Add kibana/security-rule asset type (#142)

* Add kibana/rules for detection rules as JSON files * Update changelog.yml * Limit scope to a single 'security-rule' asset * Update spec and statik * Update specs * Loosen up security_rule artifact
elastic · Mar 18, 2021 · 63e8131 · 63e8131
1 parent 4d3bd5b
commit 63e8131
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 1 deletion.
diff --git a/code/go/internal/spec/statik.go b/code/go/internal/spec/statik.go
diff --git a/test/packages/good/kibana/security_rule/rule-000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json b/test/packages/good/kibana/security_rule/rule-000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json
@@ -0,0 +1,37 @@
+{
+  "author": [
+    "Elastic"
+  ],
+  "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
+  "false_positives": [
+    "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+  ],
+  "index": [
+    "filebeat-*",
+    "logs-okta*"
+  ],
+  "language": "kuery",
+  "license": "Elastic License v2",
+  "name": "Attempt to Modify an Okta Policy Rule",
+  "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+  "query": "event.dataset:okta.system and event.action:policy.rule.update",
+  "references": [
+    "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+    "https://developer.okta.com/docs/reference/api/system-log/",
+    "https://developer.okta.com/docs/reference/api/event-types/"
+  ],
+  "risk_score": 21,
+  "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+  "severity": "low",
+  "tags": [
+    "Elastic",
+    "Identity",
+    "Okta",
+    "Continuous Monitoring",
+    "SecOps",
+    "Identity and Access"
+  ],
+  "timestamp_override": "event.ingested",
+  "type": "query",
+  "version": 5
+}
diff --git a/versions/1/changelog.yml b/versions/1/changelog.yml
@@ -100,3 +100,6 @@
   - description: Add optional NOTICE.txt file to a package
     type: enhancement
     link: https://github.com/elastic/package-spec/pull/151
+  - description: Add kibana/security-rule asset
+    type: enhancement
+    link: https://github.com/elastic/package-spec/pull/142
diff --git a/versions/1/kibana/spec.yml b/versions/1/kibana/spec.yml
@@ -65,3 +65,12 @@
         type: file
         contentMediaType: "application/json"
         pattern: '^.+\.json$'
+    - description: Folder containing rules
+      type: folder
+      name: "security_rule"
+      required: false
+      contents:
+      - description: An individual rule file for the detection engine
+        type: file
+        contentMediaType: "application/json"
+        pattern: '^.+\.json$'