[FR] Add support to decouple actions and exceptions #5

Conversation


@brokensound77 brokensound77 commented Feb 21, 2024

Issues

part of elastic/ia-trade-team/issues/258

Summary

Details forthcoming

TODO

  • helper methods from within TomlRuleContents to help associate rule <=> exceptions
    • this includes the "build time" functionality from # 2 above



@dataclass
class Action(MarshmallowDataclassMixin):

class ActionMeta(MarshmallowDataclassMixin):
    """Data stored in an exception's [metadata] section of TOML."""
    creation_date: definitions.Date
    rule_id: definitions.UUIDString
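Review bot: the docstring on `ActionMeta` says "an exception's [metadata] section", but the class sits next to `Action` and holds the metadata of an action list, so the docstring should say "action list"; also, `rule_id: definitions.UUIDString` ties each action list to exactly one rule, which is the one-or-many question raised below, and if sharing across rules is wanted the field would need to become a list of UUID strings.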


Should action list be associated to only one rule or multiple rules?

@Mikaayenson

Mikaayenson commented Feb 21, 2024

@brokensound77 here is an example toml file based on the actions:

[metadata]
creation_date = "2024-02-21"
rule_id = "5d1e96c6-1ee8-4f19-9416-1d8d81428f59"
rule_name = "Example Rule Name"
updated_date = "2024-02-22"
deprecation_date = "2025-01-01"      # optional
comments = "This is an example action list" # optional
maturity = "beta"                    # optional

[[actions]]
action_type_id = ".email"
group = "default"
params.message = "Action triggered: Example Rule Name"
id = "action_001"                    # optional
frequency = { throttle = "5m" }      # optional (TOML inline table: key = value, not key: value)

[[actions]]
action_type_id = ".slack"
group = "default"
params.message = "Some other notification"

I noticed that ActionParams may need to be updated and alerts_filter added.

@Mikaayenson

Mikaayenson commented Feb 21, 2024

Sample exception list file:

[metadata]
creation_date = "2024-02-21"
rule_id = "5d1e96c6-1ee8-4f19-9416-1d8d81428f59"
rule_name = "Example Rule Name"
updated_date = "2024-02-22"
comments = "This is an example exception list."
maturity = "development"

[[exceptions]]
description = "Example exception container"
list_id = "exception_list_01"
name = "Sample Exception List"
namespace_type = "single"
tags = ["tag1", "tag2"]
type = "detection"

  [[exceptions.items]]
  description = "Exception item description"
  list_id = "item_list_01"
  name = "Exception Item Name"
  namespace_type = "single"
  tags = ["exception_item_tag1"]
  type = "simple"
  expire_time = "2024-12-31T23:59:59Z"

    [[exceptions.items.entries]]
    field = "process.name"
    type = "match_any"
    operator = "included"
    value = ["malicious_process", "another_process"]

    [[exceptions.items.entries]]
    field = "nested.field.example"
    type = "nested"
    operator = "included"

      [[exceptions.items.entries.entries]]
      field = "nested.inside"
      type = "match"
      operator = "included"
      value = "specific_value"

        self.frozen = True

    @classmethod
    def default(cls) -> 'GenericCollection':


Will there be unit tests that load this Generic Collection? Just thinking about how a user will test this prior to trying to push to kibana and loading everything.

brokensound77 (Owner Author)

Not built in - but if they wanted to unit test similar to how we do rules, they would just need to load and test


you mean use the loader to "test" in terms of schema validation, but no unit testing explicitly for field validation?

@Mikaayenson

Do we need all the same metadata like rule information if a user wants to directly add schemas to the toml file?

@brokensound77 brokensound77 marked this pull request as ready for review March 13, 2024 03:36
@brokensound77 brokensound77 merged commit 1c327bd into add-configurable-testing-and-validation Mar 13, 2024
3 of 13 checks passed