Add min_stack_comments to metadata schema (elastic#1573)

* Add min_stack_comments to metadata schema

detection_rules/rule.py

@@ -40,6 +40,7 @@ class RuleMeta(MarshmallowDataclassMixin):
     integration: Optional[str]
     maturity: Optional[definitions.Maturity]
     min_stack_version: Optional[definitions.SemVer]
+    min_stack_comments: Optional[str]
     os_type_list: Optional[List[definitions.OSType]]
     query_schema_validation: Optional[bool]
     related_endpoint_rules: Optional[List[str]]

rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml

@@ -2,6 +2,7 @@
 creation_date = "2021/07/14"
 maturity = "production"
 updated_date = "2021/07/14"
+min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
 min_stack_version = "7.14.0"
 
 [rule]

rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml

@@ -2,6 +2,7 @@
 creation_date = "2021/07/14"
 maturity = "production"
 updated_date = "2021/07/14"
+min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
 min_stack_version = "7.14.0"
 
 [rule]

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml

@@ -3,6 +3,7 @@ creation_date = "2021/06/23"
 maturity = "production"
 updated_date = "2021/07/20"
 integration = "cyberarkpas"
+min_stack_comments = "The integration was not introduced until 7.14"
 min_stack_version = "7.14.0"
 
 [rule]

rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml

@@ -3,6 +3,7 @@ creation_date = "2021/06/23"
 maturity = "production"
 updated_date = "2021/07/20"
 integration = "cyberarkpas"
+min_stack_comments = "The integration was not introduced until 7.14"
 min_stack_version = '7.14.0'
 
 [rule]

rules/linux/defense_evasion_hidden_file_dir_tmp.toml

@@ -2,6 +2,7 @@
 creation_date = "2020/04/29"
 maturity = "production"
 updated_date = "2021/03/03"
+min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
 
 [rule]

rules/ml/ml_auth_rare_hour_for_a_user_to_logon.toml

@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/06/10"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]

rules/ml/ml_auth_rare_source_ip_for_a_user.toml

@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/06/10"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]

rules/ml/ml_auth_rare_user_logon.toml

@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/06/10"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]

rules/ml/ml_auth_spike_in_failed_logon_events.toml

@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/06/10"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]

rules/ml/ml_auth_spike_in_logon_events.toml

@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/06/10"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]

rules/ml/ml_auth_spike_in_logon_events_from_a_source_ip.toml

@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/09/14"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]

rules/windows/credential_access_cmdline_dump_tool.toml

@@ -2,6 +2,7 @@
 creation_date = "2020/11/24"
 maturity = "production"
 updated_date = "2021/07/20"
+min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
 
 [rule]

rules/windows/defense_evasion_file_creation_mult_extension.toml

@@ -2,6 +2,7 @@
 creation_date = "2021/01/19"
 maturity = "production"
 updated_date = "2021/09/23"
+min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
 
 [rule]

rules/windows/execution_suspicious_powershell_imgload.toml

@@ -2,6 +2,7 @@
 creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2021/07/20"
+min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
 
 [rule]

rules/windows/persistence_evasion_registry_ifeo_injection.toml

@@ -2,6 +2,7 @@
 creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2021/07/20"
+min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
 
 [rule]

tests/test_all_rules.py

@@ -422,6 +422,19 @@ def test_deprecated_rules(self):
             rule_str = f'{rule_id} - {entry["rule_name"]} ->'
             self.assertIn(rule_id, deprecated_rules, f'{rule_str} is logged in "deprecated_rules.json" but is missing')
 
+    def test_all_min_stack_rules_have_comment(self):
+        failures = []
+
+        for rule in self.all_rules:
+            if rule.contents.metadata.min_stack_version and not rule.contents.metadata.min_stack_comments:
+                failures.append(f'{self.rule_str(rule)} missing `metadata.min_stack_comments`. min_stack_version: '
+                                f'{rule.contents.metadata.min_stack_version}')
+
+        if failures:
+            err_msg = '\n'.join(failures)
+            self.fail(f'The following ({len(failures)}) rules have a `min_stack_version` defined but missing comments:'
+                      f'\n{err_msg}')
+
 
 class TestRuleTiming(BaseRuleTest):
     """Test rule timing and timestamps."""