Skip to content

Commit 8993d98

Browse files
shashank-elastictradebot-elastic
shashank-elastic
authored and
tradebot-elastic
committed
Add all rule types DaC testing (#4969)
(cherry picked from commit ee70674)
1 parent bf20e1a commit 8993d98

File tree

3 files changed

+30
-12
lines changed

3 files changed

+30
-12
lines changed

detection_rules/etc/custom-consolidated-rules.ndjson

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
{"id":"49954888-3d9a-44fd-b224-8f8e9653d294","updated_at":"2025-08-18T03:39:54.977Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.318Z","created_by":"841510929","name":"test_kql_rule","tags":["child process","ms office"],"interval":"1h","enabled":true,"revision":1,"description":"Process started by MS Office program - possible payload","risk_score":50,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-70m","rule_id":"process_started_by_ms_office_program","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[{"package":"o365","version":"^2.3.2"}],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"query","language":"kuery","index":["logs-*"],"query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE\n","filters":[{"meta":{"type":"phrase","key":"event.action","params":{"query":"Process Create (rule: ProcessCreate)"},"disabled":false,"negate":false},"$state":{"store":"appState"},"query":{"match_phrase":{"event.action":{"query":"Process Create (rule: ProcessCreate)"}}}}],"actions":[]}
2+
{"id":"c7c868c0-cfe1-4139-a873-4c8ce7b181c1","updated_at":"2025-08-18T03:41:10.096Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.310Z","created_by":"841510929","name":"test_kql_with_alert_supprestion_and_investigation_fileds","tags":["child process","ms office"],"interval":"1h","enabled":true,"revision":1,"description":"Process started by MS Office program - possible payload","risk_score":50,"severity":"low","note":"This a a test sample investigation Guide\nThis a a test sample investigation Guide\nThis a a test sample investigation Guide\n\n!{osquery{\"query\":\"SELECT * FROM file WHERE ( path LIKE '/etc/ld.so.conf.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/sudoers.d/%'\\nOR path LIKE '/etc/rc%.d/%' OR path LIKE '/etc/init.d/%' OR path LIKE '/etc/systemd/system/%' OR path LIKE\\n'/usr/lib/systemd/system/%' )\",\"label\":\"test-osquery\"}}\n\n!{investigate{\"label\":\"test-investigation-query\",\"description\":\"test-investigation-query\",\"providers\":[[{\"field\":\"host.name\",\"excluded\":false,\"queryType\":\"phrase\",\"value\":\"test-host\",\"valueType\":\"string\"}]]}}","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-70m","rule_id":"742feb36-ac4c-45e0-b8a5-3b3cfa66b6d2","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"query","language":"kuery","index":["logs-*"],"query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE\n","filters":[{"$state":{"store":"appState"},"meta":{"disabled":false,"key":"event.action","negate":false,"type":"phrase","params":{"query":"Process Create (rule: ProcessCreate)"}},"query":{"match_phrase":{"event.action":{"query":"Process Create (rule: ProcessCreate)"}}}}],"alert_suppression":{"group_by":["process.parent.name"],"duration":{"value":5,"unit":"h"},"missing_fields_strategy":"suppress"},"actions":[]}
3+
{"id":"e9430a4c-5fce-41b7-9d55-7645360e11d9","updated_at":"2025-08-18T03:40:30.081Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.326Z","created_by":"841510929","name":"test_kql_with_alert_suppression","tags":["child process","ms office"],"interval":"1h","enabled":true,"revision":1,"description":"Process started by MS Office program - possible payload","risk_score":50,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-70m","rule_id":"process_started_by_ms_office_program_supression","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"query","language":"kuery","index":["logs-*"],"query":"process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE\n","filters":[{"meta":{"type":"phrase","key":"event.action","params":{"query":"Process Create (rule: ProcessCreate)"},"disabled":false,"negate":false},"$state":{"store":"appState"},"query":{"match_phrase":{"event.action":{"query":"Process Create (rule: ProcessCreate)"}}}}],"alert_suppression":{"group_by":["process.parent.name"],"duration":{"value":5,"unit":"h"},"missing_fields_strategy":"suppress"},"actions":[]}
4+
{"id":"45241dcf-1bb2-41eb-8e91-89741af275c0","updated_at":"2025-08-18T03:43:41.240Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.317Z","created_by":"841510929","name":"test_eql_rule","tags":["EQL","Windows","rundll32.exe"],"interval":"5m","enabled":true,"revision":1,"description":"Unusual rundll32.exe network connection","risk_score":21,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"eql-outbound-rundll32-connections","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.args_count","type":"long","ecs":true},{"name":"process.entity_id","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.pe.original_file_name","type":"keyword","ecs":true}],"setup":"None","type":"eql","language":"eql","index":["logs-*"],"query":"sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]\n","filters":[],"actions":[]}
5+
{"id":"11d7b970-0076-4ae1-b328-16d6778489f2","updated_at":"2025-08-18T03:45:34.509Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.308Z","created_by":"841510929","name":"test_esql_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Find Excel events","risk_score":21,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"7e0f6dae-5847-465f-89e9-a6de0e9ef918","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"esql","language":"esql","query":"from auditbeat-8.10.2 METADATA _id, _version, _index | KEEP process.parent.name | where process.parent.name == \"EXCEL.EXE\"\n","actions":[]}
6+
{"id":"72abd101-fe39-43f0-a6d1-e9a373684cab","updated_at":"2025-08-18T03:46:00.515Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.334Z","created_by":"841510929","name":"test_new_terms_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Detects a user associated with a new IP address","risk_score":21,"severity":"medium","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"2390c9dd-ad90-4af6-97a4-1d607ba0f092","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"user.id","type":"keyword","ecs":true},{"name":"source.ip","type":"ip","ecs":true}],"setup":"None","type":"new_terms","query":"host.name:prml-19 and event.category:authentication and event.outcome:failure\n","new_terms_fields":["user.id","source.ip"],"history_window_start":"now-30d","index":["auditbeat*"],"filters":[],"language":"kuery","actions":[]}
7+
{"id":"e0e31a34-2e18-40c0-af09-539021e8439d","updated_at":"2025-08-18T03:47:21.590Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.344Z","created_by":"841510929","name":"test_indicator_match_rule_with_email_actions","tags":[],"interval":"5m","enabled":true,"revision":5,"description":"Checks for bad IP addresses listed in the ip-threat-list index","risk_score":50,"severity":"medium","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"4c589d81-2622-4036-8cc7-372ea8f0e038","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"destination.ip","type":"ip","ecs":true},{"name":"destination.port","type":"long","ecs":true},{"name":"host.ip","type":"ip","ecs":true}],"setup":"None","type":"threat_match","language":"kuery","index":["packetbeat-*"],"query":"destination.ip:* or host.ip:*\n","filters":[],"threat_filters":[],"threat_query":"*:*","threat_mapping":[{"entries":[{"field":"destination.ip","type":"mapping","value":"destination.ip"},{"field":"destination.port","type":"mapping","value":"destination.port"}]},{"entries":[{"field":"source.ip","type":"mapping","value":"host.ip"}]}],"threat_language":"kuery","threat_index":["ip-threat-list"],"threat_indicator_path":"threat.indicator","actions":[{"id":"elastic-cloud-email","params":{"message":"Rule {{context.rule.name}} generated {{state.signals_count}} alerts","subject":"Test Actions","to":["[email protected]"]},"action_type_id":".email","uuid":"74c388a4-c94f-4541-bacc-2a1b4c47e768","frequency":{"summary":true,"notifyWhen":"onActiveAlert","throttle":null},"group":"default"}]}
8+
{"id":"a0d623ea-e8a4-4eff-9c6c-643ceff9f3e5","updated_at":"2025-08-18T03:44:54.407Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.331Z","created_by":"841510929","name":"test_threshold_with_rule_exception","tags":["Brute force"],"interval":"2m","enabled":true,"revision":1,"description":"Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.","risk_score":30,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-3m","rule_id":"liv-win-ser-logins","max_signals":100,"risk_score_mapping":[],"severity_mapping":[{"field":"source.geo.city_name","operator":"equals","severity":"low","value":"Manchester"},{"field":"source.geo.city_name","operator":"equals","severity":"medium","value":"London"},{"field":"source.geo.city_name","operator":"equals","severity":"high","value":"Birmingham"},{"field":"source.geo.city_name","operator":"equals","severity":"critical","value":"Wallingford"}],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"82395156-8ad2-46c3-be79-1f1a23c0d802","list_id":"0a4124f8-2074-450b-8689-d7dee319c666","type":"rule_default","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"source.ip","type":"ip","ecs":true}],"setup":"None","type":"threshold","language":"kuery","index":["winlogbeat-*"],"query":"host.name:prml-19 and event.category:authentication and event.outcome:failure\n","filters":[],"threshold":{"field":["source.ip"],"value":20,"cardinality":[]},"actions":[]}
9+
{"id":"9bcffa42-d8b5-4706-afec-3cf33b19d9b1","updated_at":"2025-08-18T03:48:19.634Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.415Z","created_by":"841510929","name":"test_machine_learning_rule_with_index_action_connector ","tags":["machine learning","Linux"],"interval":"5m","enabled":true,"revision":5,"description":"Generates alerts when the job discovers anomalies over 70","risk_score":70,"severity":"high","note":"Shut down the internet.","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"ml_linux_network_high_threshold","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"This rule requires data coming in from Elastic Defend.","type":"machine_learning","anomaly_threshold":70,"machine_learning_job_id":["linux_anomalous_network_activity_ecs"],"actions":[{"id":"e1b418e7-78df-4042-bfb0-1cc5fb6f7a4e","params":{"documents":[{"rule.id":"{{rule.id}}"}]},"action_type_id":".index","uuid":"175f50f8-3bc1-4017-805f-e532d7eb2f91","frequency":{"summary":true,"notifyWhen":"onActiveAlert","throttle":null},"group":"default"}]}
10+
{"_version":"WzE3NjU1LDhd","created_at":"2025-08-14T12:42:04.522Z","created_by":"841510929","description":"","id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","immutable":false,"list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","name":"Test Excpetion List","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"14b3565d-0c8a-48db-b76a-e46c01574a57","type":"detection","updated_at":"2025-08-14T12:42:04.522Z","updated_by":"841510929","version":1}
11+
{"_version":"WzE3NjU2LDhd","comments":[],"created_at":"2025-08-14T12:42:34.361Z","created_by":"841510929","description":"Exception list item","entries":[{"type":"match","field":"host.name","value":"test-host","operator":"included"}],"id":"dc084b23-4b9c-40c9-a172-77468ee2a4d9","item_id":"734852b6-b3bf-4942-8b3b-c058bd16088f","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","name":"host_excpetion","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"50c46edf-691b-4397-ad9e-e06a544a81d0","type":"simple","updated_at":"2025-08-14T12:42:34.361Z","updated_by":"841510929"}
12+
{"_version":"WzE3NjUwLDhd","created_at":"2025-08-14T12:19:29.454Z","created_by":"841510929","description":"Exception list containing exceptions for rule with id: 51a51212-5975-45ac-b909-c7840a903141","id":"82395156-8ad2-46c3-be79-1f1a23c0d802","immutable":false,"list_id":"0a4124f8-2074-450b-8689-d7dee319c666","name":"Exceptions for rule - Test Windows server prml-19","namespace_type":"single","os_types":[],"tags":["default_rule_exception_list"],"tie_breaker_id":"46a0d0b5-8793-4f60-a20b-6f76274b1722","type":"rule_default","updated_at":"2025-08-14T12:19:29.454Z","updated_by":"841510929","version":1}
13+
{"_version":"WzE3NjUxLDhd","comments":[],"created_at":"2025-08-14T12:19:31.919Z","created_by":"841510929","description":"Exception list item","entries":[{"type":"match","field":" host.name","value":"liv-win-ser","operator":"included"}],"id":"1a4a30ce-bbf2-483a-86a7-7af9ea4b562e","item_id":"9ed8fb85-d920-4759-ba47-8d273cbb55b6","list_id":"0a4124f8-2074-450b-8689-d7dee319c666","name":"int-ips","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"430065d9-8c30-40bf-a589-706ae5cc490d","type":"simple","updated_at":"2025-08-14T12:19:31.919Z","updated_by":"841510929"}
14+
{"id":"e1b418e7-78df-4042-bfb0-1cc5fb6f7a4e","type":"action","updated_at":"2025-08-14T12:30:20.229Z","created_at":"2025-08-14T12:30:20.229Z","version":"WzI3MDY1OSwxMF0=","attributes":{"actionTypeId":".index","name":"test-connector","isMissingSecrets":false,"config":{"index":"logs-connector","refresh":false,"executionTimeField":null},"secrets":{}},"references":[],"managed":false,"coreMigrationVersion":"8.8.0","typeMigrationVersion":"10.1.0"}
15+
{"exported_count":14,"exported_rules_count":9,"missing_rules":[],"missing_rules_count":0,"exported_exception_list_count":2,"exported_exception_list_item_count":2,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0,"exported_action_connector_count":1,"missing_action_connection_count":0,"missing_action_connections":[],"excluded_action_connection_count":0,"excluded_action_connections":[]}

detection_rules/etc/test_remote_cli.bash

Lines changed: 14 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -12,20 +12,23 @@ echo "Performing a quick rule alerts search..."
1212
echo "Requires .detection-rules-cfg.json credentials file set."
1313
python -m detection_rules kibana search-alerts
1414

15-
echo "Performing a rule export..."
16-
mkdir tmp-export 2>/dev/null
17-
python -m detection_rules kibana export-rules -d tmp-export -sv --skip-errors -r 565d6ca5-75ba-4c82-9b13-add25353471c
18-
ls tmp-export
19-
echo "Removing generated files..."
20-
rm -rf tmp-export
15+
echo "Setting Up Custom Directory..."
16+
mkdir tmp-custom 2>/dev/null
17+
python -m detection_rules custom-rules setup-config tmp-custom
18+
export CUSTOM_RULES_DIR=./tmp-custom/
2119

22-
echo "Performing a rule import..."
20+
echo "Performing a rule conversion from ndjson to toml files..."
21+
python -m detection_rules import-rules-to-repo detection_rules/etc/custom-consolidated-rules.ndjson -ac -e -s $CUSTOM_RULES_DIR/rules --required-only
22+
23+
echo "Performing a rule import to kibana..."
2324

24-
python -m detection_rules custom-rules setup-config tmp-custom
25-
export CUSTOM_RULES_DIR=./tmp-custom
26-
cp rules/threat_intel/threat_intel_indicator_match_address.toml tmp-custom/rules/
2725
python -m detection_rules kibana import-rules -o -e -ac
28-
rm -rf tmp-custom
26+
27+
echo "Performing a rule export..."
28+
python -m detection_rules kibana export-rules -d $CUSTOM_RULES_DIR -ac -e -sv --custom-rules-only
29+
30+
echo "Removing generated files..."
31+
rm -rf $CUSTOM_RULES_DIR
2932
set -e CUSTOM_RULES_DIR
3033

3134
echo "Detection-rules Remote CLI tests completed!"

pyproject.toml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
[project]
22
name = "detection_rules"
3-
version = "1.3.25"
3+
version = "1.3.26"
44
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
55
readme = "README.md"
66
requires-python = ">=3.12"

0 commit comments

Comments
 (0)