Skip to content

Update cardinality field in schema for threshold rules#1349

Merged
brokensound77 merged 13 commits into
elastic:mainfrom
brokensound77:host-masquerading-rule
Jul 21, 2021
Merged

Update cardinality field in schema for threshold rules#1349
brokensound77 merged 13 commits into
elastic:mainfrom
brokensound77:host-masquerading-rule

Conversation

@brokensound77

Copy link
Copy Markdown
Contributor

Issues

No issue for schema update
rules related to elastic/security-team#944

Summary

When the schema was updated to include cardinality, it was not added as an array field, which should have been. From the Kibana change:

The cardinality field has been normalized to be an array to avoid a future migration when we support multiple cardinality fields.

This also limits it to a max of 3 strings to reflect the client side validation enforced within Kibana.

This also adds a couple of rules which depended on the field.

@brokensound77 brokensound77 added bug Something isn't working python Internal python for the repository schema labels Jul 16, 2021
Comment thread detection_rules/schemas/definitions.py Outdated
Comment thread detection_rules/schemas/definitions.py Outdated
Comment thread detection_rules/rule.py
Comment thread etc/stack-schema-map.yaml
Comment thread detection_rules/rule_formatter.py Outdated
@brokensound77 brokensound77 force-pushed the host-masquerading-rule branch from fec8a23 to 9ba3c3b Compare July 19, 2021 19:51
brokensound77 and others added 2 commits July 19, 2021 12:01
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Comment thread detection_rules/rule.py
Comment thread detection_rules/schemas/definitions.py Outdated
Comment thread etc/api_schemas/7.12/7.12.threshold.json
Comment thread detection_rules/schemas/definitions.py Outdated
Comment thread etc/stack-schema-map.yaml
Comment thread detection_rules/rule.py

@rw-access rw-access left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:soclose1:
:soclose2:

Comment thread detection_rules/schemas/definitions.py Outdated
Comment thread detection_rules/schemas/definitions.py Outdated
Comment thread detection_rules/rule.py Outdated
@brokensound77

Copy link
Copy Markdown
Contributor Author

:soclose1:
:soclose2:

should be good to go now

@rw-access rw-access left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just rebuild and inspect the JSON, then LGTM.

Comment thread etc/api_schemas/7.12/7.12.threshold.json
@brokensound77 brokensound77 merged commit 163d9e3 into elastic:main Jul 21, 2021
@brokensound77 brokensound77 deleted the host-masquerading-rule branch July 21, 2021 16:32
protectionsmachine pushed a commit that referenced this pull request Jul 21, 2021
* Make cardinality array in schema for threshold rules
* update master, 7.12, 7.13, and 7.14 schemas with cardinality fix
* fix 7.12 downgrade to handle cardinality as an array

* Add two new rules to detect agent spoofing

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

(cherry picked from commit 163d9e3)
protectionsmachine pushed a commit that referenced this pull request Jul 21, 2021
* Make cardinality array in schema for threshold rules
* update master, 7.12, 7.13, and 7.14 schemas with cardinality fix
* fix 7.12 downgrade to handle cardinality as an array

* Add two new rules to detect agent spoofing

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

(cherry picked from commit 163d9e3)
"""
false_positives = [
"""
This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One reason the security app never used host.id for identifying hosts is that it wasn't reliably unique (for beats) in environments where VM images are cloned without resetting /etc/machine-id. I would recommend mentioning this as a false positive.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

backport: auto bug Something isn't working python Internal python for the repository schema

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants