Add threat_match rule type #1138

Merged: 3 commits merged into elastic:main from the add-threat-match-rule-type branch on Apr 22, 2021

Conversation

brokensound77
Contributor

@brokensound77 brokensound77 commented Apr 21, 2021

Issues

related to #305

Summary

This creates the rule type for threat_match (Indicator match) rules, which will allow these rules to be added and validated.

This does not include support for adding these rules via the CLI. That will come in a separate PR since the CLI still builds rules exclusively off the old schemas.

I tested this with a modified version of the rule from #1133
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"

[rule]
author = [ "Elastic",]
description = "This rule is triggered when indicators from the Threat Intel Filebeat module has a match against local file or network observations.\n"
enabled = true
from = "now-600s"
index = [ "auditbeat-*", "filebeat-*", "logs-*",]
interval = "9m"
rule_id = "dc672cb7-d5df-4d1f-a6d7-0841b1caafb9"
language = "kuery"
license = "Elastic License v2"
max_signals = 100
risk_score = 99
name = "Threat Intel Filebeat Module Indicator Match"
query = "file.name:burger"
references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",]
severity = "critical"
tags = [ "Elastic", "Continuous Monitoring", "SecOps", "Monitoring",]
to = "now"
type = "threat_match"
threat_index = [ "filebeat-*",]
threat_indicator_path = ""
threat_query = "process.name:ham"
threat_language = "kuery"
throttle = "no_actions"
note = "If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.\n- `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation\n- `threatintel.indicator.matched.field` - this identifies the indicator field that matched the local observation\n- `threatintel.indicator.matched.type` - this identifies the indicator type that matched the local observation"
# version = 5

[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.module"
[rule.threat_filters.meta.params]
query = "threatintel"
[rule.threat_filters.query.match_phrase]
"event.module" = "threatintel"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.category"
[rule.threat_filters.meta.params]
query = "threat"
[rule.threat_filters.query.match_phrase]
"event.category" = "threat"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.kind"
[rule.threat_filters.meta.params]
query = "enrichment"
[rule.threat_filters.query.match_phrase]
"event.kind" = "enrichment"
[[rule.threat_filters]]
[rule.threat_filters."$state"]
store = "appState"
[rule.threat_filters.meta]
negate = false
disabled = false
type = "phrase"
key = "event.type"
[rule.threat_filters.meta.params]
query = "indicator"
[rule.threat_filters.query.match_phrase]
"event.type" = "indicator"

[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.md5"
type = "mapping"
value = "threatintel.indicator.file.hash.md5"

[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha1"
type = "mapping"
value = "threatintel.indicator.file.hash.sha1"

[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.hash.sha256"
type = "mapping"
value = "threatintel.indicator.file.hash.sha256"

[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "file.pe.imphash"
type = "mapping"
value = "threatintel.indicator.file.pe.imphash"

[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "source.ip"
type = "mapping"
value = "threatintel.indicator.ip"

[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "destination.ip"
type = "mapping"
value = "threatintel.indicator.ip"

[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "url.full"
type = "mapping"
value = "threatintel.indicator.url.full"

[[rule.threat_mapping]]
[[rule.threat_mapping.entries]]
field = "registry.path"
type = "mapping"
value = "threatintel.indicator.registry.path"

#[[rule.exceptions_list]]
#list_id = "ee1242d3-43df-41a4-8570-15d5e3c33d27"
#namespace_type = "single"
#id = "7b282b70-8747-11eb-ac13-d5ca87cb8fa2"
#type = "detection"

@brokensound77 brokensound77 added labels on Apr 21, 2021: enhancement (New feature or request), python (Internal python for the repository), v7.13.0 (7.13 rules release package)
@brokensound77 brokensound77 requested a review from rw-access April 21, 2021 22:44
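To make the semantics of the rule above concrete, the following is an added example (not code from elastic/detection-rules or from the Elastic detection engine) that models how a threat_match rule is evaluated: documents in the threat index pass through `threat_filters`, then each `threat_mapping` group is tested against a local event, and every hit is recorded with the `threatintel.indicator.matched.atomic/field/type` names from the rule's `note`. `THREAT_MAPPING` and `THREAT_FILTERS` are lifted from the rule in the PR description; the sample documents, the one-alert-per-event shape, recording the local event field as `matched.field`, and reading the indicator type from `threatintel.indicator.type` are all assumptions made for illustration. The example generalizes slightly beyond the rule on the page: groups with more than one entry are treated as AND, which the single-entry groups above never exercise.

```python
"""Toy evaluator for threat_match (indicator match) rule semantics.

Added example, not code from elastic/detection-rules or the Elastic detection
engine. THREAT_MAPPING and THREAT_FILTERS come from the rule in the PR; the
sample documents, one-alert-per-event shape, matched.field meaning and the
threatintel.indicator.type lookup are assumptions made for illustration.
"""
from copy import deepcopy
from typing import Any, Dict, List, Optional

# From the rule above: eight groups of one entry each. Entries inside a group
# must all match (AND); any group matching is enough (OR).
THREAT_MAPPING: List[List[Dict[str, str]]] = [
    [{"field": "file.hash.md5", "type": "mapping", "value": "threatintel.indicator.file.hash.md5"}],
    [{"field": "file.hash.sha1", "type": "mapping", "value": "threatintel.indicator.file.hash.sha1"}],
    [{"field": "file.hash.sha256", "type": "mapping", "value": "threatintel.indicator.file.hash.sha256"}],
    [{"field": "file.pe.imphash", "type": "mapping", "value": "threatintel.indicator.file.pe.imphash"}],
    [{"field": "source.ip", "type": "mapping", "value": "threatintel.indicator.ip"}],
    [{"field": "destination.ip", "type": "mapping", "value": "threatintel.indicator.ip"}],
    [{"field": "url.full", "type": "mapping", "value": "threatintel.indicator.url.full"}],
    [{"field": "registry.path", "type": "mapping", "value": "threatintel.indicator.registry.path"}],
]

# The four match_phrase threat_filters from the rule, reduced to field == value.
THREAT_FILTERS: Dict[str, str] = {
    "event.module": "threatintel",
    "event.category": "threat",
    "event.kind": "enrichment",
    "event.type": "indicator",
}


def get_path(doc: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_indicator(doc: Dict[str, Any], filters: Dict[str, str]) -> bool:
    """threat_filters decide which threat_index documents count as indicators."""
    return all(get_path(doc, field) == value for field, value in filters.items())


def match_group(event: Dict[str, Any], indicator: Dict[str, Any],
                group: List[Dict[str, str]]) -> List[tuple]:
    """Return (entry, atomic) pairs when every entry in the group matches, else [].
    A field missing on either side never matches, so None == None is not a hit."""
    hits = []
    for entry in group:
        local = get_path(event, entry["field"])
        remote = get_path(indicator, entry["value"])
        if local is None or remote is None or local != remote:
            return []
        hits.append((entry, local))
    return hits


def evaluate_rule(events, indicators, mapping=THREAT_MAPPING, filters=THREAT_FILTERS):
    """Emit one alert per event that matches an indicator through some group.
    Each hit becomes an enrichment named as in the rule's note; assumption:
    matched.field records the local (event) field that matched."""
    candidates = [ind for ind in indicators if is_indicator(ind, filters)]
    alerts = []
    for event in events:
        enrichments = []
        for ind in candidates:
            for group in mapping:
                for entry, atomic in match_group(event, ind, group):
                    enrichments.append({
                        "atomic": atomic,
                        "field": entry["field"],
                        "type": get_path(ind, "threatintel.indicator.type"),
                    })
        if enrichments:
            alert = deepcopy(event)
            alert.setdefault("threatintel", {}).setdefault("indicator", {})["matched"] = enrichments
            alerts.append(alert)
    return alerts


# Constructed sample documents; IPs are RFC 5737 test addresses, not real IOCs.
_INDICATOR_EVENT = {"module": "threatintel", "category": "threat", "kind": "enrichment", "type": "indicator"}
INDICATORS = [
    {"event": dict(_INDICATOR_EVENT), "threatintel": {"indicator": {"type": "ipv4-addr", "ip": "203.0.113.7"}}},
    {"event": dict(_INDICATOR_EVENT),
     "threatintel": {"indicator": {"type": "file", "file": {"hash": {"sha256": "a" * 64}}}}},
    # Same index and shape, but event.kind/event.type mark it as a log line about
    # the feed rather than an indicator: threat_filters must keep it out.
    {"event": {"module": "threatintel", "category": "threat", "kind": "event", "type": "info"},
     "threatintel": {"indicator": {"type": "ipv4-addr", "ip": "198.51.100.9"}}},
]
EVENTS = [
    {"event": {"category": "network"}, "source": {"ip": "10.0.0.5"}, "destination": {"ip": "203.0.113.7"}},
    {"event": {"category": "file"}, "file": {"name": "burger", "hash": {"sha256": "a" * 64}}},
    {"event": {"category": "network"}, "source": {"ip": "198.51.100.9"}},  # only the filtered-out doc has it
    {"event": {"category": "process"}, "process": {"name": "ham"}},  # no mapped field at all
]

if __name__ == "__main__":
    for alert in evaluate_rule(EVENTS, INDICATORS):
        print(alert["threatintel"]["indicator"]["matched"])
```

Running it yields two alerts: the network event whose `destination.ip` equals the IP indicator, and the file event whose `file.hash.sha256` equals the file indicator. The third event shares an IP with a document in the threat index, but that document fails `threat_filters` (its `event.kind` is `event`, not `enrichment`), so it never becomes an indicator and no alert fires; this is the check to keep in mind when a feed index mixes indicator documents with ordinary log lines. Passing a single group with both `source.ip` and `destination.ip` entries produces no alert, because both local fields would have to equal the same indicator value.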
Contributor

@rw-access rw-access left a comment


two small requests, otherwise LGTM

Review threads (all resolved, marked outdated): detection_rules/rule.py (3 threads), detection_rules/schemas/definitions.py (1 thread)
@brokensound77 brokensound77 merged commit cabe923 into elastic:main Apr 22, 2021
@brokensound77 brokensound77 deleted the add-threat-match-rule-type branch April 22, 2021 17:04