Closed shashank-elastic closed 1 month ago
These guidelines serve as a reminder of the considerations to address when adding a new schema feature to the code.
make test-cli
make test-remote-cli
Left a few questions. Did we attempt to refresh MITRE ATT&CK mapping?
We don't have any newer versions for MITRE - https://attack.mitre.org/resources/versions/
Debugging the unit test failures
Error in both stack and integrations checks: {'stack': KqlParseError('Error at line:1,column:1\nUnknown field\nml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\nstack: 8.16.0, beats: 8.15.0, ecs: 8.11.0'), 'integrations': KqlParseError("Error at line:1,column:1\nUnknown field\nml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n\tTry adding event.module or event.dataset to specify integration module\n\tWill check against integrations ['dga', 'endpoint', 'network_traffic'] combined.\n\tpackage='network_traffic', integration=None, integration_schema_data['package_version']='1.31.0', integration_schema_data['stack_version']='8.10.0', integration_schema_data['ecs_version']='8.10.0'")}
Rule in Question : https://github.com/elastic/detection-rules/blob/main/rules/integrations/dga/command_and_control_ml_dga_activity_using_sunburst_domain.toml
Query
ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com
When we load the schemas, these fields are present:
```python
>>> from detection_rules.integrations import load_integrations_manifests, load_integrations_schemas
>>> schemas = load_integrations_schemas()
>>> 'dns.question.registered_domain' in schemas['network_traffic']['1.9.3']['dns'].keys()
True
>>> schemas['dga']['2.0.2']
{'dga-2.0.2': {'data_stream.type': 'constant_keyword', 'data_stream.dataset': 'constant_keyword', 'data_stream.namespace': 'constant_keyword', '@timestamp': 'date', 'ml_is_dga.malicious_prediction': 'long', 'ml_is_dga.malicious_probability': 'float'}, 'jobs': ['dga_high_sum_probability']}
>>>
```
DAC has touched rule_validators, so the initial suspect would be to debug from there.
cc @eric-forte-elastic
Interestingly, we have a new DGA version 2.0.3, and the fields have massively changed for 2.0.3:
```json
{
  "1.0.0": {
    "jobs": ["dga_high_sum_probability"]
  },
  "1.0.1": {
    "jobs": ["dga_high_sum_probability"]
  },
  "1.1.0": {
    "jobs": ["dga_high_sum_probability"]
  },
  "2.0.0": {
    "dga-2.0.0": {
      "data_stream.type": "constant_keyword",
      "data_stream.dataset": "constant_keyword",
      "data_stream.namespace": "constant_keyword",
      "@timestamp": "date",
      "ml_is_dga.malicious_prediction": "long",
      "ml_is_dga.malicious_probability": "float"
    },
    "jobs": ["dga_high_sum_probability"]
  },
  "2.0.1": {
    "dga-2.0.1": {
      "data_stream.type": "constant_keyword",
      "data_stream.dataset": "constant_keyword",
      "data_stream.namespace": "constant_keyword",
      "@timestamp": "date",
      "ml_is_dga.malicious_prediction": "long",
      "ml_is_dga.malicious_probability": "float"
    },
    "jobs": ["dga_high_sum_probability"]
  },
  "2.0.2": {
    "dga-2.0.2": {
      "data_stream.type": "constant_keyword",
      "data_stream.dataset": "constant_keyword",
      "data_stream.namespace": "constant_keyword",
      "@timestamp": "date",
      "ml_is_dga.malicious_prediction": "long",
      "ml_is_dga.malicious_probability": "float"
    },
    "jobs": ["dga_high_sum_probability"]
  },
  "2.0.3": {
    "jobs": ["dga_high_sum_probability"]
  }
}
```
The issue is changes upstream. Refer to https://github.com/elastic/integrations/pull/10476
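As an added illustration, not code from the detection-rules project: a small offline check that reproduces the diagnosis above, walking a constructed subset of the integration-schemas dump to report which dga package versions lack a field the rule's query references. `DGA_SCHEMAS`, the helper names and the simplified KQL field regex are assumptions made for this example.

```python
import re
from typing import Optional

# Constructed subset mirroring the integration-schemas dump quoted above
# (hypothetical sample data, not the real integration-schemas.json.gz).
DGA_SCHEMAS = {
    "1.1.0": {"jobs": ["dga_high_sum_probability"]},
    "2.0.2": {
        "dga-2.0.2": {
            "data_stream.dataset": "constant_keyword",
            "@timestamp": "date",
            "ml_is_dga.malicious_prediction": "long",
            "ml_is_dga.malicious_probability": "float",
        },
        "jobs": ["dga_high_sum_probability"],
    },
    "2.0.3": {"jobs": ["dga_high_sum_probability"]},  # field mapping gone upstream
}

SUNBURST_QUERY = "ml_is_dga.malicious_prediction:1 and dns.question.registered_domain:avsvmcloud.com"

# A KQL field name is the token directly before ':' (simplified grammar that
# covers flat "field:value and field:value" queries like the one above).
FIELD_RE = re.compile(r"(?<![\w.])([A-Za-z_][\w.]*)\s*:")


def query_fields(query: str) -> set:
    return set(FIELD_RE.findall(query))


def version_fields(version_schema: dict) -> set:
    """All field names across the data-stream mappings of one package version.
    'jobs' lists ML job ids rather than fields, so it is skipped."""
    fields = set()
    for key, value in version_schema.items():
        if key != "jobs" and isinstance(value, dict):
            fields.update(value)
    return fields


def missing_fields_by_version(package_schemas: dict, query: str, prefix: str) -> dict:
    """Per package version, the query fields (filtered to this package's
    prefix, e.g. 'ml_is_dga.') that the version's schema does not define."""
    wanted = {f for f in query_fields(query) if f.startswith(prefix)}
    return {v: wanted - version_fields(s) for v, s in package_schemas.items()}


def newest_version_with_all_fields(missing: dict) -> Optional[str]:
    """Highest dotted version whose schema satisfies the query, if any."""
    ok = [v for v, m in missing.items() if not m]
    return max(ok, key=lambda v: tuple(int(p) for p in v.split("."))) if ok else None
```

Running `missing_fields_by_version(DGA_SCHEMAS, SUNBURST_QUERY, "ml_is_dga.")` flags 2.0.3 (and 1.1.0) as missing `ml_is_dga.malicious_prediction`, which is exactly why the combined-integration check above could not resolve the field.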
Pull Request
Issue link(s): Monthly Refresh as part of Release https://github.com/elastic/ia-trade-team/issues/430
Summary - What I changed
```text
loading rules to determine all integration tags
loaded sentinel_one_cloud_funnel manifests from the following package versions: ['1.3.0', '1.2.1', '1.2.0', '1.1.0', '1.0.0', '0.14.2', '0.14.1', '0.14.0', '0.13.0', '0.12.0', '0.11.0', '0.10.1', '0.10.0', '0.9.0', '0.7.1', '0.7.0', '0.6.0', '0.5.0', '0.4.0', '0.3.0', '0.2.0', '0.1.0']
final integrations manifests dumped: /Users/shashankks/elastic_workspace/detection-rules/detection_rules/etc/integration-manifests.json.gz
(.venv) detection-rules on refresh_schema [$!?] is 📦 v0.1.0 via 🐍 v3.12.5 (.venv) on ☁️ shashank.suryanarayana@elastic.co ❯ python -m detection_rules dev integrations build-schemas -o -i sentinel_one_cloud_funnel
Building integration schemas...
processing sentinel_one_cloud_funnel
final integrations manifests dumped: /Users/shashankks/elastic_workspace/detection-rules/detection_rules/etc/integration-schemas.json.gz
```