Isai
bf1dc2547f
* [Rule Tunings] AWS SSM Command Document Created by Rare User ## AWS SSM Command Document Created by Rare User Rule executes as expected and has very few alerts in telemetry. However, it is one of the rules timing out occasionally. - reduced execution window - reduced new terms history window - replaced wildcards with the flattened field in the query, which should improve performance - replaced `aws.cloudtrail.user_identity.arn` with combination of `cloud.account.id` and `user.name` to account for Assumed Roles. This will only evaluate the role instead of each individual role session, which will improve performance. - added investigation fields - corrected tags - added mitre technique ## AWS SSM `SendCommand` Execution by Rare User" - added investigation fields - added tag * update pyproject.toml update pyproject.toml version
68 lines
2.3 KiB
TOML
68 lines
2.3 KiB
TOML
[project]
|
||
name = "detection_rules"
|
||
version = "1.2.26"
|
||
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
|
||
readme = "README.md"
|
||
requires-python = ">=3.12"
|
||
license = {file = "LICENSE.txt"}
|
||
keywords = ["Detection Rules", "Continuous Monitoring", "Data Protection", "Elastic", "Elastic Endgame", "Endpoint Security"]
|
||
classifiers = [
|
||
"Topic :: Software Development :: Build Tools",
|
||
"Operating System :: OS Independent",
|
||
"Programming Language :: Python :: 3",
|
||
"Programming Language :: Python :: 3.12",
|
||
"Topic :: Security",
|
||
"Topic :: Software Development :: Libraries :: Python Modules",
|
||
"Topic :: Software Development :: Libraries",
|
||
"Topic :: Software Development :: Testing",
|
||
"Topic :: Software Development",
|
||
"Topic :: Utilities"
|
||
]
|
||
dependencies = [
|
||
"Click~=8.1.7",
|
||
"elasticsearch~=8.12.1",
|
||
"eql==0.9.19",
|
||
"jsl==0.2.4",
|
||
"jsonschema>=4.21.1",
|
||
"marko==2.0.3",
|
||
"marshmallow-dataclass[union]~=8.6.0",
|
||
"marshmallow-jsonschema~=0.13.0",
|
||
"marshmallow-union~=0.1.15",
|
||
"marshmallow~=3.21.1",
|
||
"pywin32 ; platform_system=='Windows'",
|
||
"pytoml==0.1.21",
|
||
"PyYAML~=6.0.1",
|
||
"requests~=2.31.0",
|
||
"toml==0.10.2",
|
||
"typing-inspect==0.9.0",
|
||
"typing-extensions==4.10.0",
|
||
"XlsxWriter~=3.2.0",
|
||
"semver==3.0.2",
|
||
"PyGithub==2.2.0",
|
||
"detection-rules-kql @ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kql",
|
||
"detection-rules-kibana @ git+https://github.com/elastic/detection-rules.git#subdirectory=lib/kibana",
|
||
"setuptools==75.2.0"
|
||
]
|
||
[project.optional-dependencies]
|
||
dev = ["pep8-naming==0.13.0", "flake8==7.0.0", "pyflakes==3.2.0", "pytest>=8.1.1", "nodeenv==1.8.0", "pre-commit==3.6.2"]
|
||
hunting = ["tabulate==0.9.0"]
|
||
|
||
[project.urls]
|
||
"Homepage" = "https://github.com/elastic/detection-rules"
|
||
"Bug Reports" = "https://github.com/elastic/detection-rules/issues"
|
||
"Research" = "https://www.elastic.co/security-labs"
|
||
"Elastic" = "https://www.elastic.co"
|
||
|
||
[tool.setuptools]
|
||
package-data = {"kql" = ["*.g"]}
|
||
packages = ["detection_rules", "hunting"]
|
||
|
||
[tool.pytest.ini_options]
|
||
filterwarnings = [
|
||
"ignore::DeprecationWarning"
|
||
]
|
||
|
||
[build-system]
|
||
requires = ["setuptools", "wheel", "setuptools_scm"]
|
||
build-backend = "setuptools.build_meta"
|