[FR] Add support for Kibana Rule Type rule_default #3863

Closed
eric-forte-elastic opened this issue Jul 3, 2024 · 1 comment
Labels
backlog enhancement New feature or request python Internal python for the repository

Comments

@eric-forte-elastic
Contributor

Summary

When making a rule in Kibana, in certain cases, EQL-type rules can now be considered of type rules_default instead of just EQL. We should add support for handling importing/exporting this rule type.

Currently, when trying to import a rule of this type, a ValueError: Unknown rule type rule_default is thrown.

Output

detection-rules on  3674-frdac-add-exceptions-importing-from-ndjson [!?] is  v0.1.0 via  v3.12.4 (detection-rules-build) on  eric.forte 
❯ python -m detection_rules import-rules-to-repo ~/Downloads/rules_export_exception_list.ndjson -s custom_rules/rules --required-only
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

[+] Building rule for custom_rules/rules/test_exception_list.toml
[+] Building rule for custom_rules/rules/exceptions_for_rule_test_exception_list.toml
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/__main__.py", line 35, in <module>
    main()
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/__main__.py", line 32, in main
    root(prog_name="detection_rules")
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/main.py", line 122, in import_rules_into_repo
    rule_prompt(rule_path, required_only=required_only, save=True, verbose=True,
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/cli_utils.py", line 122, in rule_prompt
    target_data_subclass = TOMLRuleContents.get_data_subclass(rule_type)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/forteea1/Code/clean_mains/detection-rules/detection_rules/rule.py", line 1113, in get_data_subclass
    raise ValueError(f"Unknown rule type {rule_type}")
ValueError: Unknown rule type rule_default

Example Rule ndjson

{"id":"77260f65-d17e-468b-8fe9-305048404e95","updated_at":"2024-07-01T17:50:10.160Z","updated_by":"3610252053","created_at":"2024-07-01T17:49:37.594Z","created_by":"3610252053","name":"Test Exception List","tags":[],"interval":"5h","enabled":true,"revision":1,"description":"Test Exception List","risk_score":21,"severity":"low","license":"","output_index":"","meta":{"from":"1m","kibana_siem_app_url":"https://dev-deployment-2c684a.kb.us-central1.gcp.cloud.es.io:9243/app/security"},"author":["Elastic"],"false_positives":[],"from":"now-18060s","rule_id":"7c22a9d2-5910-4da2-92af-7ff7481bd0f7","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"222e1466-6dee-49ed-bb40-b7791891dc90","list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","type":"rule_default","namespace_type":"single"}],"immutable":false,"related_integrations":[],"required_fields":[],"setup":"","type":"eql","language":"eql","index":["apm-*-transaction*","auditbeat-*","endgame-*","filebeat-*","logs-*","packetbeat-*","traces-apm*","winlogbeat-*","-*elastic-cloud-logs-*"],"query":"process where true","filters":[],"actions":[]}
{"_version":"WzQ3NTYzLDJd","created_at":"2024-07-01T17:50:08.726Z","created_by":"3610252053","description":"Exception list containing exceptions for rule with id: 77260f65-d17e-468b-8fe9-305048404e95","id":"222e1466-6dee-49ed-bb40-b7791891dc90","immutable":false,"list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","name":"Exceptions for rule - Test Exception List","namespace_type":"single","os_types":[],"tags":["default_rule_exception_list"],"tie_breaker_id":"dc3357a1-0f43-4476-b113-11d683dd5fe5","type":"rule_default","updated_at":"2024-07-01T17:50:08.727Z","updated_by":"3610252053","version":1}
{"_version":"WzQ3NTY1LDJd","comments":[],"created_at":"2024-07-01T19:35:20.071Z","created_by":"3610252053","description":"Exception list item","entries":[{"field":"Effective_process.pid","operator":"included","type":"match","value":"1"}],"id":"49f9966c-9fb4-4d8a-8bed-8e7bfcdafbc5","item_id":"970945dd-71d5-4128-89a8-7e8689326a19","list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","name":"Pid not One","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"db323af7-5564-4a42-8d8e-81f933c5cef1","type":"simple","updated_at":"2024-07-01T19:35:20.071Z","updated_by":"3610252053"}
{"_version":"WzQ3NTY0LDJd","comments":[],"created_at":"2024-07-01T17:50:11.181Z","created_by":"3610252053","description":"Exception list item","entries":[{"field":"process.name","operator":"included","type":"match","value":"FakeRoot"}],"id":"8d1c6de2-12bf-442d-9b52-00bc99bfcea2","item_id":"d6a0e21c-bf41-4758-a522-cca5df3a2332","list_id":"ad78032a-6730-44c1-8ec3-129ff1dc2ad9","name":"FakeRoot","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"e1e84f62-b36f-4608-9778-1e4ca29539ae","type":"simple","updated_at":"2024-07-01T17:50:11.181Z","updated_by":"3610252053"}
{"exported_count":4,"exported_rules_count":1,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":1,"exported_exception_list_item_count":2,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0,"exported_action_connector_count":0,"missing_action_connection_count":0,"missing_action_connections":[],"excluded_action_connection_count":0,"excluded_action_connections":[]}

@eric-forte-elastic
Contributor Author

Rules Default is not a rule type; it is an exception type and now has support via #3889.
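The distinction above (the rule record carries the real rule type, `eql`, while `rule_default` only appears as the `type` of exception-list containers) is what an importer has to respect. The following is an added illustration, not code from the detection-rules repository: it splits a Kibana export into rules, exception lists, exception items and the trailing summary, takes the rule type only from rule records, and cross-checks the `exceptions_list` references. The helper names and the sets `KNOWN_RULE_TYPES` / `EXCEPTION_LIST_TYPES` are assumptions for this example, and the sample export is a constructed, shortened version of the ndjson in the issue.

```python
import json
from typing import Any, Dict, List

# Assumed for this example: rule types an importer knows how to build, and the
# Kibana exception-container types. "rule_default" belongs to the second set only.
KNOWN_RULE_TYPES = {"query", "eql", "threshold", "threat_match", "machine_learning", "new_terms"}
EXCEPTION_LIST_TYPES = {"detection", "rule_default", "endpoint"}


def classify(obj: Dict[str, Any]) -> str:
    """Identify an ndjson export record by the keys Kibana gives each record kind."""
    if "exported_count" in obj:          # trailing export summary line
        return "summary"
    if "rule_id" in obj:                 # detection rule
        return "rule"
    if "item_id" in obj:                 # exception list item (also has list_id, so test first)
        return "exception_item"
    if "list_id" in obj:                 # exception list container
        return "exception_list"
    raise ValueError("unrecognized ndjson record")


def parse_export(ndjson: str) -> Dict[str, List[Dict[str, Any]]]:
    buckets: Dict[str, List[Dict[str, Any]]] = {k: [] for k in ("rule", "exception_list", "exception_item", "summary")}
    for line in ndjson.splitlines():
        if line.strip():
            obj = json.loads(line)
            buckets[classify(obj)].append(obj)
    return buckets


def rule_type_of(rule: Dict[str, Any]) -> str:
    """Rule type comes from the rule record itself, never from its exception references."""
    rule_type = rule["type"]
    if rule_type not in KNOWN_RULE_TYPES:
        raise ValueError(f"Unknown rule type {rule_type}")
    return rule_type


def check_exception_refs(buckets: Dict[str, List[Dict[str, Any]]]) -> List[str]:
    """Every exceptions_list entry must have a known container type and resolve to an exported list."""
    lists_by_id = {lst["list_id"] for lst in buckets["exception_list"]}
    problems = []
    for rule in buckets["rule"]:
        for ref in rule.get("exceptions_list", []):
            if ref["type"] not in EXCEPTION_LIST_TYPES:
                problems.append(f"{rule['rule_id']}: unknown exception list type {ref['type']}")
            elif ref["list_id"] not in lists_by_id:
                problems.append(f"{rule['rule_id']}: missing exception list {ref['list_id']}")
    return problems
```

Running `parse_export` on the issue's four-line export yields one `eql` rule, one `rule_default` exception list and two `simple` items, with `check_exception_refs` reporting nothing.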
