security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
3fc34b86f215319039ee46bed42d987d671a1101
sigma-rules/detection_rules/schemas/v7_11.py
T
Justin Ibarra 3fc34b86f2 Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00

69 lines
2.4 KiB
Python
Raw Blame History

# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
"""Definitions for rule metadata and schemas."""
import jsl
from .v7_8 import Threat as Threat78, MITRE_URL_PATTERN
from .v7_10 import ApiSchema710
from ..attack import sub_technique_id_list
class Threat711(Threat78):
"""Threat framework mapping such as MITRE ATT&CK."""
class ThreatTechnique(Threat78.ThreatTechnique):
"""Patched threat.technique to add threat.technique.subtechnique."""
class ThreatSubTechnique(jsl.Document):
id = jsl.StringField(enum=sub_technique_id_list, required=True)
name = jsl.StringField(required=True)
reference = jsl.StringField(MITRE_URL_PATTERN.format(type='techniques') + r"[0-9]+/")
subtechnique = jsl.ArrayField(jsl.DocumentField(ThreatSubTechnique), required=False)
# override the `technique` field definition
technique = jsl.ArrayField(jsl.DocumentField(ThreatTechnique), required=False)
class ApiSchema711(ApiSchema710):
"""Schema for siem rule in API format."""
STACK_VERSION = "7.11"
threat = jsl.ArrayField(jsl.DocumentField(Threat711))
@classmethod
def downgrade(cls, target_cls, document, role=None):
"""Remove 7.11 additions from the rule."""
# ignore when this method is inherited by subclasses
if cls in (ApiSchema711, ApiSchema711.versioned()) and "threat" in document:
v711_threats = document.get("threat", [])
v710_threats = []
for threat in v711_threats:
# drop tactic without threat
if "technique" not in threat:
continue
threat = threat.copy()
threat["technique"] = [t.copy() for t in threat["technique"]]
# drop subtechniques
for technique in threat["technique"]:
technique.pop("subtechnique", None)
v710_threats.append(threat)
document = document.copy()
document.pop("threat")
# only add if the array is not empty
if len(v710_threats) > 0:
document["threat"] = v710_threats
# now strip any any unrecognized properties
return target_cls.strip_additional_properties(document, role)
Reference in New Issue View Git Blame Copy Permalink