security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
133a0799cdf95a3f80fa934cc4a8ed11bc9c0a7c
sigma-rules/pyproject.toml
T
Isai 74d1715f6e [Rule Tuning] AWS EC2 User Data Retrieval for EC2 Instance (#4808) 
* [Rule Tuning] AWS EC2 User Data Retrieval for EC2 Instance

- changed execution window
- explicitly added flattened fields to query, to reduce wildcard usage
- added investigation fields
- changed new terms field to evaluate `user.name` over `aws.cloudtrail.user_identity.arn` so that only the role name for Assumed Role identitites is being evaluated instead of each individual session. This should greatly impact performance as most instances of this rule in telemetry is triggered by Assumed Roles.

* Apply suggestions from code review

* remove instanceId parameter

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-06-17 14:51:18 -04:00

68 lines
2.3 KiB
TOML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
[project]
name = "detection_rules"
version = "1.2.18"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Securitys Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
license = {file = "LICENSE.txt"}
keywords = ["Detection Rules", "Continuous Monitoring", "Data Protection", "Elastic", "Elastic Endgame", "Endpoint Security"]
classifiers = [
"Topic :: Software Development :: Build Tools",
"Operating System :: OS Independent",
"Programming Language :: Python :: 3",
"Programming Language :: Python :: 3.12",
"Topic :: Security",
"Topic :: Software Development :: Libraries :: Python Modules",
"Topic :: Software Development :: Libraries",
"Topic :: Software Development :: Testing",
"Topic :: Software Development",
"Topic :: Utilities"
]
dependencies = [
"Click~=8.1.7",
"elasticsearch~=8.12.1",
"eql==0.9.19",
"jsl==0.2.4",
"jsonschema>=4.21.1",
"marko==2.0.3",
"marshmallow-dataclass[union]~=8.6.0",
"marshmallow-jsonschema~=0.13.0",
"marshmallow-union~=0.1.15",
"marshmallow~=3.21.1",
"pywin32 ; platform_system=='Windows'",
"pytoml==0.1.21",
"PyYAML~=6.0.1",
"requests~=2.31.0",
"toml==0.10.2",
"typing-inspect==0.9.0",
"typing-extensions==4.10.0",
"XlsxWriter~=3.2.0",
"semver==3.0.2",
"PyGithub==2.2.0",
"detection-rules-kql @ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kql",
"detection-rules-kibana @ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kibana",
"setuptools==75.2.0"
]
[project.optional-dependencies]
dev = ["pep8-naming==0.13.0", "flake8==7.0.0", "pyflakes==3.2.0", "pytest>=8.1.1", "nodeenv==1.8.0", "pre-commit==3.6.2"]
hunting = ["tabulate==0.9.0"]
[project.urls]
"Homepage" = "https://github.com/elastic/detection-rules"
"Bug Reports" = "https://github.com/elastic/detection-rules/issues"
"Research" = "https://www.elastic.co/security-labs"
"Elastic" = "https://www.elastic.co"
[tool.setuptools]
package-data = {"kql" = ["*.g"]}
packages = ["detection_rules", "hunting"]
[tool.pytest.ini_options]
filterwarnings = [
"ignore::DeprecationWarning"
]
[build-system]
requires = ["setuptools", "wheel", "setuptools_scm"]
build-backend = "setuptools.build_meta"
Reference in New Issue View Git Blame Copy Permalink