
Bump version for endpoint promotion rules for 7.12.1 #1082

Merged
merged 3 commits into from
Apr 12, 2021

Conversation

brokensound77

@brokensound77 brokensound77 commented Apr 6, 2021

Issues

related to #1083 (the promotion rule changes will be undone here)

Summary

Endgame promotion rules in Kibana/7.12 are at version 5 and have timestamp_override defined (which should not be). These same rules are at version 4 in the detection-rules repo 7.12 branch and kibana/master, and timestamp_override is not defined. These updates are targeted for 7.12.1.

There most likely was an issue with the maze of backports and interlaced updates.

To fix the rules, they need to be reconciled across:

  • detection-rules 7.12 & main
  • kibana 7.12.1 and master

bump detection-rules/7.12 to v6 -> PR to kibana/master -> backport to 7.12 + 7.x

Details

kibana/master:

=============================================================================================================================
 rule_id                                name                                                    version   timestamp_override 
=============================================================================================================================
 77a3c3df-8ec4-4da4-b758-878f551dee69   Adversary Behavior - Detected - Elastic Endgame               4    
 571afc56-5ed9-465d-a2a9-045f099f6e7e   Credential Dumping - Detected - Elastic Endgame               4    
 db8c33a8-03cd-4988-9e2c-d0a4863adb13   Credential Dumping - Prevented - Elastic Endgame              4    
 c0be5f31-e180-48ed-aa08-96b36899d48f   Credential Manipulation - Detected - Elastic Endgame          4    
 c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa   Credential Manipulation - Prevented - Elastic Endgame         4    
 2003cdc8-8d83-4aa5-b132-1f9a8eb48514   Exploit - Detected - Elastic Endgame                          4    
 2863ffeb-bf77-44dd-b7a5-93ef94b72036   Exploit - Prevented - Elastic Endgame                         4    
 0a97b20f-4144-49ea-be32-b540ecc445de   Malware - Detected - Elastic Endgame                          4    
 3b382770-efbb-44f4-beed-f5e0a051b895   Malware - Prevented - Elastic Endgame                         4    
 c3167e1b-f73c-41be-b60b-87f4df707fe3   Permission Theft - Detected - Elastic Endgame                 4    
 453f659e-0429-40b1-bfdb-b6957286e04b   Permission Theft - Prevented - Elastic Endgame                4    
 80c52164-c82a-402c-9964-852533d58be1   Process Injection - Detected - Elastic Endgame                4    
 990838aa-a953-4f3e-b3cb-6ddf7584de9e   Process Injection - Prevented - Elastic Endgame               4    
 8cb4f625-7743-4dfb-ae1b-ad92be9df7bd   Ransomware - Detected - Elastic Endgame                       4    
 e3c5d5cb-41d5-4206-805c-f30561eae3ac   Ransomware - Prevented - Elastic Endgame                      4    
=============================================================================================================================

Repo rules in 7.12 branch:

=============================================================================================================================
 rule_id                                name                                                    version   timestamp_override 
=============================================================================================================================
 77a3c3df-8ec4-4da4-b758-878f551dee69   Adversary Behavior - Detected - Elastic Endgame               4    
 571afc56-5ed9-465d-a2a9-045f099f6e7e   Credential Dumping - Detected - Elastic Endgame               4    
 db8c33a8-03cd-4988-9e2c-d0a4863adb13   Credential Dumping - Prevented - Elastic Endgame              4    
 c0be5f31-e180-48ed-aa08-96b36899d48f   Credential Manipulation - Detected - Elastic Endgame          4    
 c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa   Credential Manipulation - Prevented - Elastic Endgame         4    
 2003cdc8-8d83-4aa5-b132-1f9a8eb48514   Exploit - Detected - Elastic Endgame                          4    
 2863ffeb-bf77-44dd-b7a5-93ef94b72036   Exploit - Prevented - Elastic Endgame                         4    
 0a97b20f-4144-49ea-be32-b540ecc445de   Malware - Detected - Elastic Endgame                          4    
 3b382770-efbb-44f4-beed-f5e0a051b895   Malware - Prevented - Elastic Endgame                         4    
 c3167e1b-f73c-41be-b60b-87f4df707fe3   Permission Theft - Detected - Elastic Endgame                 4    
 453f659e-0429-40b1-bfdb-b6957286e04b   Permission Theft - Prevented - Elastic Endgame                4    
 80c52164-c82a-402c-9964-852533d58be1   Process Injection - Detected - Elastic Endgame                4    
 990838aa-a953-4f3e-b3cb-6ddf7584de9e   Process Injection - Prevented - Elastic Endgame               4    
 8cb4f625-7743-4dfb-ae1b-ad92be9df7bd   Ransomware - Detected - Elastic Endgame                       4    
 e3c5d5cb-41d5-4206-805c-f30561eae3ac   Ransomware - Prevented - Elastic Endgame                      4    
=============================================================================================================================

kibana/7.12:

=============================================================================================================================
 rule_id                                name                                                    version   timestamp_override 
=============================================================================================================================
 77a3c3df-8ec4-4da4-b758-878f551dee69   Adversary Behavior - Detected - Elastic Endgame               5   event.ingested 
 571afc56-5ed9-465d-a2a9-045f099f6e7e   Credential Dumping - Detected - Elastic Endgame               5   event.ingested 
 db8c33a8-03cd-4988-9e2c-d0a4863adb13   Credential Dumping - Prevented - Elastic Endgame              5   event.ingested 
 c0be5f31-e180-48ed-aa08-96b36899d48f   Credential Manipulation - Detected - Elastic Endgame          5   event.ingested 
 c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa   Credential Manipulation - Prevented - Elastic Endgame         5   event.ingested 
 2003cdc8-8d83-4aa5-b132-1f9a8eb48514   Exploit - Detected - Elastic Endgame                          5   event.ingested 
 2863ffeb-bf77-44dd-b7a5-93ef94b72036   Exploit - Prevented - Elastic Endgame                         5   event.ingested 
 0a97b20f-4144-49ea-be32-b540ecc445de   Malware - Detected - Elastic Endgame                          5   event.ingested 
 3b382770-efbb-44f4-beed-f5e0a051b895   Malware - Prevented - Elastic Endgame                         5   event.ingested 
 c3167e1b-f73c-41be-b60b-87f4df707fe3   Permission Theft - Detected - Elastic Endgame                 5   event.ingested 
 453f659e-0429-40b1-bfdb-b6957286e04b   Permission Theft - Prevented - Elastic Endgame                5   event.ingested 
 80c52164-c82a-402c-9964-852533d58be1   Process Injection - Detected - Elastic Endgame                5   event.ingested 
 990838aa-a953-4f3e-b3cb-6ddf7584de9e   Process Injection - Prevented - Elastic Endgame               5   event.ingested 
 8cb4f625-7743-4dfb-ae1b-ad92be9df7bd   Ransomware - Detected - Elastic Endgame                       5   event.ingested 
 e3c5d5cb-41d5-4206-805c-f30561eae3ac   Ransomware - Prevented - Elastic Endgame                      5   event.ingested 
=============================================================================================================================

kibana/7.11:

===============================================================================================================================
 rule_id                                name                                                      version   timestamp_override 
===============================================================================================================================
 77a3c3df-8ec4-4da4-b758-878f551dee69   Adversary Behavior - Detected - Endpoint Security               4    
 571afc56-5ed9-465d-a2a9-045f099f6e7e   Credential Dumping - Detected - Endpoint Security               4    
 db8c33a8-03cd-4988-9e2c-d0a4863adb13   Credential Dumping - Prevented - Endpoint Security              4    
 c0be5f31-e180-48ed-aa08-96b36899d48f   Credential Manipulation - Detected - Endpoint Security          4    
 c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa   Credential Manipulation - Prevented - Endpoint Security         4    
 2003cdc8-8d83-4aa5-b132-1f9a8eb48514   Exploit - Detected - Endpoint Security                          4    
 2863ffeb-bf77-44dd-b7a5-93ef94b72036   Exploit - Prevented - Endpoint Security                         4    
 0a97b20f-4144-49ea-be32-b540ecc445de   Malware - Detected - Endpoint Security                          4    
 3b382770-efbb-44f4-beed-f5e0a051b895   Malware - Prevented - Endpoint Security                         4    
 c3167e1b-f73c-41be-b60b-87f4df707fe3   Permission Theft - Detected - Endpoint Security                 4    
 453f659e-0429-40b1-bfdb-b6957286e04b   Permission Theft - Prevented - Endpoint Security                4    
 80c52164-c82a-402c-9964-852533d58be1   Process Injection - Detected - Endpoint Security                4    
 990838aa-a953-4f3e-b3cb-6ddf7584de9e   Process Injection - Prevented - Endpoint Security               4    
 8cb4f625-7743-4dfb-ae1b-ad92be9df7bd   Ransomware - Detected - Endpoint Security                       4    
 e3c5d5cb-41d5-4206-805c-f30561eae3ac   Ransomware - Prevented - Endpoint Security                      4    
===============================================================================================================================
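The reconciliation described above can be checked mechanically. The script below is an added example, not tooling from the detection-rules or Kibana projects: it loads the rule documents each branch ships, reports every rule whose version or timestamp_override differs between branches (an unset field counts as a difference), and computes the version the canonical copy must be bumped to, namely one above the highest version seen anywhere, so that it supersedes the stray v5 copy once it lands. The rule documents are constructed from the tables above and trimmed to the compared fields; the source names are the branches named in the PR.

```python
"""Find prepackaged-rule drift across branches and compute the reconciling bump.

Added example; not the detection-rules project's own tooling. Rule documents are
constructed from the PR's tables and trimmed to the fields being compared.
"""
import json
from typing import Any, Dict

RuleSet = Dict[str, Dict[str, Any]]  # rule_id -> rule document

# Constructed sample: two rules as they appear in the three locations named in the PR.
# In practice each blob would be the prepackaged_rules/*.json files of one branch.
SOURCES: Dict[str, str] = {
    "kibana/master": """[
        {"rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
         "name": "Adversary Behavior - Detected - Elastic Endgame", "version": 4},
        {"rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
         "name": "Exploit - Detected - Elastic Endgame", "version": 4}]""",
    "detection-rules/7.12": """[
        {"rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
         "name": "Adversary Behavior - Detected - Elastic Endgame", "version": 4},
        {"rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
         "name": "Exploit - Detected - Elastic Endgame", "version": 4}]""",
    "kibana/7.12": """[
        {"rule_id": "77a3c3df-8ec4-4da4-b758-878f551dee69",
         "name": "Adversary Behavior - Detected - Elastic Endgame", "version": 5,
         "timestamp_override": "event.ingested"},
        {"rule_id": "2003cdc8-8d83-4aa5-b132-1f9a8eb48514",
         "name": "Exploit - Detected - Elastic Endgame", "version": 5,
         "timestamp_override": "event.ingested"}]""",
}

COMPARED_FIELDS = ("version", "timestamp_override")


def load_rules(blob: str) -> RuleSet:
    """Index a JSON array of rule documents by rule_id."""
    return {rule["rule_id"]: rule for rule in json.loads(blob)}


def find_drift(sources: Dict[str, RuleSet]) -> Dict[str, Dict[str, Dict[str, Any]]]:
    """Return {rule_id: {field: {source: value}}} for each field whose value is not
    identical across the sources shipping that rule. A missing field is reported as
    None, so 'unset' versus 'event.ingested' is drift, exactly as in the PR."""
    drift: Dict[str, Dict[str, Dict[str, Any]]] = {}
    rule_ids = set().union(*(rs.keys() for rs in sources.values()))
    for rule_id in sorted(rule_ids):
        for field in COMPARED_FIELDS:
            seen = {src: rs[rule_id].get(field) for src, rs in sources.items() if rule_id in rs}
            if len({json.dumps(v, sort_keys=True) for v in seen.values()}) > 1:
                drift.setdefault(rule_id, {})[field] = seen
    return drift


def reconcile(sources: Dict[str, RuleSet], canonical: str) -> Dict[str, Dict[str, Any]]:
    """For each drifted rule, take the canonical source's content and set its version to
    max(version seen anywhere) + 1, so it is strictly newer than every deployed copy."""
    plan: Dict[str, Dict[str, Any]] = {}
    for rule_id, fields in find_drift(sources).items():
        versions = [rs[rule_id].get("version", 0) for rs in sources.values() if rule_id in rs]
        target = dict(sources[canonical][rule_id])
        plan[rule_id] = {"new_version": max(versions) + 1,
                         "timestamp_override": target.get("timestamp_override"),
                         "drifted_fields": sorted(fields)}
    return plan


if __name__ == "__main__":
    loaded = {name: load_rules(blob) for name, blob in SOURCES.items()}
    for rid, fields in find_drift(loaded).items():
        for field, seen in fields.items():
            print(f"{rid} {field}: {seen}")
    for rid, step in reconcile(loaded, canonical="detection-rules/7.12").items():
        print(f"{rid}: bump to v{step['new_version']}, "
              f"timestamp_override={step['timestamp_override']!r}")
```

For the sample, both rules are flagged on version (4 vs 5) and timestamp_override (unset vs event.ingested), and the plan is v6 with timestamp_override unset, matching the PR's stated course of action.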

@brokensound77 brokensound77 requested review from spong and rw-access April 6, 2021 15:41
@brokensound77 brokensound77 changed the title Bump version for endpoint promotion rules Bump version for endpoint promotion rules for 7.12.1 Apr 6, 2021

@rw-access rw-access left a comment


I'm not totally sure I understand, but there's nothing wrong with extra bumps, so this is fine to me.


@spong spong left a comment


LGTM! Nice catch here, and thanks for outlining the intricacies in the description, plan sounds good to me 👍

spong pushed a commit to elastic/kibana that referenced this pull request Apr 8, 2021
…ld warn about unmapped timestamp override field (#96394)

related to elastic/detection-rules#1082

## Summary

Endgame promotion rules in Kibana/7.12 are at version 5 and have timestamp_override defined (which should not be). These same rules are at version 4 in the detection-rules repo 7.12 branch and kibana/master and timestamp_override is not defined. These updates are targeted for 7.12.1

There most likely was an issue with the maze of backports and interlaced updates.

To fix the rules, they need to be reconciled across:

  • detection-rules 7.12 & main
  • kibana 7.12.1 and master

bump detection-rules/7.12 to v6 -> PR to kibana/master -> backport to 7.12.1

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)
spong pushed a commit to spong/kibana that referenced this pull request Apr 8, 2021
…ld warn about unmapped timestamp override field (elastic#96394)

related to elastic/detection-rules#1082

## Summary

Endgame promotion rules in Kibana/7.12 are at version 5 and have timestamp_override defined (which should not be). These same rules are at version 4 in the detection-rules repo 7.12 branch and kibana/master and timestamp_override is not defined. These updates are targeted for 7.12.1

There most likely was an issue with the maze of backports and interlaced updates.

To fix the rules, they need to be reconciled across:

  • detection-rules 7.12 & main
  • kibana 7.12.1 and master

bump detection-rules/7.12 to v6 -> PR to kibana/master -> backport to 7.12.1

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

# Conflicts:
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_adversary_behavior_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_prevented.json
spong added a commit to elastic/kibana that referenced this pull request Apr 8, 2021
…ld warn about unmapped timestamp override field (#96394) (#96528)

related to elastic/detection-rules#1082

## Summary

Endgame promotion rules in Kibana/7.12 are at version 5 and have timestamp_override defined (which should not be). These same rules are at version 4 in the detection-rules repo 7.12 branch and kibana/master and timestamp_override is not defined. These updates are targeted for 7.12.1

There most likely was an issue with the maze of backports and interlaced updates.

To fix the rules, they need to be reconciled across:

  • detection-rules 7.12 & main
  • kibana 7.12.1 and master

bump detection-rules/7.12 to v6 -> PR to kibana/master -> backport to 7.12.1

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

# Conflicts:
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_adversary_behavior_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_prevented.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
spong added a commit to elastic/kibana that referenced this pull request Apr 8, 2021
…ld warn about unmapped timestamp override field (#96394) (#96529)

related to elastic/detection-rules#1082

## Summary

Endgame promotion rules in Kibana/7.12 are at version 5 and have timestamp_override defined (which should not be). These same rules are at version 4 in the detection-rules repo 7.12 branch and kibana/master and timestamp_override is not defined. These updates are targeted for 7.12.1

There most likely was an issue with the maze of backports and interlaced updates.

To fix the rules, they need to be reconciled across:

  • detection-rules 7.12 & main
  • kibana 7.12.1 and master

bump detection-rules/7.12 to v6 -> PR to kibana/master -> backport to 7.12.1

### Checklist

Delete any items that are not applicable to this PR.

- [x] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)

### For maintainers

- [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

# Conflicts:
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_adversary_behavior_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_dumping_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_cred_manipulation_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_exploit_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_malware_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_permission_theft_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_process_injection_prevented.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_detected.json
#	x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_rules/endgame_ransomware_prevented.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
@brokensound77 brokensound77 merged commit b5bd9d2 into elastic:7.12 Apr 12, 2021
@brokensound77 brokensound77 deleted the bump-versions-for-override branch April 12, 2021 13:55