exception (#5249)
* Add ESQL rules to dataset exception
* Add unit test
2025-10-27 11:03:48 -04:00
shashank-elastic
9345e0ec27
Add unit test for protected prebuilt-rules (#5242)
2025-10-24 19:15:52 +05:30
Eric Forte
566242772f
Remove toml filtering for branches (#5243)
2025-10-23 12:53:15 -04:00
github-actions[bot]
b9b8e24514
Lock versions for releases: 8.19,9.0,9.1,9.2 (#5234)
2025-10-17 22:10:05 +05:30
shashank-elastic
818978975d
Prep 9.2 (#5231)
2025-10-17 21:01:13 +05:30
Sergey Polzunov
c7246313f7
feat: ESQL query validation against Elastic cluster (#4955)
* Add remote ESQL validation
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-10-15 15:17:07 -04:00
Eric Forte
a5c100a65b
[Bug] Add unit tests and fix Alert Suppression schema validation for ThresholdQueryRuleData (#5196)
* Add schema validation for AlertSuppressionMapping
* Add support for indicator match alert suppression
* Add unit tests
* Update order and remove validates_schema method
* Add comments
* Add test for query rule duration only
2025-10-09 16:21:21 -04:00
shashank-elastic
ebb7bb5bce
Update Package Category (#5192)
2025-10-08 19:26:11 +05:30
github-actions[bot]
49637fbfc7
Lock versions for releases: 8.18,8.19,9.0,9.1 (#5188)
2025-10-06 22:14:15 +05:30
shashank-elastic
3397b7e707
Monthly Schema Updates (#5187)
2025-10-06 21:39:14 +05:30
Eric Forte
7410ec7db9
[Rule Tuning] Updated ESQL Rules Based on Validation Results (#5151)
* Updated ESQL rules based on validation results
* Patch bump
* Updated regex patterns
* added missing azure fields to non-ecs-schema.json; adjusted okta query logic to use LIKE instead of RLIKE
* fixed incorrect field in non-ecs-schema.json; changed logs-azure.signinlogs* sightings to logs-azure.signinlogs-*
* Add and
* Additional non-ecs fields
* Add EOF
* Add kibana.alert.rule.name
* removed azure.platforlogs.identity.claim.objectid; updated query for 'c07f7898-5dc3-11f0-9f27-f661ea17fbcd'
* Field removed from query removing from keep
* Patch Bump
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-09-30 00:36:29 -04:00
Eric Forte
42be8bc8ba
[Bug] Add Required to the Annotation (#5159)
* Add Required to the Annotation
* Additional required fields
* remove nonempty string validation
* Required Types via Annotated and Dataclass
* remove space
* Remove inline comment
* Switch to getting a list
* Fix typo and sort
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-09-29 18:30:50 -04:00
shashank-elastic
e147188939
Add SIEM package category (#5128)
2025-09-18 19:15:53 +05:30
Eric Forte
80c01cf665
[Bug] Annotated Fields Ignored (#5125)
* Add Note for stop gap
2025-09-17 17:34:42 -04:00
github-actions[bot]
8f79d58f3f
Lock versions for releases: 8.18,8.19,9.0,9.1 (#5123)
2025-09-16 19:56:59 +05:30
Eric Forte
99ebad576b
Added handling for unauth error (#5115)
2025-09-16 18:25:10 +05:30
Eric Forte
b2b9d677c7
[Bug] Github Gist API Now Requires Auth (#5119)
* Add headers to public call
2025-09-16 08:18:48 -04:00
elastic-renovate-prod[bot]
39b6f19eb9
Pin dependencies (#5086)
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2025-09-12 22:46:24 +05:30
Mika Ayenson, PhD
f0f7d217c0
[FR] Refactor Schema Validation & Support Multi-Dataset Sequence Validation (#5059)
2025-09-10 13:11:04 -05:00
shashank-elastic
6adee51410
Fix Ruff failures (#5083)
2025-09-10 22:24:07 +05:30
shashank-elastic
a6dfd2c0e1
Add test_min_stack_version_supported testcase (#5077)
2025-09-10 20:12:36 +05:30
Mika Ayenson, PhD
35b000b7ab
[FR] Add negate DOES NOT MATCH capability to IM rule type (>=9.2) (#5041)
2025-09-09 10:58:53 -05:00
Eric Forte
cbb892b4bc
[Bug] Incorrect Integrations Schema Parsing for Nested Fields (#5058)
* Add proper handling for nested fields
* Updated schemas
* bump patch
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-09-04 14:12:33 -04:00
Mika Ayenson, PhD
3c1de72f6b
[FR] Add support for 5 group_by fields in threshold rules (>=9.2) (#5040)
2025-09-04 09:24:36 -05:00
github-actions[bot]
f2291e0261
Lock versions for releases: 8.18,8.19,9.0,9.1 (#5049)
2025-09-01 23:19:12 +05:30
shashank-elastic
93ac471574
Monthly Schema Updates (#5046)
2025-09-01 20:42:42 +05:30
shashank-elastic
ee70674e2c
Add all rule types DaC testing (#4969)
2025-08-20 19:04:57 +05:30
Eric Forte
dde448ee6b
[Bug] Rule Toml Write Formatting Wrongly Formats \\\\x (#4978)
* Fix rule and mitigate py toml
* Bump patch version
* Add reference to issue
* Add unit test for path issues
* Update comment
* Certain strings were not properly escaped
* Updated to use json instead of repr
* replace _old_dump_str with json.dumps
* Bump Version
2025-08-18 17:03:51 -04:00
github-actions[bot]
fb76ec1b2d
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4991)
2025-08-18 22:36:37 +05:30
github-actions[bot]
154283f457
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4963)
2025-08-06 08:58:16 +05:30
Eric Forte
a726da5e83
[Bug] [DAC] Custom Rules Filter Discrepancy on Stacks Upgraded to 8.18 (#4945)
* Update Custom Rules KQL
* Bump Patch Version
* Update detection_rules/kbwrap.py
Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
* Use or instead of and
* Bump patch version
* Fix results len typo
---------
Co-authored-by: Marshall Main <55718608+marshallmain@users.noreply.github.com>
2025-08-05 09:42:25 -04:00
github-actions[bot]
c210a88b1f
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4960)
2025-08-04 22:37:59 +05:30
shashank-elastic
2c2b15368c
Update latest integration manifests and schema and investigation guides (#4957)
2025-08-04 19:30:01 +05:30
Sergey Polzunov
ff46a7ab4a
fix: Allow different order of the metadata fields in ESQL queries (#4956)
* Initial commit
* Python project version bump
2025-08-02 02:26:39 +02:00
Eric Forte
a9ad66935c
[FR] [DAC] Add Arbitrary File location Support for Local Creation Date (#4915)
* Add support for local file contents
* Update Rule Params
* Update CLI docs
* Update to Pathlib
* Format updating
* Delete duplicate
* Update logic to handle just local_contents path
* Update to Glob Based Approach
* Updated to use RawRuleCollection
* Fix Logging Typo
* New utils functions no longer needed
* Update naming for convention
2025-07-31 14:35:00 -04:00
Eric Forte
bf3071d3d1
[FR] Add white space checking for KQL parse (#3789)
* Add whitespace checking for KQL parse
* Add unit test for blank space check
* Bump patch version
* Add test cases for newline blank space
* Add additional unit tests
* Update to only walk tree once
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-07-31 14:23:53 -04:00
Mika Ayenson, PhD
1dc3926203
[New Rules] External Promotion Alerts (#4903)
2025-07-31 11:00:50 -05:00
Mika Ayenson, PhD
f2fac1bc48
[FR] [DAC] Add existing mitre threat information on import (#4948)
2025-07-31 09:44:09 -05:00
github-actions[bot]
f348e92f06
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4926)
2025-07-22 21:19:44 +05:30
Eric Forte
0cb1e596b3
[Bug] [DAC] Kibana Export Rules Rule Name Filter Exports All Rules (#4917)
* Add check for not rule_id
2025-07-22 11:32:17 -04:00
github-actions[bot]
3bec392e66
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4924)
2025-07-22 18:10:32 +05:30
github-actions[bot]
b3c681e475
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4922)
2025-07-22 12:50:27 +05:30
shashank-elastic
bbdde20f7b
Fix variable usage impacting schema build performance (#4910)
2025-07-15 21:20:30 +05:30
Sergey Polzunov
c0631d2df2
fix: Better aligning prompt behaviour with jsonschema types (#4894)
* Check for `["array"]` in addition to `"array"`
* version bump
* Exclude non-ecs-schema.json from CI check
2025-07-11 07:10:47 -05:00
Marc-Antoine Leclercq
1b12ecff87
Clarify authentication settings to Kibana related to #4495 (#4819)
* Update CLI.md
Removing mentions of kibana_user and kibana_password since #4495 removed them entirely.
* Bump patch version
* Bump patch version
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2025-07-10 15:21:01 -04:00
Eric Forte
03f977246f
[FR] Updates to KQL Lib Parsing and Install (#3605)
* Bump Version
* updated
* Bump patch version
* Optimization should only occur on single values
* Wildcard semantically equivalent to query_string*
* Add unit test for optimization
* Move code-checks to yml
* Add tests path to code-checks
* Add lib path for code-checks
* Install deps from local
* Update DSL optimization unit test
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-07-10 15:03:08 -04:00
dependabot[bot]
932163e9cd
Bump setuptools from 75.2.0 to 78.1.1 and lock marshmallow-dataclass[union] to 8.6.1 (#4730)
* Bump setuptools from 75.2.0 to 78.1.1
Bumps [setuptools](https://github.com/pypa/setuptools) from 75.2.0 to 78.1.1.
- [Release notes](https://github.com/pypa/setuptools/releases)
- [Changelog](https://github.com/pypa/setuptools/blob/main/NEWS.rst)
- [Commits](https://github.com/pypa/setuptools/compare/v75.2.0...v78.1.1)
---
updated-dependencies:
- dependency-name: setuptools
dependency-version: 78.1.1
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
* Bump Package Version
---------
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2025-07-09 18:08:31 -04:00
Eric Forte
898be50e95
[Bug] Fix Filter Support for Import Rules (#4852)
* Fix Filter Support for Import Rules
* Patch Bump
* Update Remove CLI Test Script
* Ruff formatting
2025-07-09 10:07:42 -04:00
github-actions[bot]
52a3652965
Lock versions for releases: 8.18,8.19,9.0,9.1 (#4887)
2025-07-08 15:05:39 +05:30
shashank-elastic
9b292b97ea
Prep 8.19/9.1 (#4869)
* Prep 8.19/9.1 Release
* Download Beats Schema
* Download API Schema
* Download 8.18.3 Beats Schema
* Download Latest Integrations manifest and schema
* Comment old schemas
* Update Patch version
2025-07-07 11:27:48 -04:00