Merge branch 'elastic:DAC-feature' into DAC-feature

eric-forte-elastic · Jul 3, 2024 · 6131231 · 6131231
2 parents 6220961 + f1fb010
commit 6131231
Show file tree

Hide file tree

Showing 272 changed files with 8,814 additions and 2,937 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,15 +1,14 @@
 # detection-rules code owners
 # POC: Elastic Security Intelligence and Analytics Team
 
-tests/**/*.py     @brokensound77 @mikaayenson @eric-forte-elastic
-detection_rules/  @brokensound77 @mikaayenson @eric-forte-elastic
-tests/            @brokensound77 @mikaayenson @eric-forte-elastic
-lib/              @brokensound77 @mikaayenson @eric-forte-elastic
-rta/              @brokensound77 @mikaayenson @eric-forte-elastic
+tests/**/*.py     @mikaayenson @eric-forte-elastic @terrancedejesus 
+detection_rules/  @mikaayenson @eric-forte-elastic @terrancedejesus 
+tests/            @mikaayenson @eric-forte-elastic @terrancedejesus 
+lib/              @mikaayenson @eric-forte-elastic @terrancedejesus 
+rta/              @mikaayenson @eric-forte-elastic @terrancedejesus 
 
 # skip rta-mapping to avoid the spam
-detection_rules/etc/packages.yaml  @brokensound77 @mikaayenson @eric-forte-elastic
-detection_rules/etc/*.json        @brokensound77 @mikaayenson @eric-forte-elastic
-detection_rules/etc/*.json        @brokensound77 @mikaayenson @eric-forte-elastic
-detection_rules/etc/*/*           @brokensound77 @mikaayenson @eric-forte-elastic
-
+detection_rules/etc/packages.yaml @mikaayenson @eric-forte-elastic @terrancedejesus 
+detection_rules/etc/*.json        @mikaayenson @eric-forte-elastic @terrancedejesus 
+detection_rules/etc/*.json        @mikaayenson @eric-forte-elastic @terrancedejesus 
+detection_rules/etc/*/*           @mikaayenson @eric-forte-elastic @terrancedejesus 
diff --git a/detection_rules/devtools.py b/detection_rules/devtools.py
@@ -122,15 +122,15 @@ def build_release(ctx: click.Context, config_file, update_version_lock: bool, ge
                                                            registry_data['conditions']['kibana.version'].strip("^"))
     sde = SecurityDetectionEngine()
     historical_rules = sde.load_integration_assets(previous_pkg_version)
-    historical_rules = sde.transform_legacy_assets(historical_rules)
-    package.add_historical_rules(historical_rules, registry_data['version'])
+    limited_historical_rules = sde.keep_latest_versions(historical_rules)
+    package.add_historical_rules(limited_historical_rules, registry_data['version'])
     click.echo(f'[+] Adding historical rules from {previous_pkg_version} package')
 
     # NOTE: stopgap solution until security doc migration
     if generate_docs:
         click.echo(f'[+] Generating security docs for {registry_data["version"]} package')
         docs = IntegrationSecurityDocsMDX(registry_data['version'], Path(f'releases/{config["name"]}-docs'),
-                                          True, historical_rules, package, note=update_message)
+                                          True, limited_historical_rules, package, note=update_message)
         docs.generate()
 
     if verbose:

diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
@@ -148,5 +148,12 @@
   "logs-aws.cloudtrail-*": {
     "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword",
     "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword"
+  },
+  "logs-azure.signinlogs-*": {
+    "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword"
+  },
+  "logs-azure.activitylogs-*": {
+    "azure.activitylogs.properties.authentication_protocol": "keyword",
+    "azure.activitylogs.properties.appId": "keyword"
   }
 }