Open amsiglan opened 7 months ago
The error comes from a frontend validation here: https://github.com/opensearch-project/security-analytics-dashboards-plugin/blob/main/public/pages/Rules/components/RuleEditor/RuleEditorForm.tsx#L80-L92
I removed this validation and tested the following:
- cve.exfiltration

All of these worked with no errors on the backend.
@sbcd90 do you have any context on why the frontend validation would have been added? I don't see any context in the PR that introduced it: https://github.com/opensearch-project/security-analytics-dashboards-plugin/pull/622
I would like to shine more light on this issue. This is a decent issue when porting SIGMA rules from other sources, as they do not follow this seemingly arbitrary restriction.
I currently automate our loading of SIGMA rules from a repo into OS via the API, and having to scrub tag names and add `attack.` to the start of them is not ideal, and is misleading for a lot of tags. For example, if we tag a rule `winlogbeat` because it works on that dataset, the tag will have to be `attack.winlogbeat`, which does not make sense for a rule looking for sysmon configuration changes.
I will also note that the preloaded rules in OS do not follow this restriction.
Example:

```yaml
title: UAC Bypass via Sdclt
id: 5b872a46-3b90-45c1-8419-f675db8053aa
status: experimental
description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53)
references:
```
This is a preloaded rule in OS and one of the tags does not follow the restriction placed on users.
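As an added example for the discussion above (not code from the security-analytics or security-analytics-dashboards-plugin projects), the TypeScript below contrasts the check described in this thread, where every tag must begin with `attack.`, with a check that follows Sigma's own tag conventions, so rules ported from other Sigma repositories keep their tags as-is. The namespace list and the tag-shape pattern are assumptions drawn from the Sigma tag appendix rather than from the plugin, and the sample tags are constructed for the example.

```typescript
// Added example for this thread; not code from the OpenSearch security-analytics
// projects. Contrasts the restrictive tag check reported in the issue with a
// Sigma-style check, and shows what the "prefix everything" workaround does.

// Namespaces assumed from the Sigma tag appendix (assumption; the plugin's own
// list, if it has one, is not shown in the thread).
const SIGMA_NAMESPACES: ReadonlySet<string> = new Set([
  'attack', 'car', 'cve', 'detection', 'tlp',
]);

// Assumed general tag shape: lowercase dotted tokens such as "attack.t1548.002".
const TAG_SHAPE = /^[a-z0-9][a-z0-9_-]*(\.[a-z0-9][a-z0-9_-]*)*$/;

interface TagCheck {
  accepted: string[];
  rejected: string[];
}

// Policy 1: the behaviour reported in the issue, every tag must start with "attack.".
function requiresAttackPrefix(tag: string): boolean {
  return tag.startsWith('attack.') && TAG_SHAPE.test(tag);
}

// Policy 2: Sigma-style. A known namespace must carry a value after the dot
// ("cve" alone is rejected); any other well-formed token is a free-form custom
// tag, so "winlogbeat" is accepted unchanged.
function isSigmaStyleTag(tag: string): boolean {
  if (!TAG_SHAPE.test(tag)) return false;
  const [ns, ...rest] = tag.split('.');
  if (SIGMA_NAMESPACES.has(ns)) return rest.length > 0;
  return true;
}

// Run a policy over a rule's tag list and report both sides.
function checkTags(tags: string[], policy: (t: string) => boolean): TagCheck {
  const result: TagCheck = { accepted: [], rejected: [] };
  for (const t of tags) (policy(t) ? result.accepted : result.rejected).push(t);
  return result;
}

// The workaround described in the thread: force the prefix onto every tag.
// Included only to make its drawback concrete: "winlogbeat" becomes
// "attack.winlogbeat", which says nothing about ATT&CK.
function forceAttackPrefix(tag: string): string {
  return tag.startsWith('attack.') ? tag : `attack.${tag}`;
}

// Constructed sample tags, resembling what a ported Sigma rule carries plus one
// malformed tag to show that both policies still reject bad input.
const SAMPLE_TAGS = [
  'attack.t1548.002',
  'attack.privilege_escalation',
  'cve.2021.44228',
  'winlogbeat',
  'Attack.Bad Tag',
];

const strict = checkTags(SAMPLE_TAGS, requiresAttackPrefix);
const relaxed = checkTags(SAMPLE_TAGS, isSigmaStyleTag);

console.log('strict rejects:', strict.rejected);        // cve.2021.44228, winlogbeat, Attack.Bad Tag
console.log('sigma-style rejects:', relaxed.rejected);  // Attack.Bad Tag
console.log('workaround output:', SAMPLE_TAGS.map(forceAttackPrefix));
```

The Sigma-style check keeps the part of the restriction that is actually useful (a namespaced tag such as `cve.` or `attack.` must carry a value, and tags must be lowercase dotted tokens) while dropping the requirement that every tag belong to the `attack` namespace.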
Any update on this issue?
Wondering if a fix might be coming for this in 2.15? Thanks
What is the bug?
When creating a detection rule, an exception is thrown by the create/update rule API if a tag does not start with `attack`.

How can one reproduce the bug?
Steps to reproduce the behavior:
Detection rules page

What is the expected behavior?
Rule gets created, but instead it shows an error that the tag must start with `attack`.

What is your host/environment?

Do you have any screenshots?
![image](https://github.com/opensearch-project/security-analytics/assets/114732919/1a85e94b-e7f4-4399-a87d-2bd447690711)

Do you have any additional context?
N/A