Staging

.github/workflows/dac_cicd.yml

@@ -0,0 +1,141 @@
+name: DAC - SIEM CI/CD Workflow
+
+on:
+  push:
+    branches:
+      - "dev"  # Dedicated for new rules implementatioln
+      - "staging" # Dedicated for rules evalation and fine tuning      
+      - "main" # Decicated for production rules
+    paths:
+      - '**/*.toml'
+  pull_request:
+    branches:
+      - "staging"
+      - "main"
+ # workflow_dispatch:
+  #  inputs:
+   #   space:
+    #    description: 'Kibana space to use (dev or prod)'
+     #   required: false
+      #  default: 'dac-dev'
+
+jobs:
+
+  deploy-to-dev:
+    name: Deploy to Kibana Dev SIEM Space
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/dev'
+    env:
+      CUSTOM_RULES_DIR: ${{ secrets.CUSTOM_RULES_DIR }}
+
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v4
+
+    - name: Set up Python 3.12
+      uses: actions/setup-python@v2
+      with:
+        python-version: '3.12'
+
+    - name: Install Dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip cache purge
+        pip install .[dev]
+
+    #- name: Setup config file
+    #  run: |
+    #    python -m detection_rules custom-rules setup-config rules_custom --overwrite
+
+    - name: Import Rules to Kibana
+      run: |
+        python -m detection_rules kibana --space dac-dev import-rules --overwrite -e -ac -d ${{ env.CUSTOM_RULES_DIR }}/rules
+      env:
+        DR_CLOUD_ID: ${{ secrets.ELASTIC_CLOUD_ID }}
+        DR_API_KEY: ${{ secrets.ELASTIC_API_KEY }}
+
+  deploy-to-staging:
+    name: Deploy to Staging SIEM Space
+    #needs: deploy-to-dev
+    if: github.ref == 'refs/heads/staging'
+    runs-on: ubuntu-latest
+    env:
+      CUSTOM_RULES_DIR: ${{ secrets.CUSTOM_RULES_DIR }}
+
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v4
+
+    - name: Set up Python 3.12
+      uses: actions/setup-python@v2
+      with:
+        python-version: '3.12'
+
+    - name: Install Dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip cache purge
+        pip install .[dev]
+
+    - name: Import Rules to Kibana
+      run: |
+        python -m detection_rules kibana --space dac-staging import-rules --overwrite -e -ac -d ${{ env.CUSTOM_RULES_DIR }}/rules
+      env:
+        DR_CLOUD_ID: ${{ secrets.ELASTIC_CLOUD_ID }}
+        DR_API_KEY: ${{ secrets.ELASTIC_API_KEY }}
+
+    - name: Update rule hashes in version.lock.json file without bumping version
+      run: |
+        python -m detection_rules dev update-lock-versions --force
+
+  generate-auth-logs:
+    name: Generate Authentication Logs & Send to Elastic SIEM
+    needs: deploy-to-staging
+    if: github.ref == 'refs/heads/staging'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v4
+
+      - name: Install Python Dependencies
+        run: pip install elasticsearch requests faker
+
+      - name: Run Authentication Log Generator
+        env:
+          ELASTIC_URL: "${{ secrets.ELASTIC_URL }}"
+          ELASTIC_API_KEY: ${{ secrets.ELASTIC_API_KEY }}
+        run: python scripts/windows_logs_gen.py
+
+  deploy-to-production:
+    name: Deploy to Production SIEM Space
+    #needs: deploy-to-staging
+    if: github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    env:
+      CUSTOM_RULES_DIR: ${{ secrets.CUSTOM_RULES_DIR }}
+
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v4
+
+    - name: Set up Python 3.12
+      uses: actions/setup-python@v2
+      with:
+        python-version: '3.12'
+
+    - name: Install Dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip cache purge
+        pip install .[dev]
+
+    #- name: Setup config file
+    #  run: |
+    #    python -m detection_rules custom-rules setup-config rules_custom --overwrite
+
+    - name: Import Rules to Kibana
+      run: |
+        python -m detection_rules kibana --space dac-prod import-rules --overwrite -e -ac -d ${{ env.CUSTOM_RULES_DIR }}/rules
+      env:
+        DR_CLOUD_ID: ${{ secrets.ELASTIC_CLOUD_ID }}
+        DR_API_KEY: ${{ secrets.ELASTIC_API_KEY }}

.github/workflows/dac_manual_push_rules_to_elastic.yml

@@ -0,0 +1,46 @@
+name: Push Latest Rules to Elastic Security Space
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '**/*.toml'
+  workflow_dispatch:
+    inputs:
+      space:
+        description: 'Kibana space to use (dev or prod)'
+        required: false
+        default: 'dac-dev'
+
+jobs:
+  push-to-dev:
+    runs-on: ubuntu-latest
+    env:
+      CUSTOM_RULES_DIR: ${{ secrets.CUSTOM_RULES_DIR }}
+
+    steps:
+    - name: Checkout Repository
+      uses: actions/checkout@v4
+
+    - name: Set up Python 3.12
+      uses: actions/setup-python@v2
+      with:
+        python-version: '3.12'
+
+    - name: Install Dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip cache purge
+        pip install .[dev]
+
+    #- name: Setup config file
+    #  run: |
+    #    python -m detection_rules custom-rules setup-config rules_custom --overwrite
+
+    - name: Import Rules to Kibana
+      run: |
+        python -m detection_rules kibana --space "${{ github.event.inputs.space }}" import-rules --overwrite -e -ac -d ${{ env.CUSTOM_RULES_DIR }}/rules
+      env:
+        DR_CLOUD_ID: ${{ secrets.ELASTIC_CLOUD_ID }}
+        DR_API_KEY: ${{ secrets.ELASTIC_API_KEY }}

rules_custom/_config.yaml

@@ -0,0 +1,15 @@
+bbr_rules_dirs:
+- rules_building_block
+directories:
+  action_connector_dir: action_connectors
+  action_dir: actions
+  exception_dir: exceptions
+files:
+  deprecated_rules: etc/deprecated_rules.json
+  packages: etc/packages.yaml
+  stack_schema_map: etc/stack-schema-map.yaml
+  version_lock: etc/version.lock.json
+rule_dirs:
+- rules
+testing:
+  config: etc/test_config.yaml

rules_custom/etc/deprecated_rules.json

@@ -0,0 +1 @@
+{}

rules_custom/etc/packages.yaml

@@ -0,0 +1,2 @@
+package:
+  name: '9.1'

rules_custom/etc/stack-schema-map.yaml

@@ -0,0 +1,4 @@
+9.1.0:
+  beats: 9.0.0-beta1
+  ecs: 9.0.0-rc1
+  endgame: 8.4.0

rules_custom/etc/test_config.yaml

@@ -0,0 +1,11 @@
+# For more details, refer to the example configuration:
+# /Users/bendiawara/Project/dac/detection-rules/detection_rules/etc/example_test_config.yaml
+# Define tests to explicitly bypass, with all others being run.
+# To run all tests, set bypass to empty or leave this file commented out.
+
+unit_tests:
+  bypass:
+  - tests.test_gh_workflows.TestWorkflows.test_matrix_to_lock_version_defaults
+  - tests.test_schemas.TestVersionLockSchema.test_version_lock_has_nested_previous
+  - tests.test_packages.TestRegistryPackage.test_registry_package_config
+  - tests.test_all_rules.TestValidRules.test_schema_and_dupes

rules_custom/etc/version.lock.json

@@ -0,0 +1 @@
+{}

rules_custom/exceptions/exception1.toml

@@ -0,0 +1,33 @@
+[metadata]
+creation_date = "2025/04/07"
+list_name = "TestShareList"
+rule_ids = ["4ed8e743-3af3-4503-b710-497c16a53ed9"]
+rule_names = ["rere"]
+updated_date = "2024/07/10"
+
+[[exceptions]]
+[exceptions.container]
+description = "Dac Vuln Scanners"
+list_id = "dbc9b368-5d39-41fa-9a16-bfcb995fc866"
+name = "vulnerability_scanners"
+namespace_type = "single"
+tags = []
+type = "detection"
+
+[[exceptions.items]]
+comments = []
+description = "Exception list item"
+list_id = "dbc9b368-5d39-41fa-9a16-bfcb995fc866"
+item_id = "7c823cd0-ca30-46ba-af35-3633219eed1f"
+name = "qualys_scanners"
+namespace_type = "single"
+tags = []
+type = "simple"
+
+[[exceptions.items.entries]]
+field = "source.ip"
+type = "match"
+operator = "included"
+value = "192.168.1.10"
+
+

rules_custom/rules/suspicious_authentication.toml

@@ -0,0 +1,37 @@
+[metadata]
+creation_date = "2025/04/03"
+maturity = "development"
+updated_date = "2025/04/03"
+
+[rule]
+author = ["Ben D"]
+description = """
+Identifies Suspicious Authentication
+"""
+false_positives = ["Legitimate exchange system administrations activity."]
+from = "now-9m"
+index = [
+    "logs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Suspicious Authentication Detected"
+note = """## TBD.
+"""
+references = [
+    "https://www.elastic.co/",
+    "https://www.elastic.co/"
+]
+risk_score = 47
+rule_id = "6aace640-e631-4870-ba8e-5fdda09325ae"
+severity = "medium"
+enabled = "true"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+]
+type = "query"
+
+query = '''
+event.category : "authentication" and event.outcome : "failure" and user.name : "adminfake"
+'''
+