sigma-rules/detection_rules/schemas/v7_11.py
Ross Wolf c0af222e7e Move Rule into a dataclass (#1029)
* WIP: Convert Rule to a dataclass
* Fix make release
* Lint fixes
* Remove dead code
* Fix lint and tests
* Use Python 3.8 in GitHub actions
* Update README to 3.8+
* Add Python 3.8 assertion
* Fix is_dirty property
* Remove incorrect pop from contents
* Add mixin with from_dict() and to_dict() methods
* Bypass validation for deprecated rules
* Fix rule_prompt
* Fix dict_hash usage
* Fix rule_event_search
* Switch to definitions.Date
* Fix toml-lint command, ignoring 'unneeded defaults'
* Moved severity Literal to definitions.Severity
* Remove BaseMarshmallowDataclass
* Fix lint and tests
* Add maturity to metadata for rule prompt loop
* Fix typo in devtools
* Use rule loader to load single rule in toml-lint
* Add Schema hint to __schema method
* Add MITREAttackURL definition
* Fix is_dirty to compare sha<-->sha
* Normalize the autoformatted rule output for API and toml-lint
* Make the package hash match
* Make the rule object mutable but not rule contents
* Restore the rules
2021-03-24 10:24:32 -06:00


# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
"""Definitions for rule metadata and schemas."""
import jsl
from .v7_8 import Threat as Threat78
from .definitions import SUBTECHNIQUE_URL
from .v7_10 import ApiSchema710
from ..attack import sub_technique_id_list
class Threat711(Threat78):
    """Threat framework mapping such as MITRE ATT&CK.

    Extends the 7.8 threat document so that each technique may carry a
    ``subtechnique`` array; every other field is inherited from ``Threat78``.
    """

    class ThreatTechnique(Threat78.ThreatTechnique):
        """Patched threat.technique to add threat.technique.subtechnique."""

        class ThreatSubTechnique(jsl.Document):
            """A single ATT&CK sub-technique entry nested under a technique."""
            # `id` is constrained to the known sub-technique ids and
            # `reference` to the sub-technique URL pattern, so a rule cannot
            # claim a mapping that does not exist in the ATT&CK data
            id = jsl.StringField(enum=sub_technique_id_list, required=True)
            name = jsl.StringField(required=True)
            reference = jsl.StringField(pattern=SUBTECHNIQUE_URL)

        subtechnique = jsl.ArrayField(jsl.DocumentField(ThreatSubTechnique), required=False)

    # override the `technique` field definition
    technique = jsl.ArrayField(jsl.DocumentField(ThreatTechnique), required=False)
class ApiSchema711(ApiSchema710):
    """Schema for siem rule in API format."""
    STACK_VERSION = "7.11"

    threat = jsl.ArrayField(jsl.DocumentField(Threat711))

    @classmethod
    def downgrade(cls, target_cls, document, role=None):
        """Remove 7.11 additions from the rule.

        The conversion is lossy: sub-techniques are dropped from every
        technique, and threat entries that carry only a tactic are dropped
        entirely. The input ``document`` is not mutated; a copy is built
        whenever anything has to change. Whatever the target schema does not
        recognise is finally removed by ``target_cls.strip_additional_properties``.
        """
        # ignore when this method is inherited by subclasses
        applies_here = cls in (ApiSchema711, ApiSchema711.versioned())
        if applies_here and "threat" in document:
            kept = []
            for entry in document.get("threat", []):
                # a tactic with no technique has nothing the older schema can carry
                if "technique" not in entry:
                    continue
                techniques = []
                for technique in entry["technique"]:
                    technique = technique.copy()
                    # sub-techniques only exist from 7.11 onwards
                    technique.pop("subtechnique", None)
                    techniques.append(technique)
                entry = entry.copy()
                entry["technique"] = techniques
                kept.append(entry)
            document = document.copy()
            document.pop("threat")
            # only add if the array is not empty
            if kept:
                document["threat"] = kept
        # now strip any unrecognized properties
        return target_cls.strip_additional_properties(document, role)