Terrance DeJesus
50e23ba242
* updating python code for hunting library * fixed okta queries; added MITRE search capability * fixed hunting unit test imports * fixed duplicate UUID; fixed duplicate index entry bug * fixed technique finding sub-technique in search * added more unit tests * linted * flake errors addressed; fixed unit test import; fixed markdown generate bug * added description for generate-markdown command * updated README * adjusted YAML index, adjusted code for index changes * adjusted relative imports; updated CODEOWNERS * adding updates; moving to different branch for main dependencies * finished run-query command; made some code adjustments * removed some comments * revised makefile; fixed unit tests; adjusted detection rules pyproject * updated README * updated README * adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands * adjusted package to be more object-oriented * removed unused variable * Add simple breakdown stats * addressed feedback; added keyword option for search * Update hunting/README.md Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update detection_rules/etc/test_hunting_cli.bash Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com> * addressing feedback * addressed feedback * added message for unknown index; fixed function call * fixed search command * fixed flake error --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
31 lines
1.7 KiB
Markdown
31 lines
1.7 KiB
Markdown
## Hunt: New - Guidelines
|
|
|
|
Welcome to the `hunting` folder within the `detection-rules` repository! This directory houses a curated collection of threat hunting queries designed to enhance security monitoring and threat detection capabilities using the Elastic Stack.
|
|
|
|
### Documentation and Context
|
|
|
|
- [ ] Detailed description of the Hunt.
|
|
- [ ] Link related issues or PRs.
|
|
- [ ] Include references.
|
|
- [ ] Field Usage: Ensure standardized fields for compatibility across different data environments and sources.
|
|
|
|
### Hunt Metadata Checks
|
|
|
|
- [ ] `author`: The name of the individual or organization authoring the rule.
|
|
- [ ] `uuid`: Unique UUID.
|
|
- [ ] `name` and `description` are descriptive and typo-free.
|
|
- [ ] `language`: The query language(s) used in the rule, such as `KQL`, `EQL`, `ES|QL`, `OsQuery`, or `YARA`.
|
|
- [ ] `query` is inclusive, not overly exclusive, considering performance for diverse environments.
|
|
- [ ] `integration` aligns with the `index`. Ensure updates if the integration is newly introduced.
|
|
- [ ] `notes` includes additional information regarding data collected from the hunting query.
|
|
- [ ] `mitre` matches appropriate technique and sub-technique IDs that hunting query collect's data for.
|
|
- [ ] `references` are valid URL links that include information relevenat to the hunt or threat.
|
|
- [ ] `license`
|
|
|
|
### Testing and Validation
|
|
|
|
- [ ] Evidence of testing and valid query usage.
|
|
- [ ] Markdown Generated: Run `python -m hunting generate-markdown` with specific parameters to ensure a markdown version of the hunting TOML files is created.
|
|
- [ ] Index Refreshed: Run `python -m hunting refresh-index` to refresh indexes.
|
|
- [ ] Run Unit Tests: Run `pytest tests/test_hunt_data.py` to run unit tests.
|