## Summary

When rules with MITRE ATT&CK information are exported from Kibana, the URLs for the reference links are missing a trailing `/`. For instance, Kibana returns `https://attack.mitre.org/tactics/TA0002` instead of the desired `https://attack.mitre.org/tactics/TA0002/`. As such, our current schema formatting for the URL validation fails on these rule exports, as it expects the trailing `/` to be present.

To address this issue, we may want to add support in detection-rules for URLs with or without the trailing `/`. Prior Kibana rule exports have historically included the `/`, and we would not want to lose support for rules exported under this previous format.

## To reproduce

Create a new rule in Kibana and add MITRE ATT&CK information (tactic, etc.). Then attempt to export the new rule using the `export-rules` command, e.g.

```
python -m detection_rules kibana --space customer export-rules -d custom_rules/rules -s -sv -r 6559f7d2-56d9-49b1-9426-76caf2f8ab04
```

This should result in a schema failure.

One possibility for accomplishing this is to modify the `BaseThreatEntry` class in `rule.py` to have a pre-load function that modifies the reference URL if needed:
```python
from dataclasses import dataclass

from marshmallow import pre_load


@dataclass(frozen=True)
class BaseThreatEntry:
    id: str
    name: str
    reference: str

    # Runs before the generated marshmallow schema validates the entry, so the
    # reference is normalised before the URL check sees it.
    @pre_load()
    def modify_url(self, data, **kwargs):
        """Add the trailing slash that newer Kibana exports omit."""
        if not data["reference"].endswith("/"):
            data["reference"] += "/"
        return data
```
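As an added stand-alone illustration (not code from the detection-rules project), the following shows a raw Kibana export failing a strict trailing-slash check and then loading once the proposed pre-load normalisation runs first; the `STRICT_REFERENCE` regex is an assumed stand-in for the repository's own URL validation, and the sample entries are constructed.

```python
import re
from dataclasses import dataclass

# Assumed stand-in for the schema's strict check: tactic (TA0002/), technique
# (T1059/) or sub-technique (T1059/001/), always with the trailing slash.
STRICT_REFERENCE = re.compile(
    r"^https://attack\.mitre\.org/(?:tactics/TA\d{4}|techniques/T\d{4}(?:/\d{3})?)/$"
)


@dataclass(frozen=True)
class ThreatEntry:
    id: str
    name: str
    reference: str


def normalize_reference(url: str) -> str:
    """Mirror the proposed pre_load hook: append the trailing slash if missing."""
    return url if url.endswith("/") else url + "/"


def is_valid_reference(url: str) -> bool:
    """The strict check that rejects current Kibana exports as they arrive."""
    return STRICT_REFERENCE.fullmatch(url) is not None


def load_threat_entry(data: dict) -> ThreatEntry:
    """Normalise first, then validate, in the same order as pre_load -> schema."""
    data = dict(data, reference=normalize_reference(data["reference"]))
    if not is_valid_reference(data["reference"]):
        raise ValueError(f"invalid ATT&CK reference: {data['reference']}")
    return ThreatEntry(**data)


# Constructed samples: what a current Kibana export yields (no trailing slash)
# and what an older export yielded (trailing slash present).
KIBANA_NEW = {"id": "TA0002", "name": "Execution",
              "reference": "https://attack.mitre.org/tactics/TA0002"}
KIBANA_OLD = {"id": "TA0002", "name": "Execution",
              "reference": "https://attack.mitre.org/tactics/TA0002/"}

if __name__ == "__main__":
    print(is_valid_reference(KIBANA_NEW["reference"]))  # False: the reported failure
    print(load_threat_entry(KIBANA_NEW).reference)       # normalised, now loads
    print(load_threat_entry(KIBANA_OLD).reference)       # unchanged, still loads
```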