[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules #4324
Conversation
Rule: Tuning - Guidelines
These guidelines serve as a reminder set of considerations when tuning an existing rule.
Documentation and Context
Rule Metadata Checks
Testing and Validation
@terrancedejesus With some simple logic, there are a few identified:

```python
from detection_rules.rule_loader import RuleCollection
from detection_rules.utils import convert_time_span

rules = RuleCollection.default()


def convert_relative_delta(lookback: str) -> int:
    # Turn date math such as "now-6m" into a signed millisecond offset;
    # a bare span such as "5m" is handed straight to convert_time_span.
    now = len("now")
    min_length = now + len('+5m')
    if lookback.startswith("now") and len(lookback) >= min_length:
        lookback = lookback[len("now"):]
        sign = lookback[0]  # + or -
        span = lookback[1:]
        amount = convert_time_span(span)
        return amount * (-1 if sign == "-" else 1)
    else:
        return convert_time_span(lookback)


for rule in rules.rules:
    # Window queried on each run (to - from) against how often the rule runs;
    # if the window does not exceed the interval there is no additional look-back.
    to = convert_relative_delta(rule.contents.data.to) if rule.contents.data.to else 0
    from_ = convert_relative_delta(rule.contents.data.from_ or "now-6m")
    interval = convert_time_span(rule.contents.data.interval or "5m")
    if to - from_ <= interval:
        print(f"{rule.name} - {rule.id}")
```

Output:

```
My First Rule - a198fbbd-9413-45ec-a269-47ae4ccf59ce
Rapid Secret Retrieval Attempts from AWS SecretsManager - 185c782e-f86a-11ee-9d9f-f661ea17fbce
Multiple Okta Sessions Detected for a Single User - 621e92b6-7e54-11ee-bdc0-f661ea17fbcd
Query Registry using Built-in Tools - ded09d02-0137-4ccc-8005-c45e617e8d4c
```

Can you go ahead and fix the others? FWIW, we could probably turn the code into a unit test. Starting in 8.18, when rules customization is released, the issue where this surfaces should be fixed by elastic/kibana#204317.
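The check discussed in the comment above, rewritten as an added example that is not code from the detection-rules repository or from this PR: it runs without the `detection_rules` package, loads a few constructed `[rule]` fragments (not files from the repository), flags the ones where the queried window does not exceed the run interval, and proposes a `from` value that restores additional look-back. The scheduling model it assumes is the one the comment relies on: a rule runs every `interval` and queries `from`..`to`, so a window no larger than the interval leaves no slack for late-arriving events. The defaults (`now-6m`, `now`, `5m`) mirror the comment; the helper names `lookback_report`, `rules_without_additional_lookback` and `suggest_from` are this example's own.

```python
"""Stand-alone look-back gap check for detection rule TOML (added example).

Assumed scheduling model: a rule runs every `interval` and queries the window
from `from` to `to`; when `to - from` is not larger than the interval there is
no additional look-back to absorb ingest delay, so late events can fall between
two runs. The rule fragments at the bottom are constructed for this example.
"""
import re

try:
    import tomllib  # Python 3.11+
except ImportError:  # older interpreters: use the minimal reader below
    tomllib = None

_UNITS_MS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}
_SPAN = re.compile(r"^(\d+)(ms|s|m|h|d)$")


def span_to_ms(span: str) -> int:
    """'30m' -> 1_800_000; the same unit set used for interval and date math."""
    match = _SPAN.match(span.strip())
    if not match:
        raise ValueError(f"unrecognised time span: {span!r}")
    return int(match.group(1)) * _UNITS_MS[match.group(2)]


def relative_to_ms(expr: str) -> int:
    """Offset from now in ms: 'now' -> 0, 'now-6m' -> -360_000, bare '5m' -> 300_000."""
    expr = expr.strip()
    if expr == "now":
        return 0
    if expr.startswith("now"):
        sign, span = expr[3], expr[4:]
        if sign not in "+-":
            raise ValueError(f"bad date math: {expr!r}")
        return -span_to_ms(span) if sign == "-" else span_to_ms(span)
    return span_to_ms(expr)  # a bare span is treated as a positive offset


def _load_rule(toml_text: str) -> dict:
    """Return the [rule] table; falls back to a tiny key = "value" reader without tomllib."""
    if tomllib is not None:
        return tomllib.loads(toml_text)["rule"]
    rule, in_rule = {}, False
    for line in toml_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_rule = line == "[rule]"
        elif in_rule and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            rule[key] = value.strip('"')
    return rule


def lookback_report(toml_text: str) -> dict:
    """Window, interval and additional look-back (all in ms) for one rule file."""
    rule = _load_rule(toml_text)
    window_ms = relative_to_ms(rule.get("to", "now")) - relative_to_ms(rule.get("from", "now-6m"))
    interval_ms = span_to_ms(rule.get("interval", "5m"))
    return {
        "name": rule["name"],
        "window_ms": window_ms,
        "interval_ms": interval_ms,
        "additional_ms": window_ms - interval_ms,  # <= 0 is the condition flagged in the comment
    }


def rules_without_additional_lookback(files: dict[str, str]) -> list[str]:
    """Names of rules whose window is not larger than their interval (to - from <= interval)."""
    return [r["name"] for r in map(lookback_report, files.values()) if r["additional_ms"] <= 0]


def suggest_from(interval: str, additional: str = "1m") -> str:
    """Smallest whole-unit `from` giving interval + additional look-back: ('5m', '1m') -> 'now-6m'."""
    total = span_to_ms(interval) + span_to_ms(additional)
    for unit in ("d", "h", "m", "s", "ms"):
        if total % _UNITS_MS[unit] == 0:
            return f"now-{total // _UNITS_MS[unit]}{unit}"
    raise AssertionError("unreachable: every total is a whole number of ms")


# Constructed rule fragments for this example; not files from the repository.
SAMPLE_RULES = {
    "ok_default_window.toml": '[rule]\nname = "Sample A"\nfrom = "now-6m"\ninterval = "5m"\n',
    "no_extra_lookback.toml": '[rule]\nname = "Sample B"\nfrom = "now-10m"\ninterval = "10m"\n',
    "window_shorter_than_interval.toml": '[rule]\nname = "Sample C"\nfrom = "now-30m"\ninterval = "1h"\n',
    "explicit_to.toml": '[rule]\nname = "Sample D"\nfrom = "now-9m"\nto = "now-1m"\ninterval = "5m"\n',
}

if __name__ == "__main__":
    for name in rules_without_additional_lookback(SAMPLE_RULES):
        print(name)
```

Sample B is flagged because its window equals its interval exactly, Sample C because its window is shorter than its interval; Sample D shows that an explicit `to` shifts the whole window rather than shrinking it. `suggest_from` is the remediation side of the same arithmetic: given the interval and how much extra look-back you want, it emits the `from` value to put in the TOML.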
@@ -13,9 +13,9 @@ enabled = false | |||
false_positives = [ | |||
"This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.", | |||
] | |||
from = "now-30m" | |||
from = "now-1h" |
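Review bot: `from` moves from `now-30m` to `now-1h`, but the rule's `interval` lies outside the shown context, so whether the new window now exceeds the interval (the `to - from <= interval` condition that flagged this rule) cannot be verified from this hunk; include the `interval` line in the diff, or state the interval for this rule in the PR description, so a reviewer can confirm the additional look-back. The PR summary also says `interval` times were adjusted, yet only `from` changes here.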
@approksiu @Mikaayenson - If we want this different just let me know.
rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Mika Ayenson <[email protected]>
…_single_user.toml Co-authored-by: Mika Ayenson <[email protected]>
…trieval Rules (#4324)
* rule tuning Okta and AWS lookback times
* adjusted Query Registry using Built-in Tools
* adjusted My First Rule
* Update rules/cross-platform/guided_onboarding_sample_rule.toml
Co-authored-by: Mika Ayenson <[email protected]>
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Mika Ayenson <[email protected]>
---------
Co-authored-by: Mika Ayenson <[email protected]>
Removed changes from:
- rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
(selectively cherry picked from commit dad008e)
…trieval Rules (#4324)
* rule tuning Okta and AWS lookback times
* adjusted Query Registry using Built-in Tools
* adjusted My First Rule
* Update rules/cross-platform/guided_onboarding_sample_rule.toml
Co-authored-by: Mika Ayenson <[email protected]>
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Mika Ayenson <[email protected]>
---------
Co-authored-by: Mika Ayenson <[email protected]>
(cherry picked from commit dad008e)
Pull Request
Issue link(s):
Summary - What I changed
Adjusted the `from` and `interval` times for rules per @approksiu.
How To Test
Queries were adjusted for format, but no logic changes.