Closed eric-forte-elastic closed 2 months ago
These guidelines serve as a reminder set of considerations when addressing a bug in the code.
This is not needed; this check should apply to all rules, not just Elastic-authored rules. Erroneous comment.
Pull Request
Issue link(s): https://github.com/elastic/ia-trade-team/issues/345
Summary - What I changed
Minor potential bug in the Validates Data function: it is supposed to fire only against Elastic-authored rules, but currently fires against all rules regardless of author.
How To Test
Try exporting a rule from Kibana with `version` and `revision` set where the author is not Elastic. This should pass schema validation.
Example TOML Rule
```toml
[metadata]
creation_date = "2024/07/24"
maturity = "production"
updated_date = "2024/07/24"

[rule]
actions = []
author = ["sigma", "Some User"]
data_view_id = "any-hosts"
description = "Zdarzenie wykrycia dodania do wyjątków ścieżki, która może być potencjalnie nadużyta."
enabled = true
exceptions_list = []
false_positives = ["Testy penetracyjne"]
from = "now-540s"
interval = "5m"
language = "kuery"
license = ""
max_signals = 100
name = "H-DEFENSEEVASION-266 - Windows Defender Exclusions Added"
note = """Sprawdź nazwę stacji - host.name
Sprawdź jaki wyjątek został dodany - winlog.event_data.New Value
Sprawdź czy może być to związane z testami penetracyjnymi prowadzonymi w ramach SI.
"""
references = [
    "https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/windefend/win_defender_config_change_exclusion_added.yml",
]
related_integrations = []
required_fields = []
revision = 0
risk_score = 47
risk_score_mapping = []
rule_id = "c7249101-0ea3-4ded-8e65-0d46295eac54"
setup = "Wymaga logów z Microsoft-Windows-Windows Defender\n"
severity = "medium"
severity_mapping = []
tags = ["Windows", "Q2-24", "Windows Defender", "sigma"]
threat = []
to = "now"
type = "query"
version = 1
query = '''
event.code : 5007 and "winlog.event_data.New Value" : (*\\Users\\* or *\\AppData\\Local\\Temp\\* or *\\Desktop\\* or *\\PerfLogs\\* or *\\Windows\\Temp\\*)
'''

[[rule.filters]]
[rule.filters."$state"]
store = "appState"

[rule.filters.meta]
disabled = false
field = "event.provider"
index = "any-hosts"
key = "event.provider"
negate = false
type = "phrase"

[rule.filters.meta.params]
query = "Microsoft-Windows-Windows Defender"

[rule.filters.query.match_phrase]
"event.provider" = "Microsoft-Windows-Windows Defender"

[rule.investigation_fields]
field_names = ["event.code", "event.provider", "winlog.event_data.New Value", "host.name", "winlog.user.name"]

[rule.meta]
from = "4m"
kibana_siem_app_url = "https://mordor.szperacz.lynx.net/s/soc/app/security"
```