50e23ba242
* updating python code for hunting library
* fixed okta queries; added MITRE search capability
* fixed hunting unit test imports
* fixed duplicate UUID; fixed duplicate index entry bug
* fixed technique finding sub-technique in search
* added more unit tests
* linted
* flake errors addressed; fixed unit test import; fixed markdown generate bug
* added description for generate-markdown command
* updated README
* adjusted YAML index, adjusted code for index changes
* adjusted relative imports; updated CODEOWNERS
* adding updates; moving to different branch for main dependencies
* finished run-query command; made some code adjustments
* removed some comments
* revised makefile; fixed unit tests; adjusted detection rules pyproject
* updated README
* updated README
* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands
* adjusted package to be more object-oriented
* removed unused variable
* Add simple breakdown stats
* addressed feedback; added keyword option for search
* Update hunting/README.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/etc/test_hunting_cli.bash
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* addressing feedback
* addressed feedback
* added message for unknown index; fixed function call
* fixed search command
* fixed flake error
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
1.7 KiB
Hunt: New - Guidelines
Welcome to the hunting folder within the detection-rules repository! This directory houses a curated collection of threat hunting queries designed to enhance security monitoring and threat detection capabilities using the Elastic Stack.
Documentation and Context
- Detailed description of the Hunt.
- Link related issues or PRs.
- Include references.
- Field Usage: Ensure standardized fields for compatibility across different data environments and sources.
Hunt Metadata Checks
- `author`: The name of the individual or organization authoring the rule.
- `uuid`: Unique UUID.
- `name` and `description` are descriptive and typo-free.
- `language`: The query language(s) used in the rule, such as `KQL`, `EQL`, `ES|QL`, `OsQuery`, or `YARA`.
- `query` is inclusive, not overly exclusive, considering performance for diverse environments.
- `integration` aligns with the `index`. Ensure updates if the integration is newly introduced.
- `notes` includes additional information regarding data collected from the hunting query.
- `mitre` matches appropriate technique and sub-technique IDs that the hunting query collects data for.
- `references` are valid URL links that include information relevant to the hunt or threat.
- `license`
Testing and Validation
- Evidence of testing and valid query usage.
- Markdown Generated: Run `python -m hunting generate-markdown` with specific parameters to ensure a markdown version of the hunting TOML files is created.
- Index Refreshed: Run `python -m hunting refresh-index` to refresh indexes.
- Run Unit Tests: Run `pytest tests/test_hunt_data.py` to run unit tests.