From 15ad8e9875d90acef10184229c9a22864f18e417 Mon Sep 17 00:00:00 2001 From: brokensound77 Date: Fri, 16 Jul 2021 11:04:06 -0800 Subject: [PATCH 1/9] Make cardinality array in schema for threshold rules --- detection_rules/rule.py | 4 +- detection_rules/rule_formatter.py | 2 +- detection_rules/schemas/definitions.py | 11 +++- etc/stack-schema-map.yaml | 2 +- requirements.txt | 2 +- ...evasion_agent__spoofing_mismatched_id.toml | 48 ++++++++++++++++ ...evasion_agent_spoofing_multiple_hosts.toml | 56 +++++++++++++++++++ 7 files changed, 118 insertions(+), 7 deletions(-) create mode 100644 rules/cross-platform/defense_evasion_agent__spoofing_mismatched_id.toml create mode 100644 rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 2aad2b49a9b..e1b6aed2856 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py @@ -255,9 +255,9 @@ class ThresholdCardinality: field: str value: definitions.ThresholdValue - field: List[definitions.NonEmptyStr] + field: definitions.StringListMaxSizeThree value: definitions.ThresholdValue - cardinality: Optional[ThresholdCardinality] + cardinality: Optional[List[ThresholdCardinality]] type: Literal["threshold"] threshold: ThresholdMapping diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py index ff43dab9791..d8c1527c697 100644 --- a/detection_rules/rule_formatter.py +++ b/detection_rules/rule_formatter.py @@ -206,5 +206,5 @@ def _do_write(_data, _contents): _do_write(data, _contents) finally: - if needs_close: + if needs_close and isinstance(outfile, io.IOBase): outfile.close() diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py index 9d4bcb3c2d9..1c26c0ae791 100644 --- a/detection_rules/schemas/definitions.py +++ b/detection_rules/schemas/definitions.py @@ -5,7 +5,7 @@ """Custom shared definitions for schemas.""" -from typing import Literal, Final +from typing import List, Literal, Final from marshmallow import validate from marshmallow_dataclass import NewType @@ -44,19 +44,26 @@ } +def string_only_list(obj: List[str]): + """Validate all records in a list are strings.""" + return all([type(r) == str for r in obj]) + + BranchVer = NewType('BranchVer', str, validate=validate.Regexp(BRANCH_PATTERN)) CodeString = NewType("CodeString", str) ConditionSemVer = NewType('ConditionSemVer', str, validate=validate.Regexp(CONDITION_VERSION_PATTERN)) Date = NewType('Date', str, validate=validate.Regexp(DATE_PATTERN)) FilterLanguages = Literal["kuery", "lucene"] Interval = NewType('Interval', str, validate=validate.Regexp(INTERVAL_PATTERN)) -PositiveInteger = NewType('PositiveInteger', int, validate=validate.Range(min=1)) +StringListMaxSizeThree = NewType('StringListMaxSizeThree', list, + validate=validate.And(validate.Length(min=0, max=3), string_only_list)) Markdown = NewType("MarkdownField", CodeString) Maturity = Literal['development', 'experimental', 'beta', 'production', 'deprecated'] MaxSignals = NewType("MaxSignals", int, validate=validate.Range(min=1)) NonEmptyStr = NewType('NonEmptyStr', str, validate=validate.Length(min=1)) Operator = Literal['equals'] OSType = Literal['windows', 'linux', 'macos'] +PositiveInteger = NewType('PositiveInteger', int, validate=validate.Range(min=1)) RiskScore = NewType("MaxSignals", int, validate=validate.Range(min=1, max=100)) RuleType = Literal['query', 'saved_query', 'machine_learning', 'eql', 'threshold', 'threat_match'] SemVer = NewType('SemVer', str, validate=validate.Regexp(VERSION_PATTERN)) diff --git a/etc/stack-schema-map.yaml b/etc/stack-schema-map.yaml index e992786fa37..871ca3764a8 100644 --- a/etc/stack-schema-map.yaml +++ b/etc/stack-schema-map.yaml @@ -9,4 +9,4 @@ "7.14.0": beats: "master" # TODO: 7.14.x - ecs: "1.10.0" + ecs: "master" # TODO: master came out after 7.13.0 release diff --git a/requirements.txt b/requirements.txt index 64138b25a84..55369f68f12 100644 --- a/requirements.txt +++ b/requirements.txt @@ -8,7 +8,7 @@ PyYAML~=5.3 eql==0.9.9 elasticsearch~=7.9 XlsxWriter~=1.3.6 -marshmallow~=3.10.0 +marshmallow~=3.12.2 marshmallow-dataclass[union]~=8.3.1 # test deps diff --git a/rules/cross-platform/defense_evasion_agent__spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent__spoofing_mismatched_id.toml new file mode 100644 index 00000000000..8548daa00ce --- /dev/null +++ b/rules/cross-platform/defense_evasion_agent__spoofing_mismatched_id.toml @@ -0,0 +1,48 @@ +[metadata] +creation_date = "2021/07/14" +maturity = "production" +updated_date = "2021/07/14" +min_stack_version = "7.14.0" + +[rule] +author = ["Elastic"] +description = """Detects events which have a mismatch on the expected event agent ID. The status "agent_id_mismatch" +occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could +indicate attempts to spoof events in order to masquerade actual activity to evade detection. +""" +false_positives = [ + """ + This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the + necessary field, resulting in false positives. + """, +] +from = "now-9m" +index = ["logs-endpoint.*", "apm-*-transaction*", "filebeat-*", "auditbeat-*", "winlogbeat-*", "packetbeat-*"] +language = "kuery" +license = "Elastic License v2" +name = "Agent Spoofing - Mismatched Agent ID" +risk_score = 73 +rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93" +severity = "high" +tags = ["Elastic", "Windows", "Network", "Host", "APM", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.agent_id_status:agent_id_mismatch +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml new file mode 100644 index 00000000000..7b513e39236 --- /dev/null +++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml @@ -0,0 +1,56 @@ +[metadata] +creation_date = "2021/07/14" +maturity = "production" +updated_date = "2021/07/14" +min_stack_version = "7.14.0" + +[rule] +author = ["Elastic"] +description = """Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent +being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to +masquerade actual activity to evade detection. +""" +false_positives = [ + """ + This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the + necessary field, resulting in false positives. + """, +] +from = "now-9m" +index = ["logs-endpoint.*", "apm-*-transaction*", "filebeat-*", "auditbeat-*", "winlogbeat-*", "packetbeat-*"] +language = "kuery" +license = "Elastic License v2" +name = "Agent Spoofing - Multiple Hosts Using Same Agent" +risk_score = 73 +rule_id = "493834ca-f861-414c-8602-150d5505b777" +severity = "high" +tags = ["Elastic", "Windows", "Network", "Host", "APM", "Threat Detection", "Defense Evasion"] +timestamp_override = "event.ingested" +type = "threshold" + +query = ''' +event.agent_id_status:* +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + + +[rule.threshold] +field = ["agent.id"] +value = 2 + +[[rule.threshold.cardinality]] +field = "host.id" +value = 1 From 3a8eaa4bea18622755f8d91ad9cc8f682b0ae865 Mon Sep 17 00:00:00 2001 From: brokensound77 Date: Fri, 16 Jul 2021 12:57:39 -0800 Subject: [PATCH 2/9] update index and tags --- ...ml => defense_evasion_agent_spoofing_mismatched_id.toml} | 4 ++-- .../defense_evasion_agent_spoofing_multiple_hosts.toml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) rename rules/cross-platform/{defense_evasion_agent__spoofing_mismatched_id.toml => defense_evasion_agent_spoofing_mismatched_id.toml} (86%) diff --git a/rules/cross-platform/defense_evasion_agent__spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml similarity index 86% rename from rules/cross-platform/defense_evasion_agent__spoofing_mismatched_id.toml rename to rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml index 8548daa00ce..484819cbf38 100644 --- a/rules/cross-platform/defense_evasion_agent__spoofing_mismatched_id.toml +++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml @@ -17,14 +17,14 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.*", "apm-*-transaction*", "filebeat-*", "auditbeat-*", "winlogbeat-*", "packetbeat-*"] +index = ["logs-*", "metrics-*", "traces-*"] language = "kuery" license = "Elastic License v2" name = "Agent Spoofing - Mismatched Agent ID" risk_score = 73 rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93" severity = "high" -tags = ["Elastic", "Windows", "Network", "Host", "APM", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Threat Detection", "Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml index 7b513e39236..5caecf3a49b 100644 --- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml +++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml @@ -17,14 +17,14 @@ false_positives = [ """, ] from = "now-9m" -index = ["logs-endpoint.*", "apm-*-transaction*", "filebeat-*", "auditbeat-*", "winlogbeat-*", "packetbeat-*"] +index = ["logs-*", "metrics-*", "traces-*"] language = "kuery" license = "Elastic License v2" name = "Agent Spoofing - Multiple Hosts Using Same Agent" risk_score = 73 rule_id = "493834ca-f861-414c-8602-150d5505b777" severity = "high" -tags = ["Elastic", "Windows", "Network", "Host", "APM", "Threat Detection", "Defense Evasion"] +tags = ["Elastic", "Threat Detection", "Defense Evasion"] timestamp_override = "event.ingested" type = "threshold" @@ -53,4 +53,4 @@ value = 2 [[rule.threshold.cardinality]] field = "host.id" -value = 1 +value = 2 From 0022f2d0a9e8a583d15827f0f11df3bfc5fde47d Mon Sep 17 00:00:00 2001 From: brokensound77 Date: Fri, 16 Jul 2021 13:17:27 -0800 Subject: [PATCH 3/9] alphabetize definitions --- detection_rules/schemas/definitions.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py index 1c26c0ae791..a54517138d4 100644 --- a/detection_rules/schemas/definitions.py +++ b/detection_rules/schemas/definitions.py @@ -46,7 +46,7 @@ def string_only_list(obj: List[str]): """Validate all records in a list are strings.""" - return all([type(r) == str for r in obj]) + return all([isinstance(r, str) for r in obj]) BranchVer = NewType('BranchVer', str, validate=validate.Regexp(BRANCH_PATTERN)) @@ -55,8 +55,6 @@ def string_only_list(obj: List[str]): Date = NewType('Date', str, validate=validate.Regexp(DATE_PATTERN)) FilterLanguages = Literal["kuery", "lucene"] Interval = NewType('Interval', str, validate=validate.Regexp(INTERVAL_PATTERN)) -StringListMaxSizeThree = NewType('StringListMaxSizeThree', list, - validate=validate.And(validate.Length(min=0, max=3), string_only_list)) Markdown = NewType("MarkdownField", CodeString) Maturity = Literal['development', 'experimental', 'beta', 'production', 'deprecated'] MaxSignals = NewType("MaxSignals", int, validate=validate.Range(min=1)) @@ -69,6 +67,8 @@ def string_only_list(obj: List[str]): SemVer = NewType('SemVer', str, validate=validate.Regexp(VERSION_PATTERN)) Severity = Literal['low', 'medium', 'high', 'critical'] Sha256 = NewType('Sha256', str, validate=validate.Regexp(SHA256_PATTERN)) +StringListMaxSizeThree = NewType('StringListMaxSizeThree', list, + validate=validate.And(validate.Length(min=0, max=3), string_only_list)) SubTechniqueURL = NewType('SubTechniqueURL', str, validate=validate.Regexp(SUBTECHNIQUE_URL)) TacticURL = NewType('TacticURL', str, validate=validate.Regexp(TACTIC_URL)) TechniqueURL = NewType('TechniqueURL', str, validate=validate.Regexp(TECHNIQUE_URL)) From 9ba3c3b50255a8f1a5ea690e4a1e86cffd136611 Mon Sep 17 00:00:00 2001 From: brokensound77 Date: Mon, 19 Jul 2021 11:49:44 -0800 Subject: [PATCH 4/9] update master, 7.13, and 7.14 schemas with cardinality fix --- detection_rules/rule.py | 2 +- etc/api_schemas/7.13/7.13.threshold.json | 48 +++++++++++++------- etc/api_schemas/7.14/7.14.threshold.json | 36 ++++++++------- etc/api_schemas/master/master.threshold.json | 36 ++++++++------- 4 files changed, 70 insertions(+), 52 deletions(-) diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 06aebccdc8b..82eeebacdf2 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py @@ -183,7 +183,7 @@ class BaseRuleData(MarshmallowDataclassMixin): def save_schema(cls): """Save the schema as a jsonschema.""" fields: List[dataclasses.Field] = dataclasses.fields(cls) - type_field = next(field for field in fields if field.name == "type") + type_field = next(f for f in fields if f.name == "type") rule_type = typing.get_args(type_field.type)[0] if cls != BaseRuleData else "base" schema = cls.jsonschema() version_dir = SCHEMA_DIR / "master" diff --git a/etc/api_schemas/7.13/7.13.threshold.json b/etc/api_schemas/7.13/7.13.threshold.json index 724d46ccee9..459a19d4ef1 100644 --- a/etc/api_schemas/7.13/7.13.threshold.json +++ b/etc/api_schemas/7.13/7.13.threshold.json @@ -112,6 +112,9 @@ "type": "string" }, "operator": { + "enum": [ + "equals" + ], "type": "string" }, "value": { @@ -151,6 +154,9 @@ "type": "string" }, "operator": { + "enum": [ + "equals" + ], "type": "string" }, "severity": { @@ -178,6 +184,9 @@ "additionalProperties": false, "properties": { "framework": { + "enum": [ + "MITRE ATT&CK" + ], "type": "string" }, "tactic": { @@ -265,28 +274,30 @@ "additionalProperties": false, "properties": { "cardinality": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } }, - "value": { - "description": "ThresholdValue", - "format": "integer", - "minimum": 1, - "type": "number" - } + "required": [ + "field", + "value" + ], + "type": "object" }, - "required": [ - "field", - "value" - ], - "type": "object" + "type": "array" }, "field": { + "description": "StringListMaxSizeThree", "items": { - "description": "NonEmptyStr", - "minLength": 1, "type": "string" }, "type": "array" @@ -336,6 +347,9 @@ "type": "string" }, "type": { + "enum": [ + "threshold" + ], "type": "string" } }, diff --git a/etc/api_schemas/7.14/7.14.threshold.json b/etc/api_schemas/7.14/7.14.threshold.json index e0715120611..459a19d4ef1 100644 --- a/etc/api_schemas/7.14/7.14.threshold.json +++ b/etc/api_schemas/7.14/7.14.threshold.json @@ -274,28 +274,30 @@ "additionalProperties": false, "properties": { "cardinality": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } }, - "value": { - "description": "ThresholdValue", - "format": "integer", - "minimum": 1, - "type": "number" - } + "required": [ + "field", + "value" + ], + "type": "object" }, - "required": [ - "field", - "value" - ], - "type": "object" + "type": "array" }, "field": { + "description": "StringListMaxSizeThree", "items": { - "description": "NonEmptyStr", - "minLength": 1, "type": "string" }, "type": "array" diff --git a/etc/api_schemas/master/master.threshold.json b/etc/api_schemas/master/master.threshold.json index e0715120611..459a19d4ef1 100644 --- a/etc/api_schemas/master/master.threshold.json +++ b/etc/api_schemas/master/master.threshold.json @@ -274,28 +274,30 @@ "additionalProperties": false, "properties": { "cardinality": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } }, - "value": { - "description": "ThresholdValue", - "format": "integer", - "minimum": 1, - "type": "number" - } + "required": [ + "field", + "value" + ], + "type": "object" }, - "required": [ - "field", - "value" - ], - "type": "object" + "type": "array" }, "field": { + "description": "StringListMaxSizeThree", "items": { - "description": "NonEmptyStr", - "minLength": 1, "type": "string" }, "type": "array" From a0f46fe90dd2d1844652df11c761426e47a42423 Mon Sep 17 00:00:00 2001 From: brokensound77 Date: Mon, 19 Jul 2021 12:01:51 -0800 Subject: [PATCH 5/9] fix 7.12 downgrade to handle cardinality as an array --- detection_rules/schemas/__init__.py | 2 +- etc/api_schemas/7.12/7.12.threshold.json | 31 ++++++++++++++---------- tests/test_schemas.py | 4 +-- 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py index f20eb1b30ca..2787dcf199f 100644 --- a/detection_rules/schemas/__init__.py +++ b/detection_rules/schemas/__init__.py @@ -123,7 +123,7 @@ def downgrade_threshold_to_7_11(version: Version, api_contents: dict) -> dict: if len(threshold_field) > 1: raise ValueError('Cannot downgrade a threshold rule that has multiple threshold fields defined') - if threshold.get('cardinality', {}).get('field') or threshold.get('cardinality', {}).get('value'): + if threshold.get('cardinality'): raise ValueError('Cannot downgrade a threshold rule that has a defined cardinality') api_contents = api_contents.copy() diff --git a/etc/api_schemas/7.12/7.12.threshold.json b/etc/api_schemas/7.12/7.12.threshold.json index d426ff86832..e7c9d55b23e 100644 --- a/etc/api_schemas/7.12/7.12.threshold.json +++ b/etc/api_schemas/7.12/7.12.threshold.json @@ -919,21 +919,26 @@ "additionalProperties": false, "properties": { "cardinality": { - "additionalProperties": false, - "properties": { - "field": { - "type": "string" + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } }, - "value": { - "minimum": 1, - "type": "integer" - } + "required": [ + "field", + "value" + ], + "type": "object" }, - "required": [ - "field", - "value" - ], - "type": "object" + "type": "array" }, "field": { "items": { diff --git a/tests/test_schemas.py b/tests/test_schemas.py index e78c8326535..68ed2a3d1d0 100644 --- a/tests/test_schemas.py +++ b/tests/test_schemas.py @@ -86,10 +86,10 @@ def setUpClass(cls): cls.v712_threshold_rule = dict(copy.deepcopy(cls.v79_threshold_contents), threshold={ 'field': ['destination.bytes', 'process.args'], 'value': 75, - 'cardinality': { + 'cardinality': [{ 'field': 'user.name', 'value': 2 - } + }] }) def test_query_downgrade(self): From db8c4b62b11cc3dfcb35deabebe28c02f992bdbf Mon Sep 17 00:00:00 2001 From: Justin Ibarra Date: Mon, 19 Jul 2021 12:04:02 -0800 Subject: [PATCH 6/9] toml formatter close if hasattr "close" Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> --- detection_rules/rule_formatter.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection_rules/rule_formatter.py b/detection_rules/rule_formatter.py index d8c1527c697..bb4cb485d21 100644 --- a/detection_rules/rule_formatter.py +++ b/detection_rules/rule_formatter.py @@ -206,5 +206,5 @@ def _do_write(_data, _contents): _do_write(data, _contents) finally: - if needs_close and isinstance(outfile, io.IOBase): + if needs_close and hasattr(outfile, "close"): outfile.close() From 5a39e2cd211169a1945d3760a071962b8706c4f7 Mon Sep 17 00:00:00 2001 From: brokensound77 Date: Tue, 20 Jul 2021 15:56:12 -0800 Subject: [PATCH 7/9] use NonEmptyStr in type validation for StringListMaxSizeThree --- detection_rules/schemas/definitions.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py index a54517138d4..6b4454af10b 100644 --- a/detection_rules/schemas/definitions.py +++ b/detection_rules/schemas/definitions.py @@ -67,7 +67,7 @@ def string_only_list(obj: List[str]): SemVer = NewType('SemVer', str, validate=validate.Regexp(VERSION_PATTERN)) Severity = Literal['low', 'medium', 'high', 'critical'] Sha256 = NewType('Sha256', str, validate=validate.Regexp(SHA256_PATTERN)) -StringListMaxSizeThree = NewType('StringListMaxSizeThree', list, +StringListMaxSizeThree = NewType('StringListMaxSizeThree', List[NonEmptyStr], validate=validate.And(validate.Length(min=0, max=3), string_only_list)) SubTechniqueURL = NewType('SubTechniqueURL', str, validate=validate.Regexp(SUBTECHNIQUE_URL)) TacticURL = NewType('TacticURL', str, validate=validate.Regexp(TACTIC_URL)) From de04b8d09c3049391c0dc3d7ab97cf0e28990199 Mon Sep 17 00:00:00 2001 From: brokensound77 Date: Tue, 20 Jul 2021 21:14:03 -0800 Subject: [PATCH 8/9] rename definition to CardinalityFields --- detection_rules/rule.py | 2 +- detection_rules/schemas/definitions.py | 9 ++------- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 82eeebacdf2..99df1d95480 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py @@ -256,7 +256,7 @@ class ThresholdCardinality: field: str value: definitions.ThresholdValue - field: definitions.StringListMaxSizeThree + field: definitions.CardinalityFields value: definitions.ThresholdValue cardinality: Optional[List[ThresholdCardinality]] diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py index 6b4454af10b..1fb005e2915 100644 --- a/detection_rules/schemas/definitions.py +++ b/detection_rules/schemas/definitions.py @@ -44,12 +44,10 @@ } -def string_only_list(obj: List[str]): - """Validate all records in a list are strings.""" - return all([isinstance(r, str) for r in obj]) - +NonEmptyStr = NewType('NonEmptyStr', str, validate=validate.Length(min=1)) BranchVer = NewType('BranchVer', str, validate=validate.Regexp(BRANCH_PATTERN)) +CardinalityFields = NewType('CardinalityFields', List[NonEmptyStr], validate=validate.Length(min=0, max=3)) CodeString = NewType("CodeString", str) ConditionSemVer = NewType('ConditionSemVer', str, validate=validate.Regexp(CONDITION_VERSION_PATTERN)) Date = NewType('Date', str, validate=validate.Regexp(DATE_PATTERN)) @@ -58,7 +56,6 @@ def string_only_list(obj: List[str]): Markdown = NewType("MarkdownField", CodeString) Maturity = Literal['development', 'experimental', 'beta', 'production', 'deprecated'] MaxSignals = NewType("MaxSignals", int, validate=validate.Range(min=1)) -NonEmptyStr = NewType('NonEmptyStr', str, validate=validate.Length(min=1)) Operator = Literal['equals'] OSType = Literal['windows', 'linux', 'macos'] PositiveInteger = NewType('PositiveInteger', int, validate=validate.Range(min=1)) @@ -67,8 +64,6 @@ def string_only_list(obj: List[str]): SemVer = NewType('SemVer', str, validate=validate.Regexp(VERSION_PATTERN)) Severity = Literal['low', 'medium', 'high', 'critical'] Sha256 = NewType('Sha256', str, validate=validate.Regexp(SHA256_PATTERN)) -StringListMaxSizeThree = NewType('StringListMaxSizeThree', List[NonEmptyStr], - validate=validate.And(validate.Length(min=0, max=3), string_only_list)) SubTechniqueURL = NewType('SubTechniqueURL', str, validate=validate.Regexp(SUBTECHNIQUE_URL)) TacticURL = NewType('TacticURL', str, validate=validate.Regexp(TACTIC_URL)) TechniqueURL = NewType('TechniqueURL', str, validate=validate.Regexp(TECHNIQUE_URL)) From 2972157621098f82226cb684f07adda01ee22f26 Mon Sep 17 00:00:00 2001 From: brokensound77 Date: Wed, 21 Jul 2021 08:23:42 -0800 Subject: [PATCH 9/9] regenerate API schemas to pull in changes --- etc/api_schemas/7.12/7.12.threshold.json | 10 ++++++++-- etc/api_schemas/7.13/7.13.threshold.json | 5 ++++- etc/api_schemas/7.14/7.14.threshold.json | 5 ++++- etc/api_schemas/master/master.threshold.json | 5 ++++- 4 files changed, 20 insertions(+), 5 deletions(-) diff --git a/etc/api_schemas/7.12/7.12.threshold.json b/etc/api_schemas/7.12/7.12.threshold.json index e7c9d55b23e..f5c606b1643 100644 --- a/etc/api_schemas/7.12/7.12.threshold.json +++ b/etc/api_schemas/7.12/7.12.threshold.json @@ -941,18 +941,24 @@ "type": "array" }, "field": { + "description": "CardinalityFields", "items": { - "default": "", + "description": "NonEmptyStr", + "minLength": 1, "type": "string" }, + "maxItems": 3, "type": "array" }, "value": { + "description": "ThresholdValue", + "format": "integer", "minimum": 1, - "type": "integer" + "type": "number" } }, "required": [ + "field", "value" ], "type": "object" diff --git a/etc/api_schemas/7.13/7.13.threshold.json b/etc/api_schemas/7.13/7.13.threshold.json index 459a19d4ef1..aeb982b1912 100644 --- a/etc/api_schemas/7.13/7.13.threshold.json +++ b/etc/api_schemas/7.13/7.13.threshold.json @@ -296,10 +296,13 @@ "type": "array" }, "field": { - "description": "StringListMaxSizeThree", + "description": "CardinalityFields", "items": { + "description": "NonEmptyStr", + "minLength": 1, "type": "string" }, + "maxItems": 3, "type": "array" }, "value": { diff --git a/etc/api_schemas/7.14/7.14.threshold.json b/etc/api_schemas/7.14/7.14.threshold.json index 459a19d4ef1..aeb982b1912 100644 --- a/etc/api_schemas/7.14/7.14.threshold.json +++ b/etc/api_schemas/7.14/7.14.threshold.json @@ -296,10 +296,13 @@ "type": "array" }, "field": { - "description": "StringListMaxSizeThree", + "description": "CardinalityFields", "items": { + "description": "NonEmptyStr", + "minLength": 1, "type": "string" }, + "maxItems": 3, "type": "array" }, "value": { diff --git a/etc/api_schemas/master/master.threshold.json b/etc/api_schemas/master/master.threshold.json index 459a19d4ef1..aeb982b1912 100644 --- a/etc/api_schemas/master/master.threshold.json +++ b/etc/api_schemas/master/master.threshold.json @@ -296,10 +296,13 @@ "type": "array" }, "field": { - "description": "StringListMaxSizeThree", + "description": "CardinalityFields", "items": { + "description": "NonEmptyStr", + "minLength": 1, "type": "string" }, + "maxItems": 3, "type": "array" }, "value": {