From 5bdf70e72c6cd4547624c521108189af994af449 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Tue, 19 Oct 2021 20:52:53 -0800
Subject: [PATCH] Add min_stack_comments to metadata schema (#1573)

* Add min_stack_comments to metadata schema
---
 detection_rules/rule.py | 1 +
 ...efense_evasion_agent_spoofing_mismatched_id.toml | 1 +
 ...fense_evasion_agent_spoofing_multiple_hosts.toml | 1 +
 ...ion_cyberarkpas_error_audit_event_promotion.toml | 1 +
 ...pas_recommended_events_to_monitor_promotion.toml | 1 +
 .../linux/defense_evasion_hidden_file_dir_tmp.toml | 1 +
 rules/ml/ml_auth_rare_hour_for_a_user_to_logon.toml | 1 +
 rules/ml/ml_auth_rare_source_ip_for_a_user.toml | 1 +
 rules/ml/ml_auth_rare_user_logon.toml | 1 +
 rules/ml/ml_auth_spike_in_failed_logon_events.toml | 1 +
 rules/ml/ml_auth_spike_in_logon_events.toml | 1 +
 ...auth_spike_in_logon_events_from_a_source_ip.toml | 1 +
 .../credential_access_cmdline_dump_tool.toml | 1 +
 ...efense_evasion_file_creation_mult_extension.toml | 1 +
 .../execution_suspicious_powershell_imgload.toml | 1 +
 ...persistence_evasion_registry_ifeo_injection.toml | 1 +
 tests/test_all_rules.py | 13 +++++++++++++
 17 files changed, 29 insertions(+)

diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 0670d0b89b6..51c053ad214 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -40,6 +40,7 @@ class RuleMeta(MarshmallowDataclassMixin):
     integration: Optional[str]
     maturity: Optional[definitions.Maturity]
     min_stack_version: Optional[definitions.SemVer]
+    min_stack_comments: Optional[str]
     os_type_list: Optional[List[definitions.OSType]]
     query_schema_validation: Optional[bool]
     related_endpoint_rules: Optional[List[str]]
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index 484819cbf38..78411e447df 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
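Review bot: The new `min_stack_comments` field carries no explanation of what it is for or how it relates to `min_stack_version` on the line above, so a reader of RuleMeta has to find the test added in tests/test_all_rules.py to learn that one is expected whenever the other is set. A trailing comment would make that contract visible at the declaration, e.g. `min_stack_comments: Optional[str]  # why min_stack_version is pinned; expected whenever min_stack_version is set`. Note also that `Optional[str]` accepts an empty or whitespace-only string, so the schema alone does not guarantee a meaningful explanation; if MarshmallowDataclassMixin supports a schema-level validator, the pairing could be enforced at load time rather than only in the test suite. The RuleMeta class begins before this hunk.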
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -2,6 +2,7 @@
 creation_date = "2021/07/14"
 maturity = "production"
 updated_date = "2021/07/14"
+min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
 min_stack_version = "7.14.0"
 
 [rule]
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index 5caecf3a49b..a66ceee8263 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -2,6 +2,7 @@
 creation_date = "2021/07/14"
 maturity = "production"
 updated_date = "2021/07/14"
+min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
 min_stack_version = "7.14.0"
 
 [rule]
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
index 8f9409a5442..019430820a4 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
@@ -3,6 +3,7 @@ creation_date = "2021/06/23"
 maturity = "production"
 updated_date = "2021/07/20"
 integration = "cyberarkpas"
+min_stack_comments = "The integration was not introduced until 7.14"
 min_stack_version = "7.14.0"
 
 [rule]
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
index d9285d9b1d5..f8bfe2945ef 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
@@ -3,6 +3,7 @@ creation_date = "2021/06/23"
 maturity = "production"
 updated_date = "2021/07/20"
 integration = "cyberarkpas"
+min_stack_comments = "The integration was not introduced until 7.14"
 min_stack_version = '7.14.0'
 
 [rule]
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index 631dc5ddb47..f44f5e41e9a 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -2,6 +2,7 @@
 creation_date = "2020/04/29"
 maturity = "production"
 updated_date = "2021/03/03"
+min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
 
 [rule]
diff --git a/rules/ml/ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/ml_auth_rare_hour_for_a_user_to_logon.toml
index dddd7aa051b..1e152405978 100644
--- a/rules/ml/ml_auth_rare_hour_for_a_user_to_logon.toml
+++ b/rules/ml/ml_auth_rare_hour_for_a_user_to_logon.toml
@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/06/10"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]
diff --git a/rules/ml/ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/ml_auth_rare_source_ip_for_a_user.toml
index 04dabb0ef7c..400624fe877 100644
--- a/rules/ml/ml_auth_rare_source_ip_for_a_user.toml
+++ b/rules/ml/ml_auth_rare_source_ip_for_a_user.toml
@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/06/10"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]
diff --git a/rules/ml/ml_auth_rare_user_logon.toml b/rules/ml/ml_auth_rare_user_logon.toml
index 2f5721b52f5..83c808e9c4c 100644
--- a/rules/ml/ml_auth_rare_user_logon.toml
+++ b/rules/ml/ml_auth_rare_user_logon.toml
@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/06/10"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]
diff --git a/rules/ml/ml_auth_spike_in_failed_logon_events.toml b/rules/ml/ml_auth_spike_in_failed_logon_events.toml
index cdd3fb0ee8b..13f2081a130 100644
--- a/rules/ml/ml_auth_spike_in_failed_logon_events.toml
+++ b/rules/ml/ml_auth_spike_in_failed_logon_events.toml
@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/06/10"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]
diff --git a/rules/ml/ml_auth_spike_in_logon_events.toml b/rules/ml/ml_auth_spike_in_logon_events.toml
index 6493aa2b7e8..62b611e9906 100644
--- a/rules/ml/ml_auth_spike_in_logon_events.toml
+++ b/rules/ml/ml_auth_spike_in_logon_events.toml
@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/06/10"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]
diff --git a/rules/ml/ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/ml_auth_spike_in_logon_events_from_a_source_ip.toml
index fe173f762de..4f668f57414 100644
--- a/rules/ml/ml_auth_spike_in_logon_events_from_a_source_ip.toml
+++ b/rules/ml/ml_auth_spike_in_logon_events_from_a_source_ip.toml
@@ -2,6 +2,7 @@
 creation_date = "2021/06/10"
 maturity = "production"
 updated_date = "2021/09/14"
+min_stack_comments = "ML job introduced in 7.14"
 min_stack_version = "7.14.0"
 
 [rule]
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 00470193410..3141f7a5acb 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -2,6 +2,7 @@
 creation_date = "2020/11/24"
 maturity = "production"
 updated_date = "2021/07/20"
+min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
 
 [rule]
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index ad2f8e8e1e9..b0759c49ae4 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -2,6 +2,7 @@
 creation_date = "2021/01/19"
 maturity = "production"
 updated_date = "2021/09/23"
+min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
 
 [rule]
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index dc751a67688..91ed2d2f486 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -2,6 +2,7 @@
 creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2021/07/20"
+min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
 
 [rule]
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 5b087f69298..5eb2b79d821 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -2,6 +2,7 @@
 creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2021/07/20"
+min_stack_comments = "EQL regex syntax introduced in 7.12"
 min_stack_version = "7.12.0"
 
 [rule]
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index f92976a9af2..96701ef7269 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -422,6 +422,19 @@ def test_deprecated_rules(self):
             rule_str = f'{rule_id} - {entry["rule_name"]} ->'
             self.assertIn(rule_id, deprecated_rules, f'{rule_str} is logged in "deprecated_rules.json" but is missing')
 
+    def test_all_min_stack_rules_have_comment(self):
+        failures = []
+
+        for rule in self.all_rules:
+            if rule.contents.metadata.min_stack_version and not rule.contents.metadata.min_stack_comments:
+                failures.append(f'{self.rule_str(rule)} missing `metadata.min_stack_comments`. min_stack_version: '
+                                f'{rule.contents.metadata.min_stack_version}')
+
+        if failures:
+            err_msg = '\n'.join(failures)
+            self.fail(f'The following ({len(failures)}) rules have a `min_stack_version` defined but missing comments:'
+                      f'\n{err_msg}')
+
 
 class TestRuleTiming(BaseRuleTest):
     """Test rule timing and timestamps."""
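Review bot: The condition in `test_all_min_stack_rules_have_comment` treats any non-empty string as a comment, so a rule whose `min_stack_comments` is a single space or similar placeholder passes even though it explains nothing; comparing the stripped value closes that gap. Binding the metadata once also removes the three repeated `rule.contents.metadata` lookups in the loop: `meta = rule.contents.metadata` followed by `if meta.min_stack_version and not (meta.min_stack_comments or '').strip():`, with the two f-string lines reading from `meta` as well. A one-line docstring such as `"""Every rule that pins min_stack_version must explain why in metadata.min_stack_comments."""` would match the other tests in this file. `self.all_rules` and `self.rule_str` are presumably provided by BaseRuleTest, which is outside this hunk.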