protectionsmachine
commented
1 month ago Enhancement - Guidelines
These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.
Documentation and Context
- [ ] Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
- [ ] Include additional context or screenshots.
- [ ] Ensure the enhancement includes necessary updates to the documentation and versioning.
Code Standards and Practices
- [ ] Code follows established design patterns within the repo and avoids duplication.
- [ ] Code changes do not introduce new warnings or errors.
- [ ] Variables and functions are well-named and descriptive.
- [ ] Any unnecessary / commented-out code is removed.
- [ ] Ensure that the code is modular and reusable where applicable.
- [ ] Check for proper exception handling and messaging.
Testing
- [ ] New unit tests have been added to cover the enhancement.
- [ ] Existing unit tests have been updated to reflect the changes.
- [ ] Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
- [ ] Validate that any rules affected by the enhancement are correctly updated.
- [ ] Ensure that performance is not negatively impacted by the changes.
- [ ] Verify that any release artifacts are properly generated and tested.
Additional Checks
- [ ] Ensure that the enhancement does not break existing functionality.
- [ ] Review the enhancement with a peer or team member for additional insights.
- [ ] Verify that the enhancement works across all relevant environments (e.g., different OS versions).
- [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
Pull Request
Issue link(s):
Summary - What I changed
This PR adds support for creating nested directories for the automatic schema generation schema file. Previously it would not created nested directories.
How To Test
To test this, first add the appropriate config variable. Also make sure that this variable used a nested directory that does not already exist. E.g.
auto_gen_schema_file: "etc/schemas/auto_gen.json"where schemas does not already exist. Also make sure yourstack-schema-map.yamldoes not already have any custom schemas supplied (or at least not any that have the fields in the test rule). Next, run view-rule on a rule that has fields that are not currently present in a schema. The rule should validate successfully and your schema file should be updated, and the directory should be created.Example:
python -m detection_rules view-rule custom_rules/rules/dac_demo_dev_rule_1.tomlDetails
```toml [metadata] creation_date = "2024/07/29" maturity = "production" updated_date = "2024/07/29" [rule] actions = [] author = ["DAC User"] description = "Test Rule" enabled = true exceptions_list = [] false_positives = [] from = "now-6m" index = ["the-best-integration-ever*"] interval = "5m" language = "eql" max_signals = 100 name = "DAC Demo Dev Rule 1" references = [] risk_score = 47 risk_score_mapping = [] rule_id = "794d2fc0-ecd0-4963-99da-fd587666b80d" setup = "Test Setup" severity = "medium" severity_mapping = [] tags = [] threat = [] to = "now" type = "eql" query = ''' process where host.os.type.fakeData == "linux" and process.name.okta.thread == "updated" ''' [[rule.related_integrations]] package = "endpoint" version = "^8.2.0" [[rule.required_fields]] ecs = true name = "host.os.type" type = "keyword" [[rule.required_fields]] ecs = true name = "process.name" type = "keyword" ```
Checklist
bug,enhancement,schema,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist