Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DaC] [FR] End to end testing and feedback improvements #3949

Merged
merged 25 commits into from
Aug 5, 2024
Merged

[DaC] [FR] End to end testing and feedback improvements #3949

merged 25 commits into from
Aug 5, 2024

Conversation

eric-forte-elastic
Copy link
Contributor

@eric-forte-elastic eric-forte-elastic commented Aug 1, 2024
edited
Loading

Pull Request

Issue link(s):

Summary - What I changed

Please merge #3955 into this PR before merging to main

This PR adds the ability to specify a config variable to auto generate a custom schema file for any missing non-ecs fields. To trigger this behavior add the following line to your _config.yaml

auto_gen_schema_file: <path_to_schema_json_file>

I addition, there are a number of other minor fixes/updates to the import-rules-to-repo process including:

  • Added error skipping for rule-prompt and import-rules-to-repo.
  • Modified --require-only behavior in import-rules-to-repo to populate all fields but only prompt for required ones.
  • Improved extract_error_field function to handle non alpha-numeric characters.
  • Introduced CLI argument to remove null values from TOML rule files.
  • Added support for rule.actions.frequency.throttle field, required in Kibana.
  • Implemented a _add_known_nulls function to handle null fields in TOML files.
  • Added support for action connectors.
  • Enhanced rule prompt with skip errors support.
  • Included rule name in error.txt output for easier debugging.
  • Updated config file initialization to include directories for actions, action connectors, and exceptions.
  • Added helper functions for auto-generating schema.
  • Made Exception List optional within an Exception Container.
  • Cleaned up exceptions and action connectors build and parse functions.
  • Updated Generic Loader to support Action Connectors and fixed a bug.
  • Added support for endpoint integration.
  • Fixed formatting issue with single lines ending in a double quote in a TOML file.
  • Improved formatting support for threat query, setup, and description.
  • Fixed a bug in extract_error_field function related to quotes around the field value.
  • Fixed version printing bug in all_versions function.
  • Updated rule name definitions for customer rules to provide less restriction.
  • Implemented minor bug fixes.

How To Test

Autogen Custom Schema

To test this, first add the appropriate config variable. Next, run view-rule on a rule that has fields that are not currently present in a schema. The rule should validate successfully and your schema file should be updated.

Example: python -m detection_rules view-rule custom_rules/rules/dac_demo_dev_rule_1.toml

Details 

[metadata]
creation_date = "2024/07/29"
maturity = "production"
updated_date = "2024/07/29"

[rule]
actions = []
author = ["DAC User"]
description = "Test Rule"
enabled = true
exceptions_list = []
false_positives = []
from = "now-6m"
index = ["the-best-integration-ever*"]
interval = "5m"
language = "eql"
max_signals = 100
name = "DAC Demo Dev Rule 1"
references = []
risk_score = 47
risk_score_mapping = []
rule_id = "794d2fc0-ecd0-4963-99da-fd587666b80d"
setup = "Test Setup"
severity = "medium"
severity_mapping = []
tags = []
threat = []
to = "now"
type = "eql"

query = '''
process where host.os.type.fakeData == "linux" and process.name.okta.thread == "updated"
'''
[[rule.related_integrations]]
package = "endpoint"
version = "^8.2.0"

[[rule.required_fields]]
ecs = true
name = "host.os.type"
type = "keyword"

[[rule.required_fields]]
ecs = true
name = "process.name"
type = "keyword"

auto_gen_schema

This will occur in any command where rule contents are validated against a schema, including import-rules-to-repo, kibana export-rules and others.

Additionally added, is the --skip-errors flag to import-rules-to-repo to follow similar functionality from this same flag for the kibana export-rules command. With this flag one should expect output similar to the following when importing rules.

1347 results exported
1099 rules converted
248 exceptions exported
49 errors saved to /home/forteea1/Code/clean_mains/detection-rules/custom_rules/rules/_errors.txt

Also, rule names will no longer be validated against our naming conversions for custom rules. Any valid string name will now validate.

Testing support for a required field rule.actions.frequency.throttle

Use the following example rule file to import from ndjson and export back to a kibana instance. You will get a connector id is missing error but this is expected and as far of an implmentation of actions as this PR expects. If the desired result is not working you would see a throttle error instead.

test_action_export.ndjson.txt

Example Rule 

[metadata]
creation_date = "2024/08/03"
maturity = "development"
updated_date = "2024/08/03"

[rule]
author = ["INFOSEC_TEST"]
description = "Test"
filters = []
from = "now-360s"
index = [
    "apm-*-transaction*",
    "auditbeat-*",
    "endgame-*",
    "filebeat-*",
    "logs-*",
    "packetbeat-*",
    "traces-apm*",
    "winlogbeat-*",
    "-*elastic-cloud-logs-*",
]
interval = "5m"
language = "kuery"
max_signals = 100
name = "TestActionRule"
note = "None"
revision = 3
risk_score = 21
rule_id = "e818bf1b-dcc8-4746-80fa-a155a94a7f6b"
setup = "None"
severity = "low"
to = "now"
type = "query"
version = 1

query = '''
process.command_line : "FakeRoot"
'''


[[rule.actions]]
action_type_id = ".email"
group = "default"
id = "elastic-cloud-email"
uuid = "c405d3e6-f47d-4ee2-bfc2-9fa786051c66"

[rule.actions.frequency]
notifyWhen = "onActiveAlert"
summary = true
[rule.actions.params]
message = "Rule {{context.rule.name}} generated {{state.signals_count}} alerts"
subject = "TestEmail"
to = ["[email protected]"]
[[rule.actions]]
action_type_id = ".webhook"
group = "default"
id = "478b2165-83fb-480d-8a4a-bb47cfcafd4c"
uuid = "fd2c83b6-414b-4e31-939a-27f399c06203"

[rule.actions.frequency]
notifyWhen = "onActiveAlert"
summary = true
[rule.actions.params]
body = "{}"

[rule.meta]
from = "1m"
kibana_siem_app_url = "https://dev-deployment-2c684a.kb.us-central1.gcp.cloud.es.io:9243/s/infosec/app/security"

Note you may have to download this to watch the example, needed it to be mp4 due to length and not sure how well github renders mp4.

test_action_gif.mp4

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

@eric-forte-elastic eric-forte-elastic added enhancement New feature or request python Internal python for the repository detections-as-code meta:rapid-merge labels Aug 1, 2024
@eric-forte-elastic eric-forte-elastic self-assigned this Aug 1, 2024
@botelastic botelastic bot added the schema label Aug 1, 2024
@protectionsmachine
Copy link
Collaborator

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Code changes do not introduce new warnings or errors.
  • Variables and functions are well-named and descriptive.
  • Any unnecessary / commented-out code is removed.
  • Ensure that the code is modular and reusable where applicable.
  • Check for proper exception handling and messaging.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.

Additional Checks

  • Ensure that the enhancement does not break existing functionality.
  • Review the enhancement with a peer or team member for additional insights.
  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that all dependencies are up-to-date and compatible with the changes.

@eric-forte-elastic eric-forte-elastic mentioned this pull request Aug 2, 2024
Merged
5 tasks
Mikaayenson
Mikaayenson reviewed Aug 2, 2024
View reviewed changes
detection_rules/integrations.py Outdated Show resolved Hide resolved
detection_rules/rule_validators.py Show resolved Hide resolved
detection_rules/rule_validators.py Outdated Show resolved Hide resolved
detection_rules/rule_formatter.py
Comment on lines 258 to 260
if threat_query:
formatted_threat_query = "\nthreat_query = '''\n{}\n'''{}".format(threat_query, '\n\n' if bottom else '')
top = top.replace('threat_query = "XXxXX"', formatted_threat_query)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have an example for this?

Copy link
Contributor Author

@eric-forte-elastic eric-forte-elastic Aug 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, a rule without this formatting will appear like this, invalid toml string:

threat_query = '@timestamp >= "now-24h"
'

with the formatting it will appear like this:

threat_query = '''
@timestamp >= "now-24h"
'''
Example Rule File 

[metadata]
creation_date = "2024/08/02"
maturity = "development"
updated_date = "2024/08/02"

[rule]
author = ["INFOSEC_TEST"]
description = "Test Threat Query"
enabled = true
from = "now-5400s"
index = ["logs-okta*"]
interval = "1h"
language = "kuery"
max_signals = 100
name = "Test User Threat Query"
note = "Test threat query."
references = ["https://github.com/elastic"]
revision = 28
risk_score = 73
rule_id = "58be7d5b-f8bf-4666-83c6-251ceefea562"
severity = "high"
tags = ["Okta"]
threat_index = ["test_cluster:okta_users"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
timestamp_override = "event.ingested"
to = "now"
type = "threat_match"
version = 24

query = '''
user.email:*
'''



threat_query = '''
@timestamp >= "now-24h"
'''


[[rule.required_fields]]
ecs = true
name = "user.email"
type = "keyword"

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
field = "user.email"
type = "mapping"
value = "user.email"

Ndjson version of above rule:

test_threat_query_rule.ndjson.txt

detection_rules/custom_schemas.py Show resolved Hide resolved
detection_rules/config.py Show resolved Hide resolved
@eric-forte-elastic eric-forte-elastic mentioned this pull request Aug 5, 2024
Merged
5 tasks
@botelastic botelastic bot added bbr Building Block Rules Domain: Cloud Domain: Endpoint Integration: AWS AWS related rules OS: Linux OS: Windows windows related rules labels Aug 5, 2024
eric-forte-elastic and others added 6 commits August 5, 2024 15:22
@eric-forte-elastic @imays11
@Aegrah @w0rk3r @Mikaayenson
[DaC] [FR] Ndjson support for action connectors (#3955)
90643bf 
* [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User (#3910)

* [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User

* increased severity score

Co-authored-by: Ruben Groenewoud <78494512 [email protected]>

---------

Co-authored-by: Ruben Groenewoud <78494512 [email protected]>

* [Rule Tuning] System Binary Moved or Copied (#3933)

* [Rule Tuning] Sensitive Registry Hive Access via RegBack (#3947)

Co-authored-by: Mika Ayenson <[email protected]>

* [New Rule] Potential Relay Attack against a Domain Controller (#3928)

* [New Rule] Potential Relay Attack against a Domain Controller

* Update credential_access_dollar_account_relay.toml

* Move to the correct folder

* [Rule Tuning] AWS S3 Object Versioning Suspended (#3953)

* [Tuning] Executable Bit Set for Potential Persistence Script (#3929)

* [Rule Tuning] Microsoft IIS Service Account Password Dumped (#3935)

* [Rule Tuning] Accepted Default Telnet Port Connection (#3954)

Co-authored-by: Mika Ayenson <[email protected]>

* ndjson support for action connectors

* Add kibana API support for actions

* Minor typo

* Add actions connector support

* update rule formatter

* Fix typo

* [New Rule] Outlook Home Page Registry Modification (#3946)

* Fix typos

* Update docs and generated config

* Update all_versions

* Fix comments

---------

Co-authored-by: Isai <59296946 [email protected]>
Co-authored-by: Ruben Groenewoud <78494512 [email protected]>
Co-authored-by: Jonhnathan <26856693 [email protected]>
Co-authored-by: Mika Ayenson <[email protected]>
@eric-forte-elastic
Create build object methods
098974e
@eric-forte-elastic
Make exception items optional
a50fc81
@eric-forte-elastic
Add rule name to error message
a313fb2
@eric-forte-elastic
Iterative instead
bcabcf1
@eric-forte-elastic
Add type
e9a0e4e
@eric-forte-elastic eric-forte-elastic changed the base branch from DAC-feature to main August 5, 2024 22:57
@eric-forte-elastic eric-forte-elastic changed the base branch from main to DAC-feature August 5, 2024 22:57
@eric-forte-elastic eric-forte-elastic changed the title [DaC] [FR] Autogenerate Custom Schema [DaC] [FR] End to end testing and customer feedback improvements Aug 5, 2024
@eric-forte-elastic eric-forte-elastic changed the title [DaC] [FR] End to end testing and customer feedback improvements [DaC] [FR] End to end testing and feedback improvements Aug 5, 2024
Mikaayenson
Mikaayenson approved these changes Aug 5, 2024
View reviewed changes
Copy link
Contributor

@Mikaayenson Mikaayenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The number of other minor fixes/updates definitely helps clean up a bunch of issues/gaps/assumptions.

Walkthrough code review final testing together looks good. 🚀

@eric-forte-elastic eric-forte-elastic merged commit 346beb1 into DAC-feature Aug 5, 2024
9 checks passed
@eric-forte-elastic eric-forte-elastic deleted the autogen_custom_schemas branch August 5, 2024 23:13
@eric-forte-elastic eric-forte-elastic mentioned this pull request Aug 12, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@terrancedejesus terrancedejesus terrancedejesus approved these changes

@Mikaayenson Mikaayenson Mikaayenson approved these changes

@traut traut traut approved these changes

Assignees

@eric-forte-elastic eric-forte-elastic

Labels
bbr Building Block Rules detections-as-code Domain: Cloud Domain: Endpoint enhancement New feature or request Integration: AWS AWS related rules meta:rapid-merge OS: Linux OS: Windows windows related rules python Internal python for the repository schema
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@eric-forte-elastic @protectionsmachine @traut @Mikaayenson @terrancedejesus