Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add kibana/security-rule asset type #142

Merged
merged 10 commits into from
Mar 18, 2021
Merged

Add kibana/security-rule asset type #142

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
6b4c13b
Add kibana/rules for detection rules as JSON files
rw-access Feb 25, 2021
5a56cf4
Merge branch 'master' into add-rules-type
rw-access Feb 25, 2021
c0479d7
Update changelog.yml
rw-access Feb 25, 2021
e5e8b40
Limit scope to a single 'security-rule' asset
rw-access Mar 16, 2021
7e68dfe
Merge branch 'add-rules-type' of github.com:elastic/package-spec into…
rw-access Mar 16, 2021
87bfe01
Update spec and statik
rw-access Mar 17, 2021
e68a0b0
Merge remote-tracking branch 'origin/master' into add-rules-type
rw-access Mar 17, 2021
3523a78
Update specs
rw-access Mar 17, 2021
8c42ca6
Merge branch 'master' into add-rules-type
rw-access Mar 17, 2021
ba23706
Loosen up security_rule artifact
rw-access Mar 17, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion code/go/internal/spec/statik.go
View file
Open in desktop

Large diffs are not rendered by default.

37 changes: 37 additions & 0 deletions test/packages/good/kibana/security_rule/rule-000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,37 @@
{
"author": [
"Elastic"
],
"description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
"false_positives": [
"Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
],
"index": [
"filebeat-*",
"logs-okta*"
],
"language": "kuery",
"license": "Elastic License v2",
"name": "Attempt to Modify an Okta Policy Rule",
"note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
"query": "event.dataset:okta.system and event.action:policy.rule.update",
"references": [
"https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/"
],
"risk_score": 21,
"rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
"severity": "low",
"tags": [
"Elastic",
"Identity",
"Okta",
"Continuous Monitoring",
"SecOps",
"Identity and Access"
],
"timestamp_override": "event.ingested",
"type": "query",
"version": 5
}
5 changes: 4 additions & 1 deletion versions/1/changelog.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,4 +93,7 @@
link: https://github.com/elastic/package-spec/pull/143
- description: Pipeline test results can be optional
type: enhancement
link: https://github.com/elastic/package-spec/pull/147
link: https://github.com/elastic/package-spec/pull/147
- description: Add kibana/security-rule asset
type: enhancement
link: https://github.com/elastic/package-spec/pull/142
9 changes: 9 additions & 0 deletions versions/1/kibana/spec.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -65,3 +65,12 @@
type: file
contentMediaType: "application/json"
pattern: '^.+\.json$'
- description: Folder containing rules
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please create a sample package and add it to the test/packages.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added this asset to test/packages/good

Copy link
Contributor Author

@rw-access rw-access Mar 17, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unless this should be its own test package

type: folder
name: "security_rule"
required: false
contents:
- description: An individual rule file for the detection engine
type: file
contentMediaType: "application/json"
pattern: '^rule-.+\.json$'
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the rule prefix in the name required?

Copy link
Contributor Author

@rw-access rw-access Mar 17, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, I can loosen this to just *.json

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just ^.+\.json$ as of ba23706