Merge branch 'main' into kerb-unusual-client

Author: Samirbous

.github/workflows/kibana-mitre-update.yml

@@ -18,7 +18,7 @@ jobs:
 
       - name: Get MITRE Attack changed files
         id: changed-attack-files
-        uses: tj-actions/changed-files@2f7c5bfce28377bc069a65ba478de0a74aa0ca32 # v46.0.1
+        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
         with:
           files: detection_rules/etc/attack-v*.json.gz
 

.github/workflows/lock-versions.yml

@@ -37,7 +37,57 @@ jobs:
           pip cache purge
           pip install .[dev]
 
+      - name: Check out container repository
+        env:
+          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+          DR_API_KEY: ${{ secrets.dr_api_key }}
+        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          path: elastic-container
+          repository: peasead/elastic-container
+
+      - name: Build and run containers
+        env:
+          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+          DR_API_KEY: ${{ secrets.dr_api_key }}
+        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }} 
+        run: |
+          cd elastic-container
+          GENERATED_PASSWORD=$(openssl rand -base64 16)
+          sed -i "s|changeme|$GENERATED_PASSWORD|" .env
+          echo "::add-mask::$GENERATED_PASSWORD"
+          echo "GENERATED_PASSWORD=$GENERATED_PASSWORD" >> $GITHUB_ENV
+          set -x
+          bash elastic-container.sh start
+          
+      - name: Get API Key and setup auth
+        env:
+          DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+          DR_API_KEY: ${{ secrets.dr_api_key }}
+          DR_ELASTICSEARCH_URL: "https://localhost:9200"
+          ES_USER: "elastic"
+          ES_PASSWORD: ${{ env.GENERATED_PASSWORD }}
+        if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
+        run: |
+          cd detection-rules
+          response=$(curl -k -X POST -u "$ES_USER:$ES_PASSWORD" -H "Content-Type: application/json" -d '{
+            "name": "tmp-api-key",
+            "expiration": "1d"
+          }' "$DR_ELASTICSEARCH_URL/_security/api_key")
+
+          DR_API_KEY=$(echo "$response" | jq -r '.encoded')
+          echo "::add-mask::$DR_API_KEY"
+          echo "DR_API_KEY=$DR_API_KEY" >> $GITHUB_ENV
+
       - name: Build release package with navigator files
+        env:
+          DR_REMOTE_ESQL_VALIDATION: "true"
+          DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
+          DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
+          DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
+          DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
+          DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
         run: |
           python -m detection_rules dev build-release --generate-navigator
 
@@ -56,6 +106,12 @@ jobs:
       - name: Lock the versions
         env:
           BRANCHES: "${{github.event.inputs.branches}}"
+          DR_REMOTE_ESQL_VALIDATION: "true"
+          DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
+          DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
+          DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
+          DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
+          DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
         run: |
           ./detection_rules/etc/lock-multiple.sh $BRANCHES
           git add detection_rules/etc/version.lock.json

.github/workflows/release-fleet.yml

@@ -112,7 +112,57 @@ jobs:
             git tag $RELEASE_TAG
             git push origin $RELEASE_TAG
 
+        - name: Check out container repository
+          env:
+            DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+            DR_API_KEY: ${{ secrets.dr_api_key }}
+          if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
+          uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+          with:
+            path: elastic-container
+            repository: peasead/elastic-container
+
+        - name: Build and run containers
+          env:
+            DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+            DR_API_KEY: ${{ secrets.dr_api_key }}
+          if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }} 
+          run: |
+            cd elastic-container
+            GENERATED_PASSWORD=$(openssl rand -base64 16)
+            sed -i "s|changeme|$GENERATED_PASSWORD|" .env
+            echo "::add-mask::$GENERATED_PASSWORD"
+            echo "GENERATED_PASSWORD=$GENERATED_PASSWORD" >> $GITHUB_ENV
+            set -x
+            bash elastic-container.sh start
+          
+        - name: Get API Key and setup auth
+          env:
+            DR_CLOUD_ID: ${{ secrets.dr_cloud_id }}
+            DR_API_KEY: ${{ secrets.dr_api_key }}
+            DR_ELASTICSEARCH_URL: "https://localhost:9200"
+            ES_USER: "elastic"
+            ES_PASSWORD: ${{ env.GENERATED_PASSWORD }}
+          if: ${{ !env.DR_CLOUD_ID && !env.DR_API_KEY }}
+          run: |
+            cd detection-rules
+            response=$(curl -k -X POST -u "$ES_USER:$ES_PASSWORD" -H "Content-Type: application/json" -d '{
+              "name": "tmp-api-key",
+              "expiration": "1d"
+            }' "$DR_ELASTICSEARCH_URL/_security/api_key")
+
+            DR_API_KEY=$(echo "$response" | jq -r '.encoded')
+            echo "::add-mask::$DR_API_KEY"
+            echo "DR_API_KEY=$DR_API_KEY" >> $GITHUB_ENV
+
         - name: Build release package
+          env:
+            DR_REMOTE_ESQL_VALIDATION: "true"
+            DR_CLOUD_ID: ${{ secrets.dr_cloud_id || '' }}
+            DR_KIBANA_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:5601' || '' }}
+            DR_ELASTICSEARCH_URL: ${{ secrets.dr_cloud_id == '' && 'https://localhost:9200' || '' }}
+            DR_API_KEY: ${{ secrets.dr_api_key || env.DR_API_KEY }}
+            DR_IGNORE_SSL_ERRORS: ${{ secrets.dr_cloud_id == '' && 'true' || '' }}
           run: |
             cd detection-rules
             python -m detection_rules dev build-release

detection_rules/index_mappings.py

@@ -261,7 +261,6 @@ def get_filtered_index_schema(
     filtered_keys.update(non_ecs_indices.keys())
     filtered_keys.update(custom_indices.keys())
     filtered_keys.add("logs-endpoint.alerts-*")
-    filtered_keys.update(indices)
 
     matches: list[str] = []
     for index in indices:

detection_rules/rule.py

@@ -1528,7 +1528,11 @@ def get_packaged_integrations(
                 *definitions.NON_DATASET_PACKAGES,
                 *map(str.lower, definitions.MACHINE_LEARNING_PACKAGES),
             ]
-            if integration in ineligible_integrations or isinstance(data, MachineLearningRuleData):
+            if (
+                integration in ineligible_integrations
+                or isinstance(data, MachineLearningRuleData)
+                or (isinstance(data, ESQLRuleData) and integration not in datasets)
+            ):
                 packaged_integrations.append({"package": integration, "integration": None})
 
         packaged_integrations.extend(parse_datasets(list(datasets), package_manifest))

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.5.4"
+version = "1.5.5"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

tests/test_rules_remote.py

@@ -46,6 +46,28 @@ def test_esql_related_integrations(self):
         for integration in related_integrations:
             assert integration["package"] == "aws", f"Expected 'aws', but got {integration['package']}"
 
+    def test_esql_non_dataset_package_related_integrations(self):
+        """Test an ESQL rule has its related integrations built correctly with a non dataset package."""
+        file_path = get_path(["tests", "data", "command_control_dummy_production_rule.toml"])
+        original_production_rule = load_rule_contents(file_path)
+        production_rule = deepcopy(original_production_rule)[0]
+        production_rule["metadata"]["integration"] = ["aws_bedrock"]
+        production_rule["rule"]["query"] = """
+        from logs-aws_bedrock.invocation-* metadata _id, _version, _index
+        // Filter for access denied errors from GenAI responses
+        | where gen_ai.response.error_code == "AccessDeniedException"
+        // keep ECS and response fields
+        | keep
+        user.id,
+        gen_ai.request.model.id,
+        cloud.account.id,
+        gen_ai.response.error_code
+        """
+        rule = RuleCollection().load_dict(production_rule)
+        related_integrations = rule.contents.to_api_format()["related_integrations"]
+        for integration in related_integrations:
+            assert integration["package"] == "aws_bedrock", f"Expected 'aws_bedrock', but got {integration['package']}"
+
     def test_esql_event_dataset_schema_error(self):
         """Test an ESQL rule that uses event.dataset field in the query that restricts the schema failing validation."""
         file_path = get_path(["tests", "data", "command_control_dummy_production_rule.toml"])