elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[FR] Add support for Kibana Rule Type rule_default #3863

Closed eric-forte-elastic closed 2 months ago

eric-forte-elastic commented 3 months ago

Summary

When making a rule in Kibana, in certain cases, EQL type rules can now be considered of type rules_default instead of just EQL. We should add support for handling import/exporting this rule type.

Currently, when trying to import a rule of this type, a ValueError: Unknown rule type rule_default is thrown.

Output

```shell
detection-rules on 3674-frdac-add-exceptions-importing-from-ndjson [!?] is v0.1.0 via v3.12.4 (detection-rules-build) on eric.forte ❯ python -m detection_rules import-rules-to-repo ~/Downloads/rules_export_exception_list.ndjson -s custom_rules/rules --required-only
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json
(detection-rules ASCII-art banner omitted)
[+] Building rule for custom_rules/rules/test_exception_list.toml
[+] Building rule for custom_rules/rules/exceptions_for_rule_test_exception_list.toml
Traceback (most recent call last):
  File "", line 198, in _run_module_as_main
  File "", line 88, in _run_code
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/__main__.py", line 35, in
    main()
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/__main__.py", line 32, in main
    root(prog_name="detection_rules")
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/main.py", line 122, in import_rules_into_repo
    rule_prompt(rule_path, required_only=required_only, save=True, verbose=True,
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/cli_utils.py", line 122, in rule_prompt
    target_data_subclass = TOMLRuleContents.get_data_subclass(rule_type)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule.py", line 1113, in get_data_subclass
    raise ValueError(f"Unknown rule type {rule_type}")
ValueError: Unknown rule type rule_default
```

Example Rule ndjson

```ndjson
{"id":"77260f65-d17e-468b-8fe9-305048404e95","updated_at":"2024-07-01T17:50:10.160Z","updated_by":"3610252053","created_at":"2024-07-01T17:49:37.594Z","created_by":"3610252053","name":"Test Exception List","tags":[],"interval":"5h","enabled":true,"revision":1,"description":"Test Exception List","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://dev-deployment-2c684a.kb.us-central1.gcp.cloud.es.io:9243/app/security"},"author":["Elastic"],"false_positives":[],"from":"now-18060s","rule_id":"7c22a9d2-5910-4da2-92af-7ff7481bd0f7","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"222e1466-6dee-49ed-bb40-b7791891dc90","list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","type":"rule_default","namespace_type":"single"}],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"eql","language":"eql","index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"process where true","filters":[],"actions":[]}
{"_version":"WzQ3NTYzLDJd","created_at":"2024-07-01T17:50:08.726Z","created_by":"3610252053","description":"Exception list containing exceptions for rule with id: 77260f65-d17e-468b-8fe9-305048404e95","id":"222e1466-6dee-49ed-bb40-b7791891dc90","immutable":false,"list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","name":"Exceptions for rule - Test Exception List","namespace_type":"single","os_types":[],"tags":["default_rule_exception_list"],"tie_breaker_id":"dc3357a1-0f43-4476-b113-11d683dd5fe5","type":"rule_default","updated_at":"2024-07-01T17:50:08.727Z","updated_by":"3610252053","version":1}
{"_version":"WzQ3NTY1LDJd","comments":[],"created_at":"2024-07-01T19:35:20.071Z","created_by":"3610252053","description":"Exception list item","entries":[{"field":"Effective_process.pid","operator":"included","type":"match","value":"1"}],"id":"49f9966c-9fb4-4d8a-8bed-8e7bfcdafbc5","item_id":"970945dd-71d5-4128-89a8-7e8689326a19","list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","name":"Pid not One","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"db323af7-5564-4a42-8d8e-81f933c5cef1","type":"simple","updated_at":"2024-07-01T19:35:20.071Z","updated_by":"3610252053"}
{"_version":"WzQ3NTY0LDJd","comments":[],"created_at":"2024-07-01T17:50:11.181Z","created_by":"3610252053","description":"Exception list item","entries":[{"field":"process.name","operator":"included","type":"match","value":"FakeRoot"}],"id":"8d1c6de2-12bf-442d-9b52-00bc99bfcea2","item_id":"d6a0e21c-bf41-4758-a522-cca5df3a2332","list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","name":"FakeRoot","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"e1e84f62-b36f-4608-9778-1e4ca29539ae","type":"simple","updated_at":"2024-07-01T17:50:11.181Z","updated_by":"3610252053"}
{"exported_count":4,"exported_rules_count":1,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":1,"exported_exception_list_item_count":2,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0,"exported_action_connector_count":0,"missing_action_connection_count":0,"missing_action_connections":[],"excluded_action_connection_count":0,"excluded_action_connections":[]}
```
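The traceback above comes from reading the `type` field of every line in the export as if it were a rule type, when a Kibana export actually interleaves four kinds of record (the rule, its exception list, the list's items, and a trailing summary) and `rule_default` is the exception-list type, not a rule type. The following is an added example, not code from the elastic/detection-rules project, showing how an importer can tell those record kinds apart by the fields they carry, validate only rule records against the rule-type registry, re-attach exception items to the rule that references their `list_id`, and flag exception lists a rule references but the export does not contain. The rule-type and exception-list-type sets, the sample export, and all identifiers in it are constructed for this example.

```python
"""Classify and link the records of a Kibana detection-rule ndjson export."""
import json
from collections import defaultdict

# Rule types the detection engine exports (assumed set for this example; the
# project keeps its own registry of rule-data classes).
KNOWN_RULE_TYPES = {"query", "saved_query", "eql", "threshold",
                    "machine_learning", "threat_match", "new_terms", "esql"}

# Exception-list container types. "rule_default" is the per-rule list that the
# importer mistook for a rule type; "detection" and "endpoint" are shared lists.
EXCEPTION_LIST_TYPES = {"rule_default", "detection", "endpoint"}


def classify(record: dict) -> str:
    """Return the record kind: rule, exception_list, exception_item or summary.

    Dispatch is keyed on which fields are present; "type" is only interpreted
    once the record kind is known, so an exception list's type never reaches
    the rule-type check.
    """
    if "exported_count" in record:
        return "summary"
    if "rule_id" in record:
        rtype = record.get("type")
        if rtype not in KNOWN_RULE_TYPES:
            raise ValueError(f"Unknown rule type {rtype}")
        return "rule"
    if "list_id" in record and "entries" in record:
        return "exception_item"
    if "list_id" in record and record.get("type") in EXCEPTION_LIST_TYPES:
        return "exception_list"
    raise ValueError(f"Unrecognised export record with fields {sorted(record)}")


def load_export(ndjson_text: str) -> dict:
    """Parse an ndjson export into {kind: [records]}; blank lines are skipped."""
    groups = defaultdict(list)
    for line in ndjson_text.splitlines():
        if line.strip():
            record = json.loads(line)
            groups[classify(record)].append(record)
    return groups


def attach_exceptions(groups: dict) -> dict:
    """Map each rule_id to the exception items reachable through the rule's
    exceptions_list references (rule -> list_id -> items)."""
    items_by_list = defaultdict(list)
    for item in groups.get("exception_item", []):
        items_by_list[item["list_id"]].append(item)
    attached = {}
    for rule in groups.get("rule", []):
        attached[rule["rule_id"]] = [
            item
            for ref in rule.get("exceptions_list", [])
            for item in items_by_list.get(ref["list_id"], [])
        ]
    return attached


def missing_lists(groups: dict) -> list:
    """list_ids that rules reference but the export does not contain."""
    exported = {lst["list_id"] for lst in groups.get("exception_list", [])}
    referenced = {ref["list_id"] for rule in groups.get("rule", [])
                  for ref in rule.get("exceptions_list", [])}
    return sorted(referenced - exported)


# Constructed sample export mirroring the shape of a Kibana export: one EQL
# rule, its rule_default exception list, two items and the summary record.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"rule_id": "rule-0001", "name": "Test Exception List", "type": "eql",
                "language": "eql", "query": "process where true",
                "exceptions_list": [{"id": "list-uuid-1", "list_id": "list-0001",
                                     "type": "rule_default", "namespace_type": "single"}]}),
    json.dumps({"id": "list-uuid-1", "list_id": "list-0001", "type": "rule_default",
                "name": "Exceptions for rule - Test Exception List", "namespace_type": "single"}),
    json.dumps({"item_id": "item-0001", "list_id": "list-0001", "type": "simple",
                "name": "Pid not One", "entries": [{"field": "process.pid", "operator": "included",
                                                    "type": "match", "value": "1"}]}),
    json.dumps({"item_id": "item-0002", "list_id": "list-0001", "type": "simple",
                "name": "FakeRoot", "entries": [{"field": "process.name", "operator": "included",
                                                 "type": "match", "value": "FakeRoot"}]}),
    json.dumps({"exported_count": 4, "exported_rules_count": 1,
                "exported_exception_list_count": 1, "exported_exception_list_item_count": 2}),
])


if __name__ == "__main__":
    groups = load_export(SAMPLE_EXPORT)
    for kind, records in groups.items():
        print(f"{kind}: {len(records)}")
    for rule_id, items in attach_exceptions(groups).items():
        print(rule_id, "->", [i["name"] for i in items])
    print("missing lists:", missing_lists(groups))
```

Running the script classifies the five constructed records as one rule, one exception list, two items and one summary, attaches both items to `rule-0001`, and reports no missing lists; passing a rule record whose `type` is `rule_default` still raises the `Unknown rule type` error, because that check now applies only to records that really are rules.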

eric-forte-elastic commented 2 months ago

Rules Default is not a rule type; it is an exception type and now has support via https://github.com/elastic/detection-rules/pull/3889.