Merge branch 'main' into Samirbous-patch-1

Author: Samirbous

.github/PULL_REQUEST_GUIDELINES/bug_guidelines.md

@@ -31,4 +31,5 @@ These guidelines serve as a reminder set of considerations when addressing a bug
 - [ ] Ensure that the bug fix does not break existing functionality.
 - [ ] Review the bug fix with a peer or team member for additional insights.
 - [ ] Verify that the bug fix works across all relevant environments (e.g., different OS versions).
-- [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
+- [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
+- [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.

.github/PULL_REQUEST_GUIDELINES/enhancement_guidelines.md

@@ -32,3 +32,4 @@ These guidelines serve as a reminder set of considerations when addressing addin
 - [ ] Review the enhancement with a peer or team member for additional insights.
 - [ ] Verify that the enhancement works across all relevant environments (e.g., different OS versions).
 - [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
+- [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.

.github/PULL_REQUEST_GUIDELINES/hunt_tuning_guidelines.md

@@ -27,4 +27,4 @@ These guidelines serve as a reminder set of considerations when tuning an existi
 - [ ] Evidence of testing and valid query usage.
 - [ ] Markdown Generated: Run `python -m hunting generate-markdown` with specific parameters to ensure a markdown version of the hunting TOML files is created.
 - [ ] Index Refreshed: Run `python -m hunting refresh-index` to refresh indexes.
-- [ ] Run Unit Tests: Run `pytest tests/test_hunt_data.py` to run unit tests.
+- [ ] Run Unit Tests: Run `pytest tests/test_hunt_data.py` to run unit tests.

.github/PULL_REQUEST_GUIDELINES/schema_enhancement_guidelines.md

@@ -43,4 +43,5 @@ These guidelines serve as a reminder set of considerations when addressing addin
 - [ ] Implemented requisite downgrade functionality
 - [ ] Cross-referenced the feature with product documentation for consistency
 - [ ] Incorporated a comprehensive test rule in unit tests for full schema coverage
-- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-remote-cli`)
+- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-remote-cli`)
+- [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.

.github/PULL_REQUEST_TEMPLATE.md

@@ -36,7 +36,7 @@ from your submission, but they are here to help bring them to your attention.
 
 <!-- Delete any items that are not applicable to this PR. -->
 
-- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
+- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
 - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
 - [ ] Secret and sensitive material has been managed correctly
 - [ ] Automated testing was updated or added to match the most common scenarios

.github/release-drafter.yml

@@ -0,0 +1,37 @@
+name-template: 'dev-v$RESOLVED_VERSION'
+tag-template: 'dev-v$RESOLVED_VERSION'
+tag-prefix: 'dev-v'
+
+categories:
+  - title: 🚀 Features
+    label: 'enhancement'
+  - title: 🐛 Bug Fixes
+    label: 'bug'
+  - title: 🛠 Internal Changes
+    labels:
+      - 'maintenance'
+      - 'schema'
+      - 'documentation'
+      - 'python'
+  - title: 🔍 Hunting Updates
+    label: 'Hunting'
+
+change-template: '- $TITLE (#$NUMBER) @$AUTHOR'
+exclude-labels:
+  - 'skip-changelog'
+
+version-resolver:
+  major:
+    labels:
+      - 'major'
+  minor:
+    labels:
+      - 'minor'
+  patch:
+    labels:
+      - 'patch'
+  default: patch
+
+template: |
+  ## Changes
+  $CHANGES

.github/workflows/version-code-and-release.yml

@@ -0,0 +1,81 @@
+name: Version Code Check and Draft Release
+
+on:
+  pull_request:
+    paths:
+      - 'lib/**'
+      - 'hunting/**/*.py'
+      - 'pyproject.toml'
+      - 'Makefile'
+      - 'docs/**'
+      - 'detection_rules/**'
+      - 'tests/**'
+      - '**/*.md'
+    types: [opened, reopened, synchronize, labeled, closed]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  label_check:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Ensure PR has Version Bump Label
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const labels = ['major', 'minor', 'patch'];
+            const prLabels = context.payload.pull_request.labels.map(label => label.name);
+            const hasVersionLabel = labels.some(label => prLabels.includes(label));
+            if (!hasVersionLabel) {
+              throw new Error("PR must have one of the following labels: major, minor, or patch.");
+            }
+
+  version_check:
+    if: github.event_name == 'pull_request'
+    needs: label_check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check if core pyproject.toml was updated
+        run: |
+          BASE_COMMIT="${{ github.event.pull_request.base.sha }}"
+
+          if ! git diff --name-only "$BASE_COMMIT" "$GITHUB_SHA" | grep '^pyproject.toml$'; then
+            echo "Code changes detected in core, but pyproject.toml was not updated."
+            exit 1
+          fi
+
+      - name: Check if lib pyproject.toml files were updated
+        run: |
+          BASE_COMMIT="${{ github.event.pull_request.base.sha }}"
+
+          if git diff --name-only "$BASE_COMMIT" "$GITHUB_SHA" | grep -E 'lib/kql/|lib/kibana/'; then
+            if ! git diff --name-only "$BASE_COMMIT" "$GITHUB_SHA" | grep -E 'lib/kql/pyproject.toml|lib/kibana/pyproject.toml'; then
+              echo "Changes detected in kql or kibana library, but respective pyproject.toml was not updated."
+              exit 1
+            fi
+          fi
+
+  release_drafter:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Release Drafter
+        uses: release-drafter/release-drafter@v6
+        with:
+          config-name: release-drafter.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

detection_rules/etc/integration-manifests.json.gz

@@ -150,7 +150,10 @@
   "logs-aws.cloudtrail-*": {
     "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword",
     "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword",
-    "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword"
+    "aws.cloudtrail.flattened.request_parameters.roleArn": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.roleName": "keyword",
+    "aws.cloudtrail.flattened.request_paramters.policyArn": "keyword",
+    "aws.cloudtrail.flattened.request_parameters.serialNumber": "keyword"
   },
   "logs-azure.signinlogs-*": {
     "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword"