Terrance DeJesus
50e23ba242
* updating python code for hunting library * fixed okta queries; added MITRE search capability * fixed hunting unit test imports * fixed duplicate UUID; fixed duplicate index entry bug * fixed technique finding sub-technique in search * added more unit tests * linted * flake errors addressed; fixed unit test import; fixed markdown generate bug * added description for generate-markdown command * updated README * adjusted YAML index, adjusted code for index changes * adjusted relative imports; updated CODEOWNERS * adding updates; moving to different branch for main dependencies * finished run-query command; made some code adjustments * removed some comments * revised makefile; fixed unit tests; adjusted detection rules pyproject * updated README * updated README * adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands * adjusted package to be more object-oriented * removed unused variable * Add simple breakdown stats * addressed feedback; added keyword option for search * Update hunting/README.md Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update detection_rules/etc/test_hunting_cli.bash Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> * addressing feedback * addressed feedback * added message for unknown index; fixed function call * fixed search command * fixed flake error --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
30 lines
1.8 KiB
Markdown
30 lines
1.8 KiB
Markdown
## Hunt: Tuning - Guidelines
|
|
|
|
These guidelines serve as a reminder set of considerations when tuning an existing Hunt.
|
|
|
|
### Documentation and Context
|
|
|
|
- [ ] Detailed description of the suggested changes.
|
|
- [ ] Provide example JSON data or screenshots.
|
|
- [ ] Evidence of enhancing hunting results by either reducing false-positives or removing false-negatives.
|
|
- [ ] Evidence of specific environment factors influencing customized hunt tuning (Contextual Tuning).
|
|
- [ ] Evidence of refining hunts to better detect deviations from typical behavior (Behavioral Tuning).
|
|
- [ ] Field Usage: Ensure standardized fields for compatibility across different data environments and sources.
|
|
|
|
### Hunt Metadata Checks
|
|
|
|
- [ ] `author`: The name of the individual or organization authoring the rule.
|
|
- [ ] `name` and `description` are descriptive and typo-free.
|
|
- [ ] `language`: The query language(s) used in the rule, such as `KQL`, `EQL`, `ES|QL`, `OsQuery`, or `YARA`.
|
|
- [ ] `query` is inclusive, not overly exclusive. Review to ensure the original intent of the hunt is maintained.
|
|
- [ ] `integration` aligns with the `index`. Ensure updates if the integration is newly introduced.
|
|
- [ ] `notes` includes additional information (e.g., Triage and analysis investigation guides, timeline templates).
|
|
- [ ] `mitre` matches appropriate technique and sub-technique IDs that hunting query collect's data for.
|
|
- [ ] `references` are valid URL links that include information relevenat to the hunt or threat.
|
|
|
|
### Testing and Validation
|
|
|
|
- [ ] Evidence of testing and valid query usage.
|
|
- [ ] Markdown Generated: Run `python -m hunting generate-markdown` with specific parameters to ensure a markdown version of the hunting TOML files is created.
|
|
- [ ] Index Refreshed: Run `python -m hunting refresh-index` to refresh indexes.
|
|
- [ ] Run Unit Tests: Run `pytest tests/test_hunt_data.py` to run unit tests. |