elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Bug] Missing Spaces Between Logic Operators Does Not Raise Error #2700

Open terrancedejesus opened 1 year ago

terrancedejesus commented 1 year ago

Describe the bug

Related to https://github.com/elastic/detection-rules/pull/2692, it appears the original query passed validation from KQLValidator class methods when the rule was loaded. It should have failed because one of the logic operators was missing a space, which is invalid for KQL.

"Test-ServiceDaclPermission" or"Update-ExeFunctions"

Testing

We should take the rule as it was before the fix locally and set a breakpoint in KQLValidator.validate within rule_validators.py. This should allow us to trace the parsing and validation to determine why it did not explicitly raise an error.
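The following is an added example, not code from the detection-rules project and not its KQLValidator or the kql package it wraps. It is a stand-alone pre-check that tokenizes a query string and reports a logic operator (and/or/not) that touches a neighbouring token with no whitespace in between, which is the condition the report above says slipped through. The query from the issue is used as the first sample; the other samples are constructed for illustration, and the function names are this example's own.

```python
import re
from dataclasses import dataclass

# KQL logic operators are matched case-insensitively.
OPERATORS = {"and", "or", "not"}

# Minimal tokenizer: whitespace, double-quoted strings (with backslash escapes),
# parentheses, bare words, and a catch-all so nothing is silently skipped.
TOKEN_RE = re.compile(
    r'(?P<ws>\s+)'
    r'|(?P<str>"(?:[^"\\]|\\.)*")'
    r'|(?P<paren>[()])'
    r'|(?P<word>[^\s"()]+)'
    r'|(?P<other>.)'
)


@dataclass
class Finding:
    operator: str   # the operator text as written
    offset: int     # character offset of the operator in the query
    message: str


def find_unspaced_operators(query: str) -> list[Finding]:
    """Return one Finding per side of a logic operator that has no whitespace."""
    tokens = []          # (kind, text, offset, whitespace_before)
    space_before = True  # start of input counts as a boundary
    for m in TOKEN_RE.finditer(query):
        if m.lastgroup == "ws":
            space_before = True
            continue
        tokens.append((m.lastgroup, m.group(), m.start(), space_before))
        space_before = False

    findings = []
    for i, (kind, text, offset, spaced) in enumerate(tokens):
        # Only bare words can be operators; "or" inside a quoted string is a value.
        if kind != "word" or text.lower() not in OPERATORS:
            continue
        if i > 0 and not spaced:
            findings.append(Finding(text, offset, f"no whitespace before '{text}'"))
        if i + 1 < len(tokens) and not tokens[i + 1][3]:
            findings.append(Finding(text, offset, f"no whitespace after '{text}'"))
    return findings


def is_well_spaced(query: str) -> bool:
    """True when every logic operator is separated from its neighbours by whitespace."""
    return not find_unspaced_operators(query)


# Sample from the issue (missing space after "or").
ISSUE_QUERY = '"Test-ServiceDaclPermission" or"Update-ExeFunctions"'

# Constructed samples: the corrected form, an operator glued to a paren,
# and a value that happens to spell an operator inside quotes (must not fire).
FIXED_QUERY = '"Test-ServiceDaclPermission" or "Update-ExeFunctions"'
PAREN_QUERY = 'not(process.name:"x") or host.name:"y"'
VALUE_QUERY = 'process.args:"or" and user.name:"and"'

if __name__ == "__main__":
    for q in (ISSUE_QUERY, FIXED_QUERY, PAREN_QUERY, VALUE_QUERY):
        print(repr(q))
        for f in find_unspaced_operators(q):
            print(f"  offset {f.offset}: {f.message}")
```

Running the script on the issue's query reports a single finding at offset 29, "no whitespace after 'or'"; the corrected query and the quoted-value query report nothing, and the parenthesis sample reports one finding for the glued `not`. A check like this only catches the spacing class of defect; it is a cheap guard to run before the full parser, not a replacement for it.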

Mikaayenson commented 1 month ago

@eric-forte-elastic can you link a PR if you created one for this already?