[FR] Add support for New Terms Fields and Window Start History #2360
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
terrancedejesus
added
enhancement
terrancedejesus
requested review from
brokensound77 and
Mikaayenson
as code owners
terrancedejesus
commented
Oct 17, 2022
Mikaayenson
reviewed
Oct 20, 2022
|
@brokensound77 the following marshmallow error appears when attempting to run the following command (TOML rule is in the original comment). Command: marshmallow.exceptions.ValidationError: {'rule': [ValidationError({'type': ['Must be equal to eql.'], 'language': ['Must be equal to eql.'], 'new_terms': ['Unknown field.']}), ValidationError({'threshold': ['Missing data for required field.'], 'type': ['Must be equal to threshold.'], 'new_terms': ['Unknown field.']}), ValidationError({'type': ['Must be equal to threat_match.'], 'threat_mapping': ['Missing data for required field.'], 'threat_index': ['Missing data for required field.'], 'new_terms': ['Unknown field.']}), ValidationError({'type': ['Must be equal to machine_learning.'], 'machine_learning_job_id': ['Missing data for required field.'], 'anomaly_threshold': ['Missing data for required field.'], 'index': ['Unknown field.'], 'new_terms': ['Unknown field.'], 'query': ['Unknown field.'], 'language': ['Unknown field.']}), ValidationError({'type': ['Must be equal to query.'], 'new_terms': ['Unknown field.']}), ValidationError({'new_terms': ['Unknown field.']})]}I assume it is related to the |
|
I have identified the issue with the Results❯ python -m detection_rules view-rule rules/network/command_and_control_new_terms_destination_port.toml
Loaded config file: /Users/tdejesus/code/src/detection-rules/.detection-rules-cfg.json
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
{
"author": [
"Elastic"
],
"description": "This rule detects outbound network connections to a well known port that has not been seen within the last 30 days.",
"false_positives": [
"Introducing new services that used well-known ports may cause outbound traffic to specific ports that would meet the criteria of this rule."
],
"from": "now-9m",
"index": [
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Outbound Traffic to Uncommon Well Known Port",
"new_terms": {
"field": "new_terms_field",
"history_window_start": [
{
"field": "history_window_start",
"value": "now-30d"
}
],
"value": [
"destination.port"
]
},
"query": "event.category:(network or network_traffic) and destination.port < 1024\n",
"required_fields": [
{
"ecs": true,
"name": "destination.port",
"type": "long"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "34fde489-94b0-4500-a76f-b8a157cf9269",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Network",
"Threat Detection",
"Command and Control",
"Host"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1021",
"name": "Remote Services",
"reference": "https://attack.mitre.org/techniques/T1021/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "new_terms",
"version": 101
}
|
terrancedejesus
commented
Dec 2, 2022
| @@ -51,7 +51,7 @@ | |||
|
|
|||
| "8.4.0": | |||
| beats: "main" | |||
| ecs: "8.3.1" | |||
| ecs: "8.4.0" | |||
There was a problem hiding this comment.
Updated this to be current and match the stack version.
eric-forte-elastic
approved these changes
Dec 5, 2022
There was a problem hiding this comment.
Great walk-through and discussion from @terrancedejesus and @Mikaayenson about this on Friday 12/02. Local test results on my machine match expected output. All looks good to me!
Local Test Output
detection-rules on 2346-fr-add-support-for-new-terms-field-in-rules [?] via v3.8.10 (venv) on eric.forte
❯ python -m detection_rules view-rule test_rule.toml
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
{
"author": [
"Elastic"
],
"description": "This rule detects outbound network connections to a well known port that has not been seen within the last 30 days.",
"false_positives": [
"Introducing new services that used well-known ports may cause outbound traffic to specific ports that would meet the criteria of this rule."
],
"from": "now-9m",
"history_window_start": "now-30d",
"index": [
"logs-endpoint.events.*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Outbound Traffic to Uncommon Well Known Port",
"new_terms_fields": [
"destination.port"
],
"query": "event.category:(network or network_traffic) and destination.port < 1024\n",
"required_fields": [
{
"ecs": true,
"name": "destination.port",
"type": "long"
},
{
"ecs": true,
"name": "event.category",
"type": "keyword"
}
],
"risk_score": 21,
"rule_id": "ecaa877a-6abc-11ed-82c5-f661ea17fbcd",
"severity": "low",
"tags": [
"Elastic",
"Host",
"Network",
"Threat Detection",
"Command and Control",
"Host"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0011",
"name": "Command and Control",
"reference": "https://attack.mitre.org/tactics/TA0011/"
},
"technique": [
{
"id": "T1021",
"name": "Remote Services",
"reference": "https://attack.mitre.org/techniques/T1021/"
}
]
}
],
"timestamp_override": "event.ingested",
"type": "new_terms",
"version": 1
}
Mikaayenson
reviewed
Dec 5, 2022
There was a problem hiding this comment.
- tested with sample rule new_terms load as expected
- tested field name is correct (recommending add an assert)
- tested schemas with no min_stack (recommending add a default)
- tested the values (no validation on window)
- tested number of new terms for 8.4.0
- tested duplicated of terms
- tested number of terms (more than 3, less than 1)
- observed new_terms_field added to root of output.
Left a couple small recommendations.
| @dataclass(frozen=True) | ||
| class HistoryWindowStart: | ||
| field: definitions.NonEmptyStr | ||
| value: definitions.NonEmptyStr |
There was a problem hiding this comment.
Nit: It's a shame that we don't add validation to the value.
There was a problem hiding this comment.
Digging into this at the moment. In L188 in rule.py we only ensure that the value of this field is a string.
In reference to L478 of rule.py, it seems that we have some additional logic for EQL rules because the possibility of conflicts between maxspax, lookback, and interval fields which is why they are methods of the EQLRuleData class and not inside QueryRuleData.
The look_back method of the EQLRuleData class is only called in the unit test test_all_rules.test_eql_lookback and converts, for example now-9m into milliseconds, ultimately to compare it with the maxspan value of an EQL rule to ensure it is greater than.
So in all, it appears we have no validation of the from field for rules, but we have comparison logic to ensure rule devs have entered maxspan and interval ranges that would not conflict. It is up to the rule developer to determine. If we do add logic, it should probably be in another PR where we determine what is compatible with Kibana, cover test/edge cases, etc while referencing https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math.
There was a problem hiding this comment.
Added new issue for this -> #2416
Mikaayenson
reviewed
Dec 5, 2022
Mikaayenson
reviewed
Dec 5, 2022
Co-authored-by: Mika Ayenson <[email protected]>
Co-authored-by: Mika Ayenson <[email protected]>
terrancedejesus
deleted the
2346-fr-add-support-for-new-terms-field-in-rules
branch
protectionsmachine
pushed a commit
that referenced
this pull request
Dec 5, 2022
* adding support new_terms_fields and window_start_history * adjusted rule.py to address flake errors * added assertion error if history_window_start does not exist * removed sample rule * removed self.rule_id from DataValidator * added new_terms to RuleType * changed new terms to its own class in rule.py * removed nonexisting function call in DataValidator class * adjusted new_terms field value in dataclass * changed literal type for history_window_start; view-rule working * removing test TOML rule * addressed flake errors for missing newlines * added validation option and adjusted object referencing * adjusted validation method call in post_validation * addressed flake errors for multiple spaces * added transform method to NewTermsRuleData class * added validation for min stack version and new terms array length restraints * added validation for unique new terms array * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * removed historywindowstart definition and adjusted subclass * removed test rule from commit * adjusted if/else for data transform method check * adjusted stack-schema-map; validation method name * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * added assertion for history_window_start field value * added variables for feature min stack and extended field min stack * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * addressed flake errors for continuation line with same indent Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 7e459dd)
protectionsmachine
pushed a commit
that referenced
this pull request
Dec 5, 2022
* adding support new_terms_fields and window_start_history * adjusted rule.py to address flake errors * added assertion error if history_window_start does not exist * removed sample rule * removed self.rule_id from DataValidator * added new_terms to RuleType * changed new terms to its own class in rule.py * removed nonexisting function call in DataValidator class * adjusted new_terms field value in dataclass * changed literal type for history_window_start; view-rule working * removing test TOML rule * addressed flake errors for missing newlines * added validation option and adjusted object referencing * adjusted validation method call in post_validation * addressed flake errors for multiple spaces * added transform method to NewTermsRuleData class * added validation for min stack version and new terms array length restraints * added validation for unique new terms array * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * removed historywindowstart definition and adjusted subclass * removed test rule from commit * adjusted if/else for data transform method check * adjusted stack-schema-map; validation method name * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * added assertion for history_window_start field value * added variables for feature min stack and extended field min stack * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * addressed flake errors for continuation line with same indent Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 7e459dd)
protectionsmachine
pushed a commit
that referenced
this pull request
Dec 5, 2022
* adding support new_terms_fields and window_start_history * adjusted rule.py to address flake errors * added assertion error if history_window_start does not exist * removed sample rule * removed self.rule_id from DataValidator * added new_terms to RuleType * changed new terms to its own class in rule.py * removed nonexisting function call in DataValidator class * adjusted new_terms field value in dataclass * changed literal type for history_window_start; view-rule working * removing test TOML rule * addressed flake errors for missing newlines * added validation option and adjusted object referencing * adjusted validation method call in post_validation * addressed flake errors for multiple spaces * added transform method to NewTermsRuleData class * added validation for min stack version and new terms array length restraints * added validation for unique new terms array * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * removed historywindowstart definition and adjusted subclass * removed test rule from commit * adjusted if/else for data transform method check * adjusted stack-schema-map; validation method name * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * added assertion for history_window_start field value * added variables for feature min stack and extended field min stack * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * addressed flake errors for continuation line with same indent Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 7e459dd)
protectionsmachine
pushed a commit
that referenced
this pull request
Dec 5, 2022
* adding support new_terms_fields and window_start_history * adjusted rule.py to address flake errors * added assertion error if history_window_start does not exist * removed sample rule * removed self.rule_id from DataValidator * added new_terms to RuleType * changed new terms to its own class in rule.py * removed nonexisting function call in DataValidator class * adjusted new_terms field value in dataclass * changed literal type for history_window_start; view-rule working * removing test TOML rule * addressed flake errors for missing newlines * added validation option and adjusted object referencing * adjusted validation method call in post_validation * addressed flake errors for multiple spaces * added transform method to NewTermsRuleData class * added validation for min stack version and new terms array length restraints * added validation for unique new terms array * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * removed historywindowstart definition and adjusted subclass * removed test rule from commit * adjusted if/else for data transform method check * adjusted stack-schema-map; validation method name * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * added assertion for history_window_start field value * added variables for feature min stack and extended field min stack * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * addressed flake errors for continuation line with same indent Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 7e459dd)
protectionsmachine
pushed a commit
that referenced
this pull request
Dec 5, 2022
* adding support new_terms_fields and window_start_history * adjusted rule.py to address flake errors * added assertion error if history_window_start does not exist * removed sample rule * removed self.rule_id from DataValidator * added new_terms to RuleType * changed new terms to its own class in rule.py * removed nonexisting function call in DataValidator class * adjusted new_terms field value in dataclass * changed literal type for history_window_start; view-rule working * removing test TOML rule * addressed flake errors for missing newlines * added validation option and adjusted object referencing * adjusted validation method call in post_validation * addressed flake errors for multiple spaces * added transform method to NewTermsRuleData class * added validation for min stack version and new terms array length restraints * added validation for unique new terms array * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * removed historywindowstart definition and adjusted subclass * removed test rule from commit * adjusted if/else for data transform method check * adjusted stack-schema-map; validation method name * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * added assertion for history_window_start field value * added variables for feature min stack and extended field min stack * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * addressed flake errors for continuation line with same indent Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 7e459dd)
protectionsmachine
pushed a commit
that referenced
this pull request
Dec 5, 2022
* adding support new_terms_fields and window_start_history * adjusted rule.py to address flake errors * added assertion error if history_window_start does not exist * removed sample rule * removed self.rule_id from DataValidator * added new_terms to RuleType * changed new terms to its own class in rule.py * removed nonexisting function call in DataValidator class * adjusted new_terms field value in dataclass * changed literal type for history_window_start; view-rule working * removing test TOML rule * addressed flake errors for missing newlines * added validation option and adjusted object referencing * adjusted validation method call in post_validation * addressed flake errors for multiple spaces * added transform method to NewTermsRuleData class * added validation for min stack version and new terms array length restraints * added validation for unique new terms array * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * removed historywindowstart definition and adjusted subclass * removed test rule from commit * adjusted if/else for data transform method check * adjusted stack-schema-map; validation method name * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * added assertion for history_window_start field value * added variables for feature min stack and extended field min stack * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * addressed flake errors for continuation line with same indent Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 7e459dd)
protectionsmachine
pushed a commit
that referenced
this pull request
Dec 5, 2022
* adding support new_terms_fields and window_start_history * adjusted rule.py to address flake errors * added assertion error if history_window_start does not exist * removed sample rule * removed self.rule_id from DataValidator * added new_terms to RuleType * changed new terms to its own class in rule.py * removed nonexisting function call in DataValidator class * adjusted new_terms field value in dataclass * changed literal type for history_window_start; view-rule working * removing test TOML rule * addressed flake errors for missing newlines * added validation option and adjusted object referencing * adjusted validation method call in post_validation * addressed flake errors for multiple spaces * added transform method to NewTermsRuleData class * added validation for min stack version and new terms array length restraints * added validation for unique new terms array * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * removed historywindowstart definition and adjusted subclass * removed test rule from commit * adjusted if/else for data transform method check * adjusted stack-schema-map; validation method name * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * added assertion for history_window_start field value * added variables for feature min stack and extended field min stack * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * addressed flake errors for continuation line with same indent Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 7e459dd)
protectionsmachine
pushed a commit
that referenced
this pull request
Dec 5, 2022
* adding support new_terms_fields and window_start_history * adjusted rule.py to address flake errors * added assertion error if history_window_start does not exist * removed sample rule * removed self.rule_id from DataValidator * added new_terms to RuleType * changed new terms to its own class in rule.py * removed nonexisting function call in DataValidator class * adjusted new_terms field value in dataclass * changed literal type for history_window_start; view-rule working * removing test TOML rule * addressed flake errors for missing newlines * added validation option and adjusted object referencing * adjusted validation method call in post_validation * addressed flake errors for multiple spaces * added transform method to NewTermsRuleData class * added validation for min stack version and new terms array length restraints * added validation for unique new terms array * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * removed historywindowstart definition and adjusted subclass * removed test rule from commit * adjusted if/else for data transform method check * adjusted stack-schema-map; validation method name * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * added assertion for history_window_start field value * added variables for feature min stack and extended field min stack * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * Update detection_rules/rule.py Co-authored-by: Mika Ayenson <[email protected]> * addressed flake errors for continuation line with same indent Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit 7e459dd)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues
Summary
Adds support for
new_terms_fieldandwindow_start_historyfields in detection rules. These rules are compatible with stack versions 8.4+. The following needs to be completed for this PR.Definitions.pyto include new fields and minimum stack requirementsNewTermsRuleDatadata class inrule.pyfor the new rule typevalidatemethod inNewTermsRuleDataclass to add specific validation for New Terms rule typestransformmethod inNewTermsRuleDataclass to pop new terms key:value to root of JSON after validationvalidatemethodTesting
The following rule was made locally to test this by using the command ->
python -m detection_rules view-rule /Users/tdejesus/code/src/detection-rules/rules/network/command_and_control_uncommon_well_known_port.tomlExample Rule
The
view-ruleCLI command from devtools was used to view this rule which will then transform it to API format and produce the expected JSON ouput. This process calls on existing data validators and schemas which would fail if the new fields were unrecognized or did not follow proper schema.View Rule Output