[Bug] Index information on the TOML files does not make it to Kibana SIEM rules #121

Closed
ArdRay opened this issue Aug 12, 2020 · 2 comments · Fixed by #216
Labels: bug (Something isn't working), community

Comments

ArdRay commented Aug 12, 2020

Describe the bug
During testing of the new Kibana upload feature, we have identified that the index information on the TOML configuration does not propagate to the rules in the Kibana SIEM app.

To Reproduce
Steps to reproduce the behavior:

  1. Create a TOML detection rule which follows the guidelines provided. Example:
[metadata]
creation_date = "2020/08/11"
ecs_version = ["1.5.0"]
maturity = "development"
updated_date = "2020/08/11"

[rule]
author = ["Rule export"]
description = "The contents of crontab have been modified by a non-root user."
tags = ["prod"]
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License"
name = "Cron - Crontab entry changed"
risk_score = 15
rule_id = "9bad9907-1969-4a70-bfbd-367f0dcc0203"
severity = "low"
type = "query"

query = '''
event.module: cron and event.action: changed and not user.name: root
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1053"
name = "Scheduled Task"
reference = "https://attack.mitre.org/techniques/T1053/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
  2. Ensure all tests pass successfully.
python3 -m detection_rules toml-lint
python3 -m detection_rules validate-all
python3 -m detection_rules test 
  3. Verify that the index information makes it to the API call.
python3 -m detection_rules view-rule -f ./rules/cron_crontab_entry_changed.toml --as-api

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
{
  "author": [
    "Rule export"
  ],
  "description": "The contents of crontab have been modified by a non-root user.",
  "index": [
    "filebeat-*"
  ],
  "language": "kuery",
  "license": "Elastic License",
  "name": "Cron - Crontab entry changed",
  "query": "event.module: cron and event.action: changed and not user.name: root",
  "risk_score": 15,
  "rule_id": "9bad9907-1969-4a70-bfbd-367f0dcc0203",
  "severity": "low",
  "tags": [
    "prod"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0002",
        "name": "Execution",
        "reference": "https://attack.mitre.org/tactics/TA0002/"
      },
      "technique": [
        {
          "id": "T1053",
          "name": "Scheduled Task",
          "reference": "https://attack.mitre.org/techniques/T1053/"
        }
      ]
    },
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0003",
        "name": "Persistence",
        "reference": "https://attack.mitre.org/tactics/TA0003/"
      },
      "technique": [
        {
          "id": "T1053",
          "name": "Scheduled Task",
          "reference": "https://attack.mitre.org/techniques/T1053/"
        }
      ]
    }
  ],
  "type": "query"
}
  4. Push to Kibana.
python3 -m detection_rules kibana-upload --url $KIBANA_URL -u $KIBANA_USERNAME -p $KIBANA_PASSWORD rules/*.toml
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
Loading rules from /opt/rule_engine/detection-rules/rules
Loaded 1 rules
Successfully uploaded 1 rules
  5. Verify the rule within the SIEM Kibana app.
    [Screenshot 2020-08-12 at 16 56 40]
    [Screenshot 2020-08-12 at 16 56 54]

Expected behavior
The index should have propagated to the rule within the SIEM app, although, as can be seen from the screenshots above, that information is missing. The index field is empty.

Desktop (please complete the following information):

  • OS: macOS
  • Version: 10.15.5
  • Python version: 3.6.8
  • ELK version: Tested on 7.8.0 and 7.8.1; the issue persists on both.
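As an added example (not part of this report or of the detection-rules project), a stdlib-only check that compares the local `--as-api` rendering of a rule with the rule object Kibana returns, so a field that silently disappears on upload, like `index` here, is caught automatically. Both dicts are constructed from the values in the report; the Kibana object id is a placeholder.

```python
"""Regression check: did every field we sent to Kibana survive the upload?"""
import json

# Constructed sample: the `view-rule --as-api` output from the report,
# trimmed to the fields relevant to the comparison.
LOCAL_API_RULE = {
    "index": ["filebeat-*"],
    "language": "kuery",
    "name": "Cron - Crontab entry changed",
    "query": "event.module: cron and event.action: changed and not user.name: root",
    "risk_score": 15,
    "rule_id": "9bad9907-1969-4a70-bfbd-367f0dcc0203",
    "severity": "low",
    "tags": ["prod"],
    "type": "query",
}

# Constructed sample of what Kibana handed back for the same rule_id:
# server-side fields were added and, as in the bug report, `index` is gone.
KIBANA_RULE = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder Kibana object id
    "enabled": False,
    "language": "kuery",
    "name": "Cron - Crontab entry changed",
    "query": "event.module: cron  and event.action: changed and not user.name: root",
    "risk_score": 15,
    "rule_id": "9bad9907-1969-4a70-bfbd-367f0dcc0203",
    "severity": "low",
    "tags": ["prod"],
    "type": "query",
}


def _normalize(value):
    """Make values comparable: order-insensitive lists, whitespace-insensitive strings."""
    if isinstance(value, list):
        return sorted(json.dumps(item, sort_keys=True) for item in value)
    if isinstance(value, str):
        return " ".join(value.split())
    return value


def find_dropped_fields(local, remote):
    """Return {field: (local_value, remote_value)} for every locally set field that
    is missing or different in the Kibana copy. Fields only Kibana sets (id,
    enabled, ...) are ignored, since they are expected to differ."""
    return {key: (value, remote.get(key)) for key, value in local.items()
            if _normalize(value) != _normalize(remote.get(key))}


if __name__ == "__main__":
    for field, (want, got) in find_dropped_fields(LOCAL_API_RULE, KIBANA_RULE).items():
        print(f"{field}: local={want!r} kibana={got!r}")
```

Running it against a live deployment means replacing `KIBANA_RULE` with the object fetched from Kibana for the same `rule_id`; an empty result means the upload was lossless.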
rw-access (Contributor) commented:

@spong do you have any ideas about this behavior at the API level?

rw-access (Contributor) commented:

Ah, could also be at the schema downgrade level. I'll check the Python side.

This issue was closed.