[FR] Adapt PyPi semver Library and Remove Custom #2503
Update: 1-29-2023
All Notes:
There is a lot more functionality that can be read in the docs.
Certainly, I'll review the comments and re-formatting this morning! Thanks for the review. By chance, do we have a specific preference when sorting imports? I assumed as long as they are sorted (which I do via VSCode) then there is no harm done, as it follows the standard pythonic import hygiene.
Co-authored-by: Mika Ayenson <[email protected]>
🥇 Fantastic work @terrancedejesus
Here's a summary of the tests I replicated in addition to the code review.
🟢 : python -m detection_rules dev build-release --update-version-lock
🟢 : python -m detection_rules view-rule /Users/stryker/workspace/Elastic/detection-rules/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
🟢 : pytest tests
🟢 : python -m detection_rules dev bump-pkg-versions --major-release --maturity="ga"
🟢 : Download ECS Schemas
🟢 : Downgrade Functions
🟢 : python -m detection_rules dev attack refresh-data
Looks great! 🥳 ✔️ In addition to considerable peer review and manual review of code, also performed the following checks:
Tested
✔️ Build Release Packages and Update Rule Versions
✔️ View Rule with Integration Tag
Output
detection-rules on 2502-fr-adapt-pypi-semver-library-and-remove-custom [!] is v0.1.0 via v3.8.10 (detection-rules-build) on eric.forte took 24s
❯ python -m detection_rules view-rule rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
{
"author": [
"Elastic"
],
"description": "Identifies the Elastic endpoint agent has stopped and is no longer running on the host. Adversaries may attempt to disable security monitoring tools in an attempt to evade detection or prevention capabilities during an intrusion. This may also indicate an issue with the agent itself and should be addressed to ensure defensive measures are back in a stable state.",
"from": "now-9m",
"index": [
"logs-endpoint.events.*"
],
"language": "eql",
"license": "Elastic License v2",
"name": "Elastic Agent Service Terminated",
"note": "",
"query": "process where\n/* net, sc or wmic stopping or deleting Elastic Agent on Windows */\n(event.type == \"start\" and\n process.name : (\"net.exe\", \"sc.exe\", \"wmic.exe\",\"powershell.exe\",\"taskkill.exe\",\"PsKill.exe\",\"ProcessHacker.exe\") and\n process.args : (\"stopservice\",\"uninstall\", \"stop\", \"disabled\",\"Stop-Process\",\"terminate\",\"suspend\") and\n process.args : (\"elasticendpoint\", \"Elastic Agent\",\"elastic-agent\",\"elastic-endpoint\"))\nor\n/* service or systemctl used to stop Elastic Agent on Linux */\n(event.type == \"end\" and\n (process.name : (\"systemctl\", \"service\") and\n process.args : \"elastic-agent\" and\n process.args : \"stop\")\n or\n /* Unload Elastic Agent extension on MacOS */\n (process.name : \"kextunload\" and\n process.args : \"com.apple.iokit.EndpointSecurity\" and\n event.action : \"end\"))\n",
"related_integrations": [
{
"package": "endpoint",
"version": "^8.2.0"
}
],
"required_fields": [
{
"ecs": true,
"name": "event.action",
"type": "keyword"
},
{
"ecs": true,
"name": "event.type",
"type": "keyword"
},
{
"ecs": true,
"name": "process.args",
"type": "keyword"
},
{
"ecs": true,
"name": "process.name",
"type": "keyword"
}
],
"risk_score": 47,
"rule_id": "b627cd12-dac4-11ec-9582-f661ea17fbcd",
"setup": "If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.",
"severity": "medium",
"tags": [
"Elastic",
"Host",
"Linux",
"Windows",
"macOS",
"Threat Detection",
"Defense Evasion"
],
"threat": [
{
"framework": "MITRE ATT&CK",
"tactic": {
"id": "TA0005",
"name": "Defense Evasion",
"reference": "https://attack.mitre.org/tactics/TA0005/"
},
"technique": [
{
"id": "T1562",
"name": "Impair Defenses",
"reference": "https://attack.mitre.org/techniques/T1562/",
"subtechnique": [
{
"id": "T1562.001",
"name": "Disable or Modify Tools",
"reference": "https://attack.mitre.org/techniques/T1562/001/"
}
]
}
]
}
],
"timestamp_override": "event.ingested",
"type": "eql",
"version": 101
}
✔️ Unit Tests
Output
LINTING
./env/detection-rules-build/bin/python -m flake8 tests detection_rules --ignore D203 --max-line-length 120
./env/detection-rules-build/bin/python -m detection_rules test
============================== test session starts ===============================
platform linux -- Python 3.8.10, pytest-7.2.0, pluggy-1.0.0 -- /home/forteea1/Code/elastic/detection-rules/env/detection-rules-build/bin/python
cachedir: .pytest_cache
rootdir: /home/forteea1/Code/elastic/detection-rules, configfile: pyproject.toml
plugins: typeguard-2.13.3
collected 117 items
tests/test_all_rules.py::TestValidRules::test_all_rule_queries_optimized PASSED [ 0%]
tests/test_all_rules.py::TestValidRules::test_duplicate_file_names PASSED [ 1%]
tests/test_all_rules.py::TestValidRules::test_file_names PASSED [ 2%]
tests/test_all_rules.py::TestValidRules::test_production_rules_have_rta PASSED [ 3%]
tests/test_all_rules.py::TestValidRules::test_rule_type_changes PASSED [ 4%]
tests/test_all_rules.py::TestValidRules::test_schema_and_dupes PASSED [ 5%]
tests/test_all_rules.py::TestThreatMappings::test_duplicated_tactics PASSED [ 5%]
tests/test_all_rules.py::TestThreatMappings::test_tactic_to_technique_correlations PASSED [ 6%]
tests/test_all_rules.py::TestThreatMappings::test_technique_deprecations PASSED [ 7%]
tests/test_all_rules.py::TestRuleTags::test_casing_and_spacing PASSED [ 8%]
tests/test_all_rules.py::TestRuleTags::test_primary_tactic_as_tag PASSED [ 9%]
tests/test_all_rules.py::TestRuleTags::test_required_tags PASSED [ 10%]
tests/test_all_rules.py::TestRuleTimelines::test_timeline_has_title PASSED [ 11%]
tests/test_all_rules.py::TestRuleFiles::test_rule_file_name_tactic PASSED [ 11%]
tests/test_all_rules.py::TestRuleMetadata::test_deprecated_rules PASSED [ 12%]
tests/test_all_rules.py::TestRuleMetadata::test_integration_tag PASSED [ 13%]
tests/test_all_rules.py::TestRuleMetadata::test_updated_date_newer_than_creation PASSED [ 14%]
tests/test_all_rules.py::TestIntegrationRules::test_all_min_stack_rules_have_comment PASSED [ 15%]
tests/test_all_rules.py::TestIntegrationRules::test_integration_guide SKIPPED [ 16%]
tests/test_all_rules.py::TestIntegrationRules::test_rule_demotions PASSED [ 17%]
tests/test_all_rules.py::TestRuleTiming::test_eql_interval_to_maxspan PASSED [ 17%]
tests/test_all_rules.py::TestRuleTiming::test_eql_lookback PASSED [ 18%]
tests/test_all_rules.py::TestRuleTiming::test_event_override PASSED [ 19%]
tests/test_all_rules.py::TestRuleTiming::test_required_lookback PASSED [ 20%]
tests/test_all_rules.py::TestLicense::test_elastic_license_only_v2 PASSED [ 21%]
tests/test_all_rules.py::TestIncompatibleFields::test_rule_backports_for_restricted_fields PASSED [ 22%]
tests/test_all_rules.py::TestBuildTimeFields::test_build_fields_min_stack PASSED [ 23%]
tests/test_all_rules.py::TestRiskScoreMismatch::test_rule_risk_score_severity_mismatch PASSED [ 23%]
tests/test_all_rules.py::TestOsqueryPluginNote::test_note_guide PASSED [ 24%]
tests/test_gh_workflows.py::TestWorkflows::test_matrix_to_lock_version_defaults PASSED [ 25%]
tests/test_mappings.py::TestMappings::test_false_positives PASSED [ 26%]
tests/test_mappings.py::TestMappings::test_true_positives PASSED [ 27%]
tests/test_mappings.py::TestRTAs::test_rtas_with_triggered_rules_have_uuid PASSED [ 28%]
tests/test_packages.py::TestPackages::test_package_loader_default_configs PASSED [ 29%]
tests/test_packages.py::TestPackages::test_package_loader_production_config PASSED [ 29%]
tests/test_packages.py::TestPackages::test_package_summary PASSED [ 30%]
tests/test_packages.py::TestPackages::test_rule_versioning PASSED [ 31%]
tests/test_packages.py::TestRegistryPackage::test_registry_package_config PASSED [ 32%]
tests/test_schemas.py::TestSchemas::test_eql_validation PASSED [ 33%]
tests/test_schemas.py::TestSchemas::test_query_downgrade_7_x PASSED [ 34%]
tests/test_schemas.py::TestSchemas::test_query_downgrade_8_x PASSED [ 35%]
tests/test_schemas.py::TestSchemas::test_threshold_downgrade_7_x PASSED [ 35%]
tests/test_schemas.py::TestSchemas::test_threshold_downgrade_8_x PASSED [ 36%]
tests/test_schemas.py::TestSchemas::test_versioned_downgrade_7_x PASSED [ 37%]
tests/test_schemas.py::TestSchemas::test_versioned_downgrade_8_x PASSED [ 38%]
tests/test_schemas.py::TestVersionLockSchema::test_version_lock_has_nested_previous PASSED [ 39%]
tests/test_schemas.py::TestVersionLockSchema::test_version_lock_no_previous PASSED [ 40%]
tests/test_schemas.py::TestVersions::test_stack_schema_map PASSED [ 41%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_formatter_deep PASSED [ 41%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_formatter_rule PASSED [ 42%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_normalization PASSED [ 43%]
tests/test_utils.py::TestTimeUtils::test_caching PASSED [ 44%]
tests/test_utils.py::TestTimeUtils::test_event_class_normalization PASSED [ 45%]
tests/test_utils.py::TestTimeUtils::test_schema_multifields PASSED [ 46%]
tests/test_utils.py::TestTimeUtils::test_time_normalize PASSED [ 47%]
tests/test_version_locking.py::TestVersionLock::test_previous_entries_gte_current_min_stack PASSED [ 47%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_and_query PASSED [ 48%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_exists PASSED [ 49%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_inequality PASSED [ 50%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_match PASSED [ 51%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_not_query PASSED [ 52%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_optimizations PASSED [ 52%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_or_query PASSED [ 53%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_and_query PASSED [ 54%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_boolean_precedence PASSED [ 55%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_field_equals PASSED [ 56%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_field_inequality PASSED [ 57%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_ip_checks PASSED [ 58%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_list_of_values PASSED [ 58%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_not_query PASSED [ 59%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_or_query PASSED [ 60%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_wildcard_field PASSED [ 61%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_and_expr PASSED [ 62%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_and_values PASSED [ 63%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_cidr_match PASSED [ 64%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_field_exists PASSED [ 64%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_flattening PASSED [ 65%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_list_value PASSED [ 66%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_not_value PASSED [ 67%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_or_expr PASSED [ 68%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_or_values PASSED [ 69%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_quoted_wildcard PASSED [ 70%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_range PASSED [ 70%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_single_value PASSED [ 71%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_wildcard PASSED [ 72%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_and_query PASSED [ 73%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_boolean_precedence PASSED [ 74%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_field_equals PASSED [ 75%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_field_inequality PASSED [ 76%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_list_of_values PASSED [ 76%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_lone_value PASSED [ 77%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_nested_query PASSED [ 78%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_not_query PASSED [ 79%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_or_query PASSED [ 80%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_schema PASSED [ 81%]
tests/kuery/test_lint.py::LintTests::test_and_not PASSED [ 82%]
tests/kuery/test_lint.py::LintTests::test_compound PASSED [ 82%]
tests/kuery/test_lint.py::LintTests::test_double_negate PASSED [ 83%]
tests/kuery/test_lint.py::LintTests::test_extract_not PASSED [ 84%]
tests/kuery/test_lint.py::LintTests::test_ip PASSED [ 85%]
tests/kuery/test_lint.py::LintTests::test_lint_field PASSED [ 86%]
tests/kuery/test_lint.py::LintTests::test_lint_precedence PASSED [ 87%]
tests/kuery/test_lint.py::LintTests::test_merge_fields PASSED [ 88%]
tests/kuery/test_lint.py::LintTests::test_mixed_demorgans PASSED [ 88%]
tests/kuery/test_lint.py::LintTests::test_not_demorgans PASSED [ 89%]
tests/kuery/test_lint.py::LintTests::test_not_or PASSED [ 90%]
tests/kuery/test_lint.py::LintTests::test_upper_tokens PASSED [ 91%]
tests/kuery/test_parser.py::ParserTests::test_conversion PASSED [ 92%]
tests/kuery/test_parser.py::ParserTests::test_date PASSED [ 93%]
tests/kuery/test_parser.py::ParserTests::test_keyword PASSED [ 94%]
tests/kuery/test_parser.py::ParserTests::test_list_equals PASSED [ 94%]
tests/kuery/test_parser.py::ParserTests::test_multiple_types_fail PASSED [ 95%]
tests/kuery/test_parser.py::ParserTests::test_multiple_types_success PASSED [ 96%]
tests/kuery/test_parser.py::ParserTests::test_number_exists PASSED [ 97%]
tests/kuery/test_parser.py::ParserTests::test_number_wildcard_fail PASSED [ 98%]
tests/kuery/test_parser.py::ParserTests::test_type_family_fail PASSED [ 99%]
tests/kuery/test_parser.py::ParserTests::test_type_family_success PASSED [100%]
================================ warnings summary ================================
env/detection-rules-build/lib/python3.8/site-packages/_pytest/config/__init__.py:1171
/home/forteea1/Code/elastic/detection-rules/env/detection-rules-build/lib/python3.8/site-packages/_pytest/config/__init__.py:1171: PytestAssertRewriteWarning: Module already imported so cannot be rewritten: typeguard
self._mark_plugins_for_rewrite(hook)
-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
=================== 116 passed, 1 skipped, 1 warning in 22.76s ===================
✔️ Bump Package Versions
Output
detection-rules on 2502-fr-adapt-pypi-semver-library-and-remove-custom is v0.1.0 via v3.8.10 (detection-rules-build) on eric.forte
❯ python -m detection_rules dev bump-pkg-versions --minor-release --maturity="ga"
Kibana version: 8.8
Package Kibana version: ^8.8.0
Package version: 8.8.0-beta.1
detection-rules on 2502-fr-adapt-pypi-semver-library-and-remove-custom [!] is v0.1.0 via v3.8.10 (detection-rules-build) on eric.forte
❯ python -m detection_rules dev bump-pkg-versions --major-release --maturity="ga"
Kibana version: 9
Package Kibana version: ^9.0.0
Package version: 9.0.0-beta.1
detection-rules on 2502-fr-adapt-pypi-semver-library-and-remove-custom [!] is v0.1.0 via v3.8.10 (detection-rules-build) on eric.forte
❯ python -m detection_rules dev bump-pkg-versions --patch-release --maturity="ga"
Traceback (most recent call last):
File "/usr/lib/python3.8/runpy.py", line 194, in _run_module_as_main
return _run_code(code, main_globals, None,
File "/usr/lib/python3.8/runpy.py", line 87, in _run_code
exec(code, run_globals)
File "/home/forteea1/Code/elastic/detection-rules/detection_rules/__main__.py", line 34, in <module>
main()
File "/home/forteea1/Code/elastic/detection-rules/detection_rules/__main__.py", line 31, in main
root(prog_name="detection_rules")
File "/home/forteea1/Code/elastic/detection-rules/env/detection-rules-build/lib/python3.8/site-packages/click/core.py", line 1130, in __call__
return self.main(*args, **kwargs)
File "/home/forteea1/Code/elastic/detection-rules/env/detection-rules-build/lib/python3.8/site-packages/click/core.py", line 1055, in main
rv = self.invoke(ctx)
File "/home/forteea1/Code/elastic/detection-rules/env/detection-rules-build/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/forteea1/Code/elastic/detection-rules/env/detection-rules-build/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
return _process_result(sub_ctx.command.invoke(sub_ctx))
File "/home/forteea1/Code/elastic/detection-rules/env/detection-rules-build/lib/python3.8/site-packages/click/core.py", line 1404, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/home/forteea1/Code/elastic/detection-rules/env/detection-rules-build/lib/python3.8/site-packages/click/core.py", line 760, in invoke
return __callback(*args, **kwargs)
File "/home/forteea1/Code/elastic/detection-rules/detection_rules/devtools.py", line 181, in bump_versions
latest_patch_release_ver = find_latest_integration_version("security_detection_engine",
File "/home/forteea1/Code/elastic/detection-rules/detection_rules/integrations.py", line 243, in find_latest_integration_version
existing_pkgs = get_integration_manifests(integration, prerelease, str(stack_version))
File "/home/forteea1/Code/elastic/detection-rules/detection_rules/integrations.py", line 232, in get_integration_manifests
raise ValueError(f"EPR search for {integration} integration package returned empty list")
ValueError: EPR search for security_detection_engine integration package returned empty list
✔️ Refresh ATT&CK Mappings
Output
detection-rules on 2502-fr-adapt-pypi-semver-library-and-remove-custom [✘?] is v0.1.0 via v3.8.10 (detection-rules-build) on eric.forte took 3m39s
❯ python -m detection_rules dev attack refresh-data
Replaced file: /home/forteea1/Code/elastic/detection-rules/detection_rules/etc/attack-v11.1.json.gz with /home/forteea1/Code/elastic/detection-rules/detection_rules/etc/attack-v12.1.0.json.gz
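The bump-pkg-versions runs above show the three release types this PR reworks: a minor bump yields 8.8.0-beta.1, a major bump 9.0.0-beta.1, and a patch bump fails because the EPR lookup for existing security_detection_engine packages came back empty. The following is an added example, not code from the detection-rules repository or from this PR. It uses only the Python standard library (the PR itself adopts the PyPI semver package; the optional_minor_and_patch name is borrowed from that package's Version.parse) and shows what a semver-correct bump needs: real precedence comparison instead of string or float comparison, parsing of a bare major.minor Kibana version, and an explicit error when no published package exists to derive a patch release from. The current version, the registry listing and the -beta.1 suffix are constructed values standing in for packages.yml, the EPR response and whatever maturity rule the tool applies.

```python
import re
from dataclasses import dataclass, replace
from functools import total_ordering
from typing import Optional, Sequence, Tuple

# SemVer 2.0 grammar with minor and patch optional, so a bare Kibana version
# such as "8.8" or "9" can be parsed into 8.8.0 / 9.0.0 when the caller allows it.
_SEMVER_RE = re.compile(
    r"^(?P<major>0|[1-9]\d*)"
    r"(?:\.(?P<minor>0|[1-9]\d*)(?:\.(?P<patch>0|[1-9]\d*))?)?"
    r"(?:-(?P<pre>[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?$"
)


@total_ordering
@dataclass(frozen=True)
class Version:
    major: int
    minor: int = 0
    patch: int = 0
    prerelease: Optional[str] = None

    @classmethod
    def parse(cls, text: str, optional_minor_and_patch: bool = False) -> "Version":
        m = _SEMVER_RE.match(text.strip())
        if m is None:
            raise ValueError(f"not a semantic version: {text!r}")
        if (m["minor"] is None or m["patch"] is None) and not optional_minor_and_patch:
            raise ValueError(f"minor and patch are required: {text!r}")
        return cls(int(m["major"]), int(m["minor"] or 0), int(m["patch"] or 0), m["pre"])

    @classmethod
    def is_valid(cls, text: str, optional_minor_and_patch: bool = False) -> bool:
        try:
            cls.parse(text, optional_minor_and_patch)
            return True
        except ValueError:
            return False

    def __str__(self) -> str:
        core = f"{self.major}.{self.minor}.{self.patch}"
        return f"{core}-{self.prerelease}" if self.prerelease else core

    def _key(self) -> Tuple:
        # SemVer 2.0 section 11: a prerelease sorts below the release it precedes;
        # numeric identifiers compare as integers and rank below alphanumeric ones.
        if self.prerelease is None:
            pre_key: Tuple = (1,)
        else:
            pre_key = (0, tuple((0, int(p), "") if p.isdigit() else (1, 0, p)
                                for p in self.prerelease.split(".")))
        return (self.major, self.minor, self.patch, pre_key)

    def __lt__(self, other: "Version") -> bool:
        return self._key() < other._key()

    def bump_major(self) -> "Version":
        return Version(self.major + 1)

    def bump_minor(self) -> "Version":
        return Version(self.major, self.minor + 1)

    def bump_patch(self) -> "Version":
        return Version(self.major, self.minor, self.patch + 1)


def kibana_constraint(kibana_version: str) -> str:
    """'8.8' -> '^8.8.0', '9' -> '^9.0.0' (the 'Package Kibana version' line above)."""
    v = Version.parse(kibana_version, optional_minor_and_patch=True)
    return f"^{v.major}.{v.minor}.{v.patch}"


def bump_package_version(current: Version, release: str,
                         registry_versions: Sequence[Version] = (),
                         prerelease_tag: str = "beta.1") -> Version:
    """Next package version for a major / minor / patch release.

    Major and minor bumps need only the current version.  A patch release is cut
    from the latest published release of the same major.minor line, so it needs
    the registry listing; an empty listing is the failure the traceback above
    shows, surfaced here as a ValueError with a clear message.  The prerelease
    tag is a constructed constant, not a maturity rule taken from the tool.
    """
    if release == "major":
        new = current.bump_major()
    elif release == "minor":
        new = current.bump_minor()
    elif release == "patch":
        line = [v for v in registry_versions
                if (v.major, v.minor) == (current.major, current.minor) and v.prerelease is None]
        if not line:
            raise ValueError(f"registry search returned no {current.major}.{current.minor}.x "
                             "packages; cannot derive a patch release")
        new = max(line).bump_patch()
    else:
        raise ValueError(f"unknown release type: {release!r}")
    return replace(new, prerelease=prerelease_tag)


def latest_version(versions: Sequence[str]) -> str:
    """Highest version by semver precedence.  A plain string sort would rank
    '8.9.0' above '8.10.0' and '8.10.0' below '8.10.0-beta.1'; this does not."""
    return str(max(Version.parse(v) for v in versions))


if __name__ == "__main__":
    current = Version.parse("8.7.3")  # constructed current packages.yml version
    registry = [Version.parse(v) for v in ("8.7.0", "8.7.1", "8.7.10", "8.7.2")]  # constructed
    print("minor:", bump_package_version(current, "minor"))
    print("major:", bump_package_version(current, "major"))
    print("patch:", bump_package_version(current, "patch", registry))
    print("constraint:", kibana_constraint("8.8"))
```

The patch branch is where the custom-versus-library distinction matters most: it has to pick the highest published 8.7.x from the registry, and a string or float comparison gets 8.7.10 versus 8.7.2 wrong, which is exactly the class of bug a real semver implementation removes.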
* removed custom semver and replaced with pypi
* updated beats.py version references
* updated bump-versions CLI command to use semver and change logic
* updated schemas __init__, test_version_lock and unstage incompatible rules CLI
* updated test_stack_schema_map in TestVersions unittest
* updated test_all_rules unit testing Version() references
* updated stack_compat.py for get_restricted_field references
* updated version_lock.py Version() references
* updated docs.py Version() reference for parse_registry
* updated devtools.py Version() reference for trim-version-lock
* updated mixins.py Version() reference in validate_field_compatibility
* adjusted schemas.__init__ Version() reference in get_stack_schemas
* adjusted ecs.py Version() references
* adjusted integrations.py Version() references
* adjusted rule.py Version() references
* sorted imports
* replaced custom semver with pypi semver in unit test files
* addressed unit test and flake errors
* changed semver strings casted to version_lock.py
* fixed sorting in integrations.py
* updated bump-pkgs-versions CLI command
* adjusted semantic version in unstage-incompatible-rules command
* adjusted semver import to VersionInfo
* added semver 3 and adjusted import names
* added option_minor_and_patch parameter where version is major.minor
* updated bump-pkg-versions to always save to packages.yml
* removed leftover split call & updated find latest compatible version command
* updated integrations.py, version_lock.py and schemas.__init__.py
* changed fstring reference in downgrade function
* reverted formatting changes for detection_rules __init__.py
* added newline to detection_rules __init__.py
* adjusted finding latest_release for attack package logic
* adjusted unstage-incompatible-rules command logic comparing versions
* removing changes from misc.py related to auto-formatting
* adding newline to misc.py
* fixed bug in downgrade function calling decorators
* added semantic version validation on migrate decorator function
* added expected type returned from find_latest_integration_version in integrations.py
* add comment about stripped versions for version lock file

Co-authored-by: Mika Ayenson <[email protected]>

---------

Co-authored-by: Mika Ayenson <[email protected]>
(cherry picked from commit fb2b452)
* removed custom semver and replaced with pypi * updated beats.py version references * updated bump-versions CLI command to use semver and change logic * updated schemas __init__, test_version_lock and unstage incompatible rules CLI * updated test_stack_schema_map in TestVersions unittest * updated test_all_rules unit testing Version() references * updated stack_compat.py for get_restricted_field references) * updated version_lock.py Version() references * updated docs.py Version() reference for parse_registry * updated devtools.py Version() reference for trim-version-lock * updated mixins.py Version() reference in validate_field_compatibility * adjusted schemas.__init__ Version() reference in get_stack_schemas * adjusted ecs.py Version() references * adjusted integrations.py Version() references * adjusted rule.py Version() references * sorted imports * replaced custom semver with pypi semver in unit test files * addressed unit test and flake errors * changed semver strings casted to version_lock.py * fixed sorting in integrations.py * updated bump-pkgs-versions CLI command * adjusted semantic version in unstage-incompatible-rules command * adjusted semver import to VersionInfo * added semver 3 and adjusted import names * added option_minor_and_patch parameter where version is major.minor * updated bump-pkg-versions to always save to packages.yml * removed leftover split call & updated find latest compatible version command * updated integrations.py, version_lock.py and schemas.__init__.py * changed fstring reference in downgrade function * reverted formatting changes for detection_rules __init__.py * added newline to detection_rules __init__.py * adjusted finding latest_release for attack package logic * adjusted unstage-incompatible-rules command logic comparing versions * removing changes from misc.py related to auto-formatting * adding newline to misc.py * fixed bug in downgrade function calling decorators * added semantic version validation on migrate 
decorator function * added expected type returned from find_latest_integration_version in integrations.py * add comment about stripped versions for version lock file Co-authored-by: Mika Ayenson <[email protected]> --------- Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit fb2b452)
* removed custom semver and replaced with pypi * updated beats.py version references * updated bump-versions CLI command to use semver and change logic * updated schemas __init__, test_version_lock and unstage incompatible rules CLI * updated test_stack_schema_map in TestVersions unittest * updated test_all_rules unit testing Version() references * updated stack_compat.py for get_restricted_field references) * updated version_lock.py Version() references * updated docs.py Version() reference for parse_registry * updated devtools.py Version() reference for trim-version-lock * updated mixins.py Version() reference in validate_field_compatibility * adjusted schemas.__init__ Version() reference in get_stack_schemas * adjusted ecs.py Version() references * adjusted integrations.py Version() references * adjusted rule.py Version() references * sorted imports * replaced custom semver with pypi semver in unit test files * addressed unit test and flake errors * changed semver strings casted to version_lock.py * fixed sorting in integrations.py * updated bump-pkgs-versions CLI command * adjusted semantic version in unstage-incompatible-rules command * adjusted semver import to VersionInfo * added semver 3 and adjusted import names * added option_minor_and_patch parameter where version is major.minor * updated bump-pkg-versions to always save to packages.yml * removed leftover split call & updated find latest compatible version command * updated integrations.py, version_lock.py and schemas.__init__.py * changed fstring reference in downgrade function * reverted formatting changes for detection_rules __init__.py * added newline to detection_rules __init__.py * adjusted finding latest_release for attack package logic * adjusted unstage-incompatible-rules command logic comparing versions * removing changes from misc.py related to auto-formatting * adding newline to misc.py * fixed bug in downgrade function calling decorators * added semantic version validation on migrate 
decorator function * added expected type returned from find_latest_integration_version in integrations.py * add comment about stripped versions for version lock file Co-authored-by: Mika Ayenson <[email protected]> --------- Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit fb2b452)
* removed custom semver and replaced with pypi * updated beats.py version references * updated bump-versions CLI command to use semver and change logic * updated schemas __init__, test_version_lock and unstage incompatible rules CLI * updated test_stack_schema_map in TestVersions unittest * updated test_all_rules unit testing Version() references * updated stack_compat.py for get_restricted_field references) * updated version_lock.py Version() references * updated docs.py Version() reference for parse_registry * updated devtools.py Version() reference for trim-version-lock * updated mixins.py Version() reference in validate_field_compatibility * adjusted schemas.__init__ Version() reference in get_stack_schemas * adjusted ecs.py Version() references * adjusted integrations.py Version() references * adjusted rule.py Version() references * sorted imports * replaced custom semver with pypi semver in unit test files * addressed unit test and flake errors * changed semver strings casted to version_lock.py * fixed sorting in integrations.py * updated bump-pkgs-versions CLI command * adjusted semantic version in unstage-incompatible-rules command * adjusted semver import to VersionInfo * added semver 3 and adjusted import names * added option_minor_and_patch parameter where version is major.minor * updated bump-pkg-versions to always save to packages.yml * removed leftover split call & updated find latest compatible version command * updated integrations.py, version_lock.py and schemas.__init__.py * changed fstring reference in downgrade function * reverted formatting changes for detection_rules __init__.py * added newline to detection_rules __init__.py * adjusted finding latest_release for attack package logic * adjusted unstage-incompatible-rules command logic comparing versions * removing changes from misc.py related to auto-formatting * adding newline to misc.py * fixed bug in downgrade function calling decorators * added semantic version validation on migrate 
decorator function * added expected type returned from find_latest_integration_version in integrations.py * add comment about stripped versions for version lock file Co-authored-by: Mika Ayenson <[email protected]> --------- Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit fb2b452)
* removed custom semver and replaced with pypi * updated beats.py version references * updated bump-versions CLI command to use semver and change logic * updated schemas __init__, test_version_lock and unstage incompatible rules CLI * updated test_stack_schema_map in TestVersions unittest * updated test_all_rules unit testing Version() references * updated stack_compat.py for get_restricted_field references) * updated version_lock.py Version() references * updated docs.py Version() reference for parse_registry * updated devtools.py Version() reference for trim-version-lock * updated mixins.py Version() reference in validate_field_compatibility * adjusted schemas.__init__ Version() reference in get_stack_schemas * adjusted ecs.py Version() references * adjusted integrations.py Version() references * adjusted rule.py Version() references * sorted imports * replaced custom semver with pypi semver in unit test files * addressed unit test and flake errors * changed semver strings casted to version_lock.py * fixed sorting in integrations.py * updated bump-pkgs-versions CLI command * adjusted semantic version in unstage-incompatible-rules command * adjusted semver import to VersionInfo * added semver 3 and adjusted import names * added option_minor_and_patch parameter where version is major.minor * updated bump-pkg-versions to always save to packages.yml * removed leftover split call & updated find latest compatible version command * updated integrations.py, version_lock.py and schemas.__init__.py * changed fstring reference in downgrade function * reverted formatting changes for detection_rules __init__.py * added newline to detection_rules __init__.py * adjusted finding latest_release for attack package logic * adjusted unstage-incompatible-rules command logic comparing versions * removing changes from misc.py related to auto-formatting * adding newline to misc.py * fixed bug in downgrade function calling decorators * added semantic version validation on migrate 
decorator function * added expected type returned from find_latest_integration_version in integrations.py * add comment about stripped versions for version lock file Co-authored-by: Mika Ayenson <[email protected]> --------- Co-authored-by: Mika Ayenson <[email protected]> (cherry picked from commit fb2b452)
Issues
Summary
Remove custom semver library from Detection Rules and replace with 3rd-party semver library. Review all uses of custom library and adjust logic to pypi library.
Additional Information
- Replaced `Version` with `semver.VersionInfo`
- Replaced `Version` with `semver.VersionInfo` or `semver.VersionInfo.parse` where applicable and necessary
- Renamed `bump-versions` to `bump-pkg-versions` in alignment with new detection rules release
- Added `find_latest_integration_version` function to `integrations.py`
  - Used to dynamically determine what is bumped for patch releases (OOB)
- Removed `lstrip` and splitting to create the expected variables when passing parameters for some parts of the code. While adjustments are made, we will need to revisit the version.lock.json file and its associated schema at a later date to be fully semantic versioned for consistency.
Testing
Build Release Packages and Update Rule Versions
Importance: The `build-release --update-version-lock` command tests our pre-built rules package building workflow. This workflow relies on `version_lock.py`, `rule.py`, schema validation, `version.lock.json` file references and more. It is expected that when running this release, the `version.lock.json` file will have changes that reflect expected rule updates with no double bumps, no forked rules adjustments and, if versions are changed, the SHA256 was different.
Command:
python -m detection_rules dev build-release --update-version-lock
Expected Results:
View Rule with Integration Tag
Importance: The `view-rule` command touches several parts of the code including `to_api_format`, `related_integrations`, `version_lock.py` and more. Parts of this code rely on semantic versioning to do related integration build time field comparisons, correctly load and interpret the `version.lock.json` file and convert a TOML rule to the Kibana API format, which is necessary for package building and rule loading.
Command:
python -m detection_rules view-rule /Users/tdejesus/code/src/detection-rules/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
Expected Results
Unit Tests
Importance: Unit testing is important for this PR as it touches several parts of the code that could potentially rely on semantic versioning.
Command:
pytest tests
Expected Results
Find Latest Integration Version
Importance: The `find_latest_integration_version` function was added to `integrations.py` to identify the latest integration version, either ga or beta depending on parameters passed. This is important for updating the `integrations-pr` command and eventually the `release-fleet` workflow. It is directly referenced in the `bump-pkg-versions` CLI command to help dynamically identify what the next beta or ga patch release version is by referencing EPR.
Commands:
Expected Results:
Bump Package Versions
Importance: The `bump-pkg-versions` command will update the packages.yaml file contents and make the necessary updates for major, minor or patch releases. Major and minor releases will save the changes to the packages.yaml as this will be used in the `prep-for-next-release` workflow, so this file will be updated and then the packages.yaml file saved. Additionally it will be used for the `integrations-pr` command to dynamically determine the correct package version.
Command:
- python -m detection_rules dev bump-pkg-versions --minor-release --maturity="ga" (updates packages.yml)
- python -m detection_rules dev bump-pkg-versions --major-release --maturity="ga" (updates packages.yml)
- python -m detection_rules dev bump-pkg-versions --patch-release --maturity="ga"
Expected Results
Build Integrations PR
Importance: The `integrations-pr` command is used to make the necessary changes to the security_detection_engine package in your local integrations repository and create a PR. First a release package must exist locally in Detection Rules.
Command:
python -m detection_rules dev build-release --update-version-lock
python -m detection_rules dev integrations-pr /Users/tdejesus/code/src/integrations --assign terrancedejesus
Expected Results: [Testing][Security Rules] Update security rules package to v8.7.0-beta.1 - DO NOT MERGE integrations#5176
Download ECS Schemas
Importance: ECS and beats schemas are important to doing rule validation. The `ecs.py` library now uses semver for version comparisons and downloading certain ECS packages.
Command:
Expected Results
Downgrade Functions
Importance: Downgrading allows a rule to be converted to the appropriate format depending on the stack version. This functionality exists in `schemas.__init__.py` where multiple `migrate` functions exist for each stack version. We add these functions at each "Prep for Next Branch" PR. The API format of the rule is passed in along with the target stack version and existing stack version, which returns the appropriate API format of the rule at that target stack version.
Commands:
Expected Results
Refresh ATT&CK Mappings
Importance: The semver library is used to compare ATT&CK package versions.
Command:
Rename detection_rules/etc/attack-v12.1.json.gz -> attack-v11.1.json.gz
python -m detection_rules dev attack refresh-data
python -m detection_rules dev attack refresh-redirect-mappings
Expected Results
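As an added example (not code from the detection-rules project or this PR), the snippet below shows how the PyPI semver package models two behaviours the description above tests: picking the latest ga or beta integration version from a registry listing, and bumping a package version by release type and maturity. It assumes semver >= 3 is installed; the function names, the sample version list and the maturity rules are this example's own assumptions.

```python
from typing import Iterable, Optional

import semver  # PyPI "semver" >= 3; semver.VersionInfo is its older alias for Version

# Constructed sample of versions as the package registry (EPR) might list them.
SAMPLE_EPR_VERSIONS = ["8.6.1", "8.7.0-beta.1", "8.7.0-beta.2", "8.6.2", "8.7.0-beta.10"]


def parse_version(text: str) -> semver.Version:
    """Parse a version, tolerating "major.minor" strings such as "8.7".

    optional_minor_and_patch=True defaults the missing parts to 0 instead of
    raising ValueError, replacing hand-rolled lstrip/split handling.
    """
    return semver.Version.parse(text, optional_minor_and_patch=True)


def find_latest_version(versions: Iterable[str], maturity: str) -> Optional[str]:
    """Newest version of the requested maturity ("ga" or "beta"), or None.

    GA versions have no prerelease; betas carry "beta.N". semver compares numeric
    prerelease identifiers as integers, so beta.10 sorts after beta.2.
    """
    parsed = [parse_version(v) for v in versions]
    if maturity == "ga":
        candidates = [v for v in parsed if v.prerelease is None]
    elif maturity == "beta":
        candidates = [v for v in parsed if (v.prerelease or "").startswith("beta")]
    else:
        raise ValueError(f"unknown maturity: {maturity}")
    return str(max(candidates)) if candidates else None


def bump_package_version(current: str, release: str, maturity: str) -> str:
    """Next package version for a "major", "minor" or "patch" release.

    A patch of a beta advances the beta counter (8.7.0-beta.1 -> 8.7.0-beta.2);
    a patch of a GA bumps the patch number. "beta" maturity starts a new beta
    line at beta.1 when none exists; "ga" maturity strips any prerelease.
    """
    version = parse_version(current)
    bumps = {"major": version.bump_major, "minor": version.bump_minor,
             "patch": version.bump_prerelease if version.prerelease else version.bump_patch}
    bumped = bumps[release]()  # KeyError identifies an unknown release type
    if maturity == "ga":
        return str(bumped.finalize_version())
    if maturity != "beta":
        raise ValueError(f"unknown maturity: {maturity}")
    return str(bumped if bumped.prerelease else bumped.replace(prerelease="beta.1"))
```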