[New Rule] AWS EC2 LOLBin Execution via SSM #766
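---
# Validates ES|QL detection rules on pull requests.
# When the dr_cloud_id / dr_api_key secrets are absent, the job spins up a local
# Elastic stack from the elastic-container project and mints a short-lived API
# key against it; otherwise the remote stack named by the secrets is used.
name: ES|QL Validation

# yamllint disable-line rule:truthy
on:
  pull_request:
    branches: ["*"]

# Least privilege for the default GITHUB_TOKEN: the steps below only read
# repository contents (checkout); nothing writes back to the repository.
permissions:
  contents: read

jobs:
  build-and-validate:
    runs-on: ubuntu-latest
    steps:
      - name: Setup Detection Rules
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          # Full history is needed so `git diff HEAD~1` below has a parent.
          fetch-depth: 0
          path: detection-rules

      - name: Check if new or modified rule files are ESQL rules
        id: check-esql
        run: |
          cd detection-rules
          # Check if the event is a push
          # NOTE(review): this workflow is only triggered on pull_request, so
          # the push branch below is currently unreachable; kept for a future
          # push trigger.
          if [ "${{ github.event_name }}" = "push" ]; then
            echo "Triggered by a push event. Setting run_esql=true."
            echo "run_esql=true" >> "$GITHUB_ENV"
            exit 0
          fi
          # Rule files added or modified relative to the previous commit
          # (presumably the PR base, as HEAD is the PR merge commit — confirm).
          MODIFIED_FILES=$(git diff --name-only --diff-filter=AM HEAD~1 | grep '^rules/.*\.toml$' || true)
          if [ -z "$MODIFIED_FILES" ]; then
            echo "No modified or new .toml files found. Skipping workflow."
            echo "run_esql=false" >> "$GITHUB_ENV"
            exit 0
          fi
          # $MODIFIED_FILES is intentionally unquoted: one argument per file.
          if ! grep -q 'type = "esql"' $MODIFIED_FILES; then
            echo "No 'type = \"esql\"' found in the modified .toml files. Skipping workflow."
            echo "run_esql=false" >> "$GITHUB_ENV"
            exit 0
          fi
          echo "run_esql=true" >> "$GITHUB_ENV"

      # Local-stack path: only taken when neither remote secret is configured.
      - name: Check out repository
        env:
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
          DR_API_KEY: ${{ secrets.dr_api_key }}
        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY && env.run_esql == 'true' }}
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
        with:
          path: elastic-container
          # NOTE(review): this is a third-party repository checked out at its
          # default branch and its shell script is executed in the next step.
          # Pin it with `ref: <reviewed-commit-sha>` so a change upstream
          # cannot silently alter what runs in CI.
          repository: peasead/elastic-container

      - name: Build and run containers
        env:
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
          DR_API_KEY: ${{ secrets.dr_api_key }}
        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY && env.run_esql == 'true' }}
        run: |
          cd elastic-container
          # Replace the default password before the stack is started; the
          # base64 alphabet never contains '|', so it is a safe sed delimiter.
          GENERATED_PASSWORD=$(openssl rand -base64 16)
          sed -i "s|changeme|$GENERATED_PASSWORD|" .env
          # Mask before anything else can print the value (set -x below).
          echo "::add-mask::$GENERATED_PASSWORD"
          echo "GENERATED_PASSWORD=$GENERATED_PASSWORD" >> "$GITHUB_ENV"
          set -x
          bash elastic-container.sh start

      - name: Get API Key and setup auth
        env:
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
          DR_API_KEY: ${{ secrets.dr_api_key }}
          DR_ELASTICSEARCH_URL: "https://localhost:9200"
          ES_USER: "elastic"
          ES_PASSWORD: ${{ env.GENERATED_PASSWORD }}
        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY && env.run_esql == 'true' }}
        run: |
          cd detection-rules
          # -k: the local container uses a self-signed certificate.
          # -fsS: fail the step on an HTTP error instead of feeding an error
          # body to jq, which would otherwise yield a "null" API key.
          response=$(curl -k -fsS -X POST -u "$ES_USER:$ES_PASSWORD" -H "Content-Type: application/json" -d '{
            "name": "tmp-api-key",
            "expiration": "1d"
          }' "$DR_ELASTICSEARCH_URL/_security/api_key")
          DR_API_KEY=$(echo "$response" | jq -r '.encoded // empty')
          if [ -z "$DR_API_KEY" ]; then
            echo "::error::API key creation returned no 'encoded' value."
            exit 1
          fi
          echo "::add-mask::$DR_API_KEY"
          echo "DR_API_KEY=$DR_API_KEY" >> "$GITHUB_ENV"

      - name: Set up Python 3.13
        if: ${{ env.run_esql == 'true' }}
        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
        with:
          python-version: "3.13"

      - name: Install dependencies
        if: ${{ env.run_esql == 'true' }}
        run: |
          cd detection-rules
          python -m pip install --upgrade pip
          pip cache purge
          pip install '.[dev]'

      # Remote stack wins when dr_cloud_id is set; otherwise point the tooling
      # at the local container started above (self-signed cert => ignore SSL).
      - name: Remote Test ESQL Rules
        if: ${{ env.run_esql == 'true' }}
        env:
          DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
          DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
          DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
          DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
          DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
        run: |
          cd detection-rules
          python -m detection_rules dev test esql-remote-validation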