
[SIEM] version 7.7 rule import #61903

Merged
merged 8 commits into from
Mar 31, 2020

Conversation

randomuserid
Contributor

@randomuserid randomuserid commented Mar 30, 2020

Summary

This PR does not contain new Kibana features. It adds 38 new SIEM rules and makes syntax modifications to existing rules. The rules execute in the existing (siem) detection engine.

Checklist

For maintainers

@randomuserid randomuserid requested a review from a team as a code owner March 30, 2020 22:50
@randomuserid randomuserid changed the title 77 Siem rule import [SIEM] version 7.7 rule import Mar 30, 2020
@randomuserid randomuserid requested a review from spong March 30, 2020 23:01
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)

randomuserid and others added 3 commits March 30, 2020 19:36
…repackaged_rules/windows_credential_dumping_msbuild.json

Co-Authored-By: Garrett Spong <spong@users.noreply.github.com>
@randomuserid randomuserid removed the request for review from FrankHassanabad March 31, 2020 00:57
@spong
Member

spong commented Mar 31, 2020

@elasticmachine merge upstream

@elasticmachine elasticmachine requested a review from a team as a code owner March 31, 2020 01:32
Member

@spong spong left a comment


This rules, @randomuserid! LGTM 👍

@randomuserid randomuserid requested review from rw-access and removed request for rw-access March 31, 2020 02:09
Contributor

@brokensound77 brokensound77 left a comment


LGTM 👍

We will bump versions of modified rules and incorporate the changes for BC3 as discussed. I also updated the schema in siem-rules to reflect `index` being forbidden for `machine_learning` rules.

@@ -4,7 +4,7 @@
* you may not use this file except in compliance with the Elastic License.
*/

export const totalNumberOfPrebuiltRules = 92;
export const totalNumberOfPrebuiltRules = 130;
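Review bot: the hand-maintained literal goes from 92 to 130, which matches the 38 new rules stated in the summary, but nothing in this hunk ties the constant to the rule files actually shipped. Suggest a test that asserts `totalNumberOfPrebuiltRules` equals the number of rules loaded from `prepackaged_rules/`, so the next rule import cannot silently leave the count stale.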
Member


⭐️

@kibanamachine
Contributor

💚 Build Succeeded

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@spong spong merged commit 341c787 into master Mar 31, 2020
spong added a commit to spong/kibana that referenced this pull request Mar 31, 2020
* rule import

* Update x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json

Co-Authored-By: Garrett Spong <spong@users.noreply.github.com>

* Update add_prepackaged_rules_schema.ts

* Update rule.ts

* updates 'prebuilt_rules_loaded' data (elastic#61940)

Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: MadameSheema <snootchie.boochies@gmail.com>
gmmorris added a commit to gmmorris/kibana that referenced this pull request Mar 31, 2020
* upstream/master: (69 commits)
  Adding PagerDuty icon to connectors cards (elastic#60805)
  Fix drag and drop flakiness (elastic#61993)
  Grok debugger migration (elastic#60658)
  Endpoint: Fix resolver SVG position issue (elastic#61886)
  [SIEM] version 7.7 rule import (elastic#61903)
  Added styles to make combobox list items wider for alerting flyout (elastic#61894)
  [UA] Tight worker loop can cause high CPU usage (elastic#60950)
  [ML] DF Analytics results table: use index pattern field format if one exists (elastic#61709)
  [ML] Catching unknown index pattern errors (elastic#61935)
  [Discover] Deangularize and euificate sidebar  (elastic#47559)
  Endpoint: Add ts-node dev dependency (elastic#61884)
  Add an onBlur handler for the kuery bar. Only resubmit when input changes. (elastic#61901)
  [ML] Handle Empty Partition Field Values in Single Metric Viewer (elastic#61649)
  Auto interval on date histogram is getting displayed as timestamp per… (elastic#59171)
  [Maps] Explicitly pass fetch function to ems-client (elastic#61846)
  [SIEM][CASE] Fix aria-labels and translations (elastic#61670)
  [ML] Settings: Increase number of items that can be paged in calendars and filters lists (elastic#61842)
  [EPM] update epm filepath route (elastic#61910)
  APM] Set ignore_above to 1024 for telemetry saved object (elastic#61732)
  [Logs UI] Log stream row rendering (elastic#60773)
  ...
@spong spong deleted the 77-siem-rules branch March 31, 2020 18:26
spong added a commit that referenced this pull request Mar 31, 2020
* rule import

* Update x-pack/legacy/plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_credential_dumping_msbuild.json

Co-Authored-By: Garrett Spong <spong@users.noreply.github.com>

* Update add_prepackaged_rules_schema.ts

* Update rule.ts

* updates 'prebuilt_rules_loaded' data (#61940)

Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: MadameSheema <snootchie.boochies@gmail.com>

Co-authored-by: The SpaceCake Project <randomuserid@users.noreply.github.com>
Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: MadameSheema <snootchie.boochies@gmail.com>
gmmorris added a commit to gmmorris/kibana that referenced this pull request Apr 1, 2020
* master: (64 commits)
  Adding PagerDuty icon to connectors cards (elastic#60805)
  Fix drag and drop flakiness (elastic#61993)
  Grok debugger migration (elastic#60658)
  Endpoint: Fix resolver SVG position issue (elastic#61886)
  [SIEM] version 7.7 rule import (elastic#61903)
  Added styles to make combobox list items wider for alerting flyout (elastic#61894)
  [UA] Tight worker loop can cause high CPU usage (elastic#60950)
  [ML] DF Analytics results table: use index pattern field format if one exists (elastic#61709)
  [ML] Catching unknown index pattern errors (elastic#61935)
  [Discover] Deangularize and euificate sidebar  (elastic#47559)
  Endpoint: Add ts-node dev dependency (elastic#61884)
  Add an onBlur handler for the kuery bar. Only resubmit when input changes. (elastic#61901)
  [ML] Handle Empty Partition Field Values in Single Metric Viewer (elastic#61649)
  Auto interval on date histogram is getting displayed as timestamp per… (elastic#59171)
  [Maps] Explicitly pass fetch function to ems-client (elastic#61846)
  [SIEM][CASE] Fix aria-labels and translations (elastic#61670)
  [ML] Settings: Increase number of items that can be paged in calendars and filters lists (elastic#61842)
  [EPM] update epm filepath route (elastic#61910)
  APM] Set ignore_above to 1024 for telemetry saved object (elastic#61732)
  [Logs UI] Log stream row rendering (elastic#60773)
  ...
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

Labels
release_note:enhancement Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM v7.7.0 v7.8.0 v8.0.0
8 participants