Skip to content

Add new required_fields as a build-time restricted field #2059

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 19 commits into from
Jul 6, 2022
Merged

Add new required_fields as a build-time restricted field #2059

merged 19 commits into from
Jul 6, 2022

Conversation

Mikaayenson
Copy link
Contributor

@Mikaayenson Mikaayenson commented Jun 27, 2022
edited
Loading

Issues

Resolves #2056

Summary

  • Add unique_fields in the post build
  • Adds the new rule field required_fields to the rule post build.
  • Sets the value to None as a default.

@Mikaayenson Mikaayenson added v8.3.0 Rules for 8.3.0 v8.4.0 labels Jun 27, 2022
@Mikaayenson Mikaayenson self-assigned this Jun 27, 2022
@botelastic botelastic bot added the python Internal python for the repository label Jun 27, 2022
Mikaayenson
Mikaayenson commented Jun 27, 2022
View reviewed changes
@brokensound77 brokensound77 changed the title Add new require_field restricted field Add new required_fields as a build-time restricted field Jun 27, 2022
brokensound77
brokensound77 reviewed Jun 28, 2022
View reviewed changes
terrancedejesus
terrancedejesus approved these changes Jun 28, 2022
View reviewed changes
Copy link
Contributor

@terrancedejesus terrancedejesus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed and tested with @Mikaayenson

brokensound77
brokensound77 reviewed Jun 29, 2022
View reviewed changes
@brokensound77
Copy link
Contributor

brokensound77 commented Jun 30, 2022
edited
Loading

c59f224 I expanded the schema and values to include the additional fields. I had to do additional checks on ECS and beats schema to make the determination.

For lucene rules, this will be skipped since they are not parsed (empty array). Until we add integration schemas, it has the potential to not be perfect on field type determination (#1994). It also does not parse into winlog data. (should be exposed in #1776). These fields will add unknown for the type.

I successfully uploaded the full rule set to an 8.3 stack (the error is unrelated)

image

brokensound77
brokensound77 approved these changes Jul 5, 2022
View reviewed changes
Copy link
Contributor

@brokensound77 brokensound77 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few small changes then LGTM. Thanks for diving into this. We should pay special attention on this backport and before the next lock.

@brokensound77 brokensound77 mentioned this pull request Jul 6, 2022
Merged
@Mikaayenson Mikaayenson merged commit c76a397 into main Jul 6, 2022
@Mikaayenson Mikaayenson deleted the 2056-add-required_fields-to-post-transform-build-process branch July 6, 2022 15:49
protectionsmachine pushed a commit that referenced this pull request Jul 6, 2022
@Mikaayenson @github-actions
Add new required_fields as a build-time restricted field (#2059)
06ce001 
* Add new `require_field` restricted field
* validate new fields against BaseRuleData schema and global constant

Co-authored-by: Terrance DeJesus <[email protected]>
Co-authored-by: brokensound77 <[email protected]>

(cherry picked from commit c76a397)
protectionsmachine pushed a commit that referenced this pull request Jul 6, 2022
@Mikaayenson @github-actions
Add new required_fields as a build-time restricted field (#2059)
6a649b4 
* Add new `require_field` restricted field
* validate new fields against BaseRuleData schema and global constant

Co-authored-by: Terrance DeJesus <[email protected]>
Co-authored-by: brokensound77 <[email protected]>

(cherry picked from commit c76a397)
protectionsmachine pushed a commit that referenced this pull request Jul 6, 2022
@Mikaayenson @github-actions
Add new required_fields as a build-time restricted field (#2059)
e019148 
* Add new `require_field` restricted field
* validate new fields against BaseRuleData schema and global constant

Co-authored-by: Terrance DeJesus <[email protected]>
Co-authored-by: brokensound77 <[email protected]>

(cherry picked from commit c76a397)
protectionsmachine pushed a commit that referenced this pull request Jul 6, 2022
@Mikaayenson @github-actions
Add new required_fields as a build-time restricted field (#2059)
f287dce 
* Add new `require_field` restricted field
* validate new fields against BaseRuleData schema and global constant

Co-authored-by: Terrance DeJesus <[email protected]>
Co-authored-by: brokensound77 <[email protected]>

(cherry picked from commit c76a397)
protectionsmachine pushed a commit that referenced this pull request Jul 6, 2022
@Mikaayenson @github-actions
Add new required_fields as a build-time restricted field (#2059)
52add60 
* Add new `require_field` restricted field
* validate new fields against BaseRuleData schema and global constant

Co-authored-by: Terrance DeJesus <[email protected]>
Co-authored-by: brokensound77 <[email protected]>

(cherry picked from commit c76a397)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brokensound77 brokensound77 brokensound77 approved these changes

@terrancedejesus terrancedejesus terrancedejesus approved these changes

Assignees

@Mikaayenson Mikaayenson

@terrancedejesus terrancedejesus

Labels
backport: auto python Internal python for the repository v8.3.0 Rules for 8.3.0 v8.4.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add required_fields to post transform build process
3 participants
@Mikaayenson @brokensound77 @terrancedejesus