Account for CCS '::' index pattern #4258

Merged
merged 7 commits into from
Nov 13, 2024

@shashank-elastic shashank-elastic commented Nov 7, 2024

Pull Request

Issue link(s): #4158

Summary - What I changed

  • Consider CCS index patterns with :: delimiter
  • Changes made to get_index_schema, get_custom_index_schema and parse_beats_from_index
  • A cool idea was to make the split uniform by using the : delimiter and replacing any occurrence of :: with :

How To Test

Rule Details

[metadata]
creation_date = "2024/11/07"
maturity = "production"
updated_date = "2024/11/07"

[rule]
actions = []
author = []
description = "INFOSEC CSS Test Rule"
enabled = true
exceptions_list = []
false_positives = []
filters = []
from = "now-18060s"
index = ["infosec_test::logs-*", "infosec_test::auditbeat-*"]
interval = "5h"
language = "eql"
license = ""
max_signals = 100
name = "INFOSEC CSS Test Rule"
references = []
related_integrations = []
required_fields = []
risk_score = 21
risk_score_mapping = []
rule_id = "521629d1-61e4-4203-8a16-a08d5dc20281"
setup = ""
severity = "low"
severity_mapping = []
tags = []
threat = []
to = "now"
type = "eql"

query = '''
process where process.name == "FakeRoot"
'''



[rule.meta]
from = "1m"
kibana_siem_app_url = "https://dev-deployment-2c684a.kb.us-central1.gcp.cloud.es.io:9243/app/security"

  • We can test locally using view-rule on the following test rule file
view-rule Details

python -m detection_rules view-rule custom-rules/rules/infosec_css_test_rule.toml 
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

{
  "actions": [],
  "author": [],
  "description": "INFOSEC CSS Test Rule",
  "enabled": true,
  "exceptions_list": [],
  "false_positives": [],
  "filters": [],
  "from": "now-18060s",
  "index": [
    "infosec_test::logs-*",
    "infosec_test::auditbeat-*"
  ],
  "interval": "5h",
  "language": "eql",
  "license": "",
  "max_signals": 100,
  "meta": {
    "from": "1m",
    "kibana_siem_app_url": "https://dev-deployment-2c684a.kb.us-central1.gcp.cloud.es.io:9243/app/security"
  },
  "name": "INFOSEC CSS Test Rule",
  "query": "process where process.name == \"FakeRoot\"\n",
  "references": [],
  "related_integrations": [],
  "required_fields": [],
  "risk_score": 21,
  "risk_score_mapping": [],
  "rule_id": "521629d1-61e4-4203-8a16-a08d5dc20281",
  "setup": "",
  "severity": "low",
  "severity_mapping": [],
  "tags": [],
  "threat": [],
  "to": "now",
  "type": "eql",
  "version": 1
}
(.venv) 
detection-rules on  issue-4158 [$?] is 📦 v0.1.1 via 🐍 v3.12.5 (.venv) on ☁️  [email protected] 

  • Created a Rule with CCS index patterns with : delimiter
Rule Details

[metadata]
creation_date = "2024/11/07"
maturity = "production"
updated_date = "2024/11/07"

[rule]
actions = []
author = []
description = "INFOSEC CSS Test Rule"
enabled = true
exceptions_list = []
false_positives = []
filters = []
from = "now-18060s"
index = ["infosec_test:logs-*"]
interval = "5h"
language = "eql"
license = ""
max_signals = 100
name = "INFOSEC CSS Test Rule"
references = []
related_integrations = []
required_fields = []
risk_score = 21
risk_score_mapping = []
rule_id = "521629d1-61e4-4203-8a16-a08d5dc20281"
setup = ""
severity = "low"
severity_mapping = []
tags = []
threat = []
to = "now"
type = "eql"

query = '''
process where process.name == "FakeRoot"
'''



[rule.meta]
from = "1m"
kibana_siem_app_url = "https://dev-deployment-2c684a.kb.us-central1.gcp.cloud.es.io:9243/app/security"

  • We can test locally using view-rule on the following test rule file
view-rule Details

python -m detection_rules view-rule custom-rules/rules/infosec_css_test_rule2.toml
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

{
  "actions": [],
  "author": [],
  "description": "INFOSEC CSS Test Rule",
  "enabled": true,
  "exceptions_list": [],
  "false_positives": [],
  "filters": [],
  "from": "now-18060s",
  "index": [
    "infosec_test:logs-*"
  ],
  "interval": "5h",
  "language": "eql",
  "license": "",
  "max_signals": 100,
  "meta": {
    "from": "1m",
    "kibana_siem_app_url": "https://dev-deployment-2c684a.kb.us-central1.gcp.cloud.es.io:9243/app/security"
  },
  "name": "INFOSEC CSS Test Rule",
  "query": "process where process.name == \"FakeRoot\"\n",
  "references": [],
  "related_integrations": [],
  "required_fields": [],
  "risk_score": 21,
  "risk_score_mapping": [],
  "rule_id": "521629d1-61e4-4203-8a16-a08d5dc20281",
  "setup": "",
  "severity": "low",
  "severity_mapping": [],
  "tags": [],
  "threat": [],
  "to": "now",
  "type": "eql",
  "version": 1
}
(.venv) 

Testing 4 DAC export/import commands - #3509

Successful Import of Rule with Run Time Field

detection-rules on  issue-4158 [$?] is 📦 v0.2.0 via 🐍 v3.12.5 (.venv) on ☁️  [email protected]
python -m detection_rules import-rules-to-repo /Users/shashankks/Downloads/test_run_time_filed.ndjson --required-only
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

[+] Building rule for /Users/shashankks/elastic_workspace/detection-rules/custom-rules/rules/run_time_filed_mapping_to_data_views.toml
1 results exported
1 rules converted
0 exceptions exported
0 actions connectors exported
(.venv) 

AutoGen Schema populated successfully


Successful Export of Rule with Run Time Field

python -m detection_rules export-rules-from-repo -id "521629d1-61e4-4203-8a16-a08d5dc20281"                           
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Exported 1 rules into /Users/shashankks/elastic_workspace/detection-rules/exports/20241112T171934L.ndjson
(.venv) 

Exported Rule with CCS indices "::"; nothing was replaced in the original file


Successful Export of Rule with Run Time Field From Kibana

python -m detection_rules kibana export-rules -r "a97cf517-bb1c-4d46-9522-f449fd3b0873" -d /Users/shashankks/elastic_workspace/detection-rules/custom_rules -ac
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

1 results exported
0 rules converted
0 exceptions exported
0 action connectors exported
0 rules saved to /Users/shashankks/elastic_workspace/detection-rules/custom_rules
0 exception lists saved to /Users/shashankks/elastic_workspace/detection-rules/custom-rules/exceptions
0 action connectors saved to /Users/shashankks/elastic_workspace/detection-rules/custom-rules/action_connectors
(.venv) 
detection

Based on the Fix #3984 we are using the -ac flag.

Successful Import of Rule with Run Time Field To Kibana

python -m detection_rules kibana import-rules -id "521629d1-61e4-4203-8a16-a08d5dc20281" 
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

1 rule(s) successfully imported
 - 521629d1-61e4-4203-8a16-a08d5dc20281
(.venv) 
detection-rules on  issue-4158 [$?] is 📦 v0.2.0 via 🐍 v3.12.5 (.venv) on ☁️  [email protected] took 5s 

make test-cli

Snippet of the run

Building manifests for integrations
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

loading rules to determine all integration tags
loaded endpoint manifests from the following package versions: ['8.16.0', '8.15.2', '8.15.1', '8.15.0', '8.14.0', '8.13.0', '8.12.0', '8.11.1', '8.11.0', '8.10.2', '8.10.1', '8.10.0', '8.9.1', '8.9.0', '8.8.0', '8.7.1', '8.7.0', '8.6.1', '8.6.0', '8.5.0', '8.4.1', '8.4.0', '8.3.0', '8.2.0', '1.5.0', '1.4.1', '1.4.0', '1.3.0', '1.2.2', '1.2.1', '1.2.0', '1.1.1', '1.1.0', '1.0.0']
final integrations manifests dumped: /Users/shashankks/elastic_workspace/detection-rules/detection_rules/etc/integration-manifests.json.gz
Building schemas for integrations
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Building integration schemas...
processing endpoint
final integrations manifests dumped: /Users/shashankks/elastic_workspace/detection-rules/detection_rules/etc/integration-schemas.json.gz
Detection-rules CLI tests completed!
(.venv) 

make test-remote-cli

Found 2 matching queries:

╒══════════════════════════════════════════════════════════╤══════════════════════════════════════╤═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╤════════════════════╤═══════════╕
│ Name                                                     │ UUID                                 │ Location                                                                                                                      │ Data Source        │ MITRE     │
╞══════════════════════════════════════════════════════════╪══════════════════════════════════════╪═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╪════════════════════╪═══════════╡
│ IAM User Activity with No MFA Session                    │ 913a47be-649c-11ef-a693-f661ea17fbcc │ /Users/shashankks/elastic_workspace/detection-rules/hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml │ ['aws.cloudtrail'] │ T1078.004 │
├──────────────────────────────────────────────────────────┼──────────────────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────┼───────────┤
│ Signin Single Factor Console Login via Federated Session │ 953b1252-5efd-11ef-a997-f661ea17fbce │ /Users/shashankks/elastic_workspace/detection-rules/hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml │ ['aws.cloudtrail'] │ T1078.004 │
╘══════════════════════════════════════════════════════════╧══════════════════════════════════════╧═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════╧════════════════════╧═══════════╛

Running Query: low_volume_external_network_connections_from_process.toml
Requires .detection-rules-cfg.json credentials file set.
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json
No file found at path: /Users/tdejesus/code/src/detection-rules/hunting/linux/queries/low_volume_external_network_connections_from_process.toml
Viewing Hunt: 12526f14-5e35-4f5f-884c-96c6a353a544
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json
{
    "author": "Elastic",
    "description": "This hunt identifies low volume external network connections initiated by processes on Linux systems. It focuses on connections attempted by processes that have been seen infrequently (five or fewer connections) and by unique agents. This can help identify potentially suspicious activity that might be missed due to low volume.\n",
    "integration": [
        "endpoint"
    ],
    "uuid": "12526f14-5e35-4f5f-884c-96c6a353a544",
    "name": "Low Volume External Network Connections from Process by Unique Agent",
    "language": [
        "ES|QL"
    ],
    "license": "Elastic License v2",
    "query": [
        "from logs-endpoint.events.network-*\n| where @timestamp > now() - 7 day\n| where host.os.type == \"linux\" and event.category == \"network\" and event.type == \"start\" and event.action == \"connection_attempted\" and not process.name is null and\n    not CIDR_MATCH(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\"FE80::/10\", \"FF00::/8\")\n| stats connection_count = count(*), unique_agent_count = count_distinct(agent.id) by process.name\n| where connection_count <= 5 and unique_agent_count == 1\n| limit 100\n| sort connection_count, unique_agent_count asc\n",
        "from logs-endpoint.events.network-*\n| where @timestamp > now() - 7 day\n| where host.os.type == \"linux\" and event.category == \"network\" and event.type == \"start\" and event.action == \"connection_attempted\" and user.id == \"0\" and not process.name is null and\n    not CIDR_MATCH(destination.ip, \"10.0.0.0/8\", \"127.0.0.0/8\", \"169.254.0.0/16\", \"172.16.0.0/12\", \"192.0.0.0/24\", \"192.0.0.0/29\", \"192.0.0.8/32\", \"192.0.0.9/32\", \"192.0.0.10/32\", \"192.0.0.170/32\", \"192.0.0.171/32\", \"192.0.2.0/24\", \"192.31.196.0/24\", \"192.52.193.0/24\", \"192.168.0.0/16\", \"192.88.99.0/24\", \"224.0.0.0/4\", \"100.64.0.0/10\", \"192.175.48.0/24\",\"198.18.0.0/15\", \"198.51.100.0/24\", \"203.0.113.0/24\", \"240.0.0.0/4\", \"::1\",\"FE80::/10\", \"FF00::/8\")\n| stats connection_count = count(*), unique_agent_count = count_distinct(agent.id) by process.name\n| where connection_count <= 5 and unique_agent_count == 1\n| limit 100\n| sort connection_count, unique_agent_count asc\n"
    ],
    "notes": [
        "Monitors for network connections attempted by processes that have a low occurrence frequency (five or fewer connections) and are seen by a unique agent.",
        "Excludes common internal IP ranges to minimize false positives.",
        "A separate query is included to specifically monitor low volume network connections initiated by the root user, as these can be particularly indicative of malicious activity."
    ],
    "mitre": [
        "T1071.001",
        "T1071.004"
    ],
    "references": []
}
Generating summary of hunts by integration
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json
Generating hunt summary broken down by integration...
╒════════════════════════╤══════════════╕
│ Integration            │   Hunt Count │
╞════════════════════════╪══════════════╡
│ aws_bedrock.invocation │            4 │
├────────────────────────┼──────────────┤
│ endpoint               │           61 │
├────────────────────────┼──────────────┤
│ system                 │           12 │
├────────────────────────┼──────────────┤
│ okta                   │           11 │
├────────────────────────┼──────────────┤
│ aws.cloudtrail         │           18 │
├────────────────────────┼──────────────┤
│ windows                │           23 │
╘════════════════════════╧══════════════╛
Generating summary of hunts by platform
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json
Generating hunt summary broken down by platform...
╒═════════════════════╤══════════════╕
│ Platform (Folder)   │   Hunt Count │
╞═════════════════════╪══════════════╡
│ llm                 │            4 │
├─────────────────────┼──────────────┤
│ macos               │            2 │
├─────────────────────┼──────────────┤
│ linux               │           31 │
├─────────────────────┼──────────────┤
│ okta                │           11 │
├─────────────────────┼──────────────┤
│ aws                 │           18 │
├─────────────────────┼──────────────┤
│ windows             │           32 │
╘═════════════════════╧══════════════╛
Generating summary of hunts by language
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json
Generating hunt summary broken down by language...
╒════════════╤══════════════╕
│ Language   │   Hunt Count │
╞════════════╪══════════════╡
│ ES|QL      │           93 │
├────────────┼──────────────┤
│ OSQuery    │           15 │
╘════════════╧══════════════╛
(.venv) 

## Checklist
  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

@shashank-elastic shashank-elastic added the enhancement New feature or request label Nov 7, 2024
@shashank-elastic shashank-elastic self-assigned this Nov 7, 2024
@botelastic botelastic bot added python Internal python for the repository schema labels Nov 7, 2024
@protectionsmachine
Collaborator

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Code changes do not introduce new warnings or errors.
  • Variables and functions are well-named and descriptive.
  • Any unnecessary / commented-out code is removed.
  • Ensure that the code is modular and reusable where applicable.
  • Check for proper exception handling and messaging.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.

Additional Checks

  • Ensure that the enhancement does not break existing functionality.
  • Review the enhancement with a peer or team member for additional insights.
  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that all dependencies are up-to-date and compatible with the changes.
  • Confirm that the proper version label is applied to the PR patch, minor, major.

@shashank-elastic shashank-elastic linked an issue Nov 7, 2024 that may be closed by this pull request
Contributor

@eric-forte-elastic eric-forte-elastic left a comment

🟢 Manual review, looks good to me! 👍

The .replace approach should function as both ":" and "::" are reserved for CCS at this time. However, this will need to be revisited should the ":" be reserved for something else in the index.

# e.g. mycluster:logs-* -> logs-*
for index in indexes:
if "beat-*" in index:
index_parts = index.split(':', 1)
index_parts = index.replace('::', ':').split(':', 1)
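
Review bot: on the new `index_parts` line, `index.replace('::', ':')` rewrites every `::` in the string rather than only the cluster delimiter, so the part after the prefix is altered if it ever contains `::`, and the comment above still documents only the `mycluster:logs-*` form. Splitting on the first delimiter alone, for example `re.split(r'::?', index, maxsplit=1)`, keeps the remainder untouched; please also add a `mycluster::logs-*` case to the comment.
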
Contributor

Doesn't look like an issue, but in the Kibana PR/issue, did it reference that beat indexes would have this pattern?
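
An added example (not code from this PR or the detection-rules repository) comparing the `.replace('::', ':')` split discussed above with a split on the first `:` or `::` only. The helper names are hypothetical, and every sample pattern other than the two from the PR's test rule is constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical helpers for illustration; not functions from detection-rules.
# A CCS prefix is "<cluster>:" or "<cluster>::" in front of the index pattern.
_CCS_DELIM = re.compile(r"::?")

# Constructed sample: the first two patterns are the PR's test rule indexes,
# the rest are made up to exercise local, single-colon and odd inputs.
SAMPLE_INDEXES = [
    "infosec_test::logs-*",
    "infosec_test::auditbeat-*",
    "remote:filebeat-*",
    "auditbeat-*",
    "c1::logs-a::b",
]


def split_ccs_prefix(index: str) -> Tuple[Optional[str], str]:
    """Split on the first ':' or '::' only; cluster is None for local patterns."""
    parts = _CCS_DELIM.split(index, maxsplit=1)
    if len(parts) == 1:
        return None, index
    return parts[0], parts[1]


def split_with_replace(index: str) -> List[str]:
    """The approach from the review: collapse every '::' to ':' and split once."""
    return index.replace("::", ":").split(":", 1)


def beats_from_indexes(indexes: List[str]) -> List[str]:
    """Collect unique beat names from patterns of the form '<name>beat-*'."""
    beats: List[str] = []
    for index in indexes:
        _, pattern = split_ccs_prefix(index)
        if pattern.endswith("beat-*"):
            name = pattern[: -len("-*")]
            if name not in beats:
                beats.append(name)
    return beats


def divergent(indexes: List[str]) -> List[str]:
    """Patterns whose remainder differs between the two splitting strategies."""
    return [i for i in indexes
            if split_with_replace(i)[-1] != split_ccs_prefix(i)[1]]


if __name__ == "__main__":
    for idx in SAMPLE_INDEXES:
        print(f"{idx!r:32} -> {split_ccs_prefix(idx)}")
    print("beats:", beats_from_indexes(SAMPLE_INDEXES))
    print("differs under replace():", divergent(SAMPLE_INDEXES))
```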

@Mikaayenson
Contributor

Can you double check the 4 dac export/import commands to ensure this doesn't introduce errors?

@shashank-elastic
Contributor Author

> Can you double check the 4 dac export/import commands to ensure this doesn't introduce errors?

Testing Updated

@shashank-elastic shashank-elastic merged commit 04e1fc1 into main Nov 13, 2024
12 checks passed
@shashank-elastic shashank-elastic deleted the issue-4158 branch November 13, 2024 05:47
protectionsmachine pushed a commit that referenced this pull request Nov 13, 2024
Labels
backport: auto enhancement New feature or request minor python Internal python for the repository schema
Development

Successfully merging this pull request may close these issues.

DAC: CCS patterns changing
6 participants