Esempio n. 1
 def test_stack_schema_map(self):
     """Assert the stack-schema-map has an entry for the current package version.

     Compares only the (major, minor) prefix of each key in
     ``stack-schema-map.yaml`` against the current package version, so a
     patch-level bump does not require a new map entry.
     """
     current = Version(load_current_package_version())
     schema_map = utils.load_etc_dump('stack-schema-map.yaml')
     # Keys are compared on their major.minor prefix only.
     known_minor_versions = [Version(key)[:2] for key in schema_map]
     self.assertIn(
         current,
         known_minor_versions,
         msg=f'There is no entry defined for the current package ({current}) in the stack-schema-map',
     )
Esempio n. 2
 def build_rule(query):
     """Build a TOMLRuleContents object from ``base_fields`` plus the given query.

     Args:
         query: the detection query string placed in the rule's ``query`` field.

     Returns:
         The result of ``TOMLRuleContents.from_dict`` for a rule whose metadata
         uses fixed epoch dates and the current package version as
         ``min_stack_version``.
     """
     # Fixed dates keep the fixture deterministic; only the stack version varies.
     rule_metadata = {
         "creation_date": "1970/01/01",
         "updated_date": "1970/01/01",
         "min_stack_version": load_current_package_version(),
     }
     rule_fields = base_fields.copy()
     rule_fields.update(query=query)
     return TOMLRuleContents.from_dict({"metadata": rule_metadata, "rule": rule_fields})
Esempio n. 3
    def setUpClass(cls):
        """Prepare the rule-content fixtures used by the downgrade tests.

        Class attributes set here:
            current_version: the package version string from ``load_current_package_version``.
            v78_kql: baseline KQL rule contents (one tactic, one technique).
            v79_kql: ``v78_kql`` plus ``author`` and ``license`` fields.
            v711_kql: deep copy of ``v79_kql`` with a subtechnique and a second tactic.
            v79_threshold_contents: threshold rule with a single ``threshold.field``.
            v712_threshold_rule: threshold rule with a list of fields and a ``cardinality`` entry.
        """
        cls.current_version = load_current_package_version()

        execution_tactic = {
            "id": "TA0001",
            "name": "Execution",
            "reference": "https://attack.mitre.org/tactics/TA0001/",
        }
        scripting_technique = {
            "id": "T1059",
            "name": "Command and Scripting Interpreter",
            "reference": "https://attack.mitre.org/techniques/T1059/",
        }

        # expected contents for a downgraded rule
        cls.v78_kql = {
            "description": "test description",
            "index": ["filebeat-*"],
            "language": "kuery",
            "name": "test rule",
            "query": "process.name:test.query",
            "risk_score": 21,
            "rule_id": str(uuid.uuid4()),
            "severity": "low",
            "type": "query",
            "threat": [{
                "framework": "MITRE ATT&CK",
                "tactic": execution_tactic,
                "technique": [scripting_technique],
            }],
        }

        # Shallow copy: v79_kql shares the nested "threat" list with v78_kql,
        # which is why v711_kql below is deep-copied before being mutated.
        cls.v79_kql = dict(cls.v78_kql, author=["Elastic"], license="Elastic License v2")

        cls.v711_kql = copy.deepcopy(cls.v79_kql)
        first_technique = cls.v711_kql["threat"][0]["technique"][0]
        # noinspection PyTypeChecker
        first_technique["subtechnique"] = [{
            "id": "T1059.001",
            "name": "PowerShell",
            "reference": "https://attack.mitre.org/techniques/T1059/001/",
        }]
        # noinspection PyTypeChecker
        cls.v711_kql["threat"].append({
            "framework": "MITRE ATT&CK",
            "tactic": {
                "id": "TA0008",
                "name": "Lateral Movement",
                "reference": "https://attack.mitre.org/tactics/TA0008/",
            },
        })

        cls.v79_threshold_contents = {
            "author": ["Elastic"],
            "description": "test description",
            "language": "kuery",
            "license": "Elastic License v2",
            "name": "test rule",
            "query": "process.name:test.query",
            "risk_score": 21,
            "rule_id": str(uuid.uuid4()),
            "severity": "low",
            "threshold": {"field": "destination.bytes", "value": 75},
            "type": "threshold",
        }

        # Same rule with the newer threshold shape: a list of fields plus cardinality.
        newer_threshold = {
            'field': ['destination.bytes', 'process.args'],
            'value': 75,
            'cardinality': [{'field': 'user.name', 'value': 2}],
        }
        cls.v712_threshold_rule = dict(
            copy.deepcopy(cls.v79_threshold_contents),
            threshold=newer_threshold,
        )