Adjust ESQLRuleData to Inherit QueryRuleData Dataclass

detection_rules/rule.py

@@ -569,6 +569,8 @@ def validator(self) -> Optional[QueryValidator]:
             return KQLValidator(self.query)
         elif self.language == "eql":
             return EQLValidator(self.query)
+        elif self.language == "esql":
+            return ESQLValidator(self.query)
 
     def validate_query(self, meta: RuleMeta) -> None:
         validator = self.validator
@@ -603,18 +605,17 @@ def validate_exceptions(self, data, **kwargs):
 
 
 @dataclass(frozen=True)
-class ESQLRuleData(BaseRuleData):
+class ESQLRuleData(QueryRuleData):
     """ESQL rules are a special case of query rules."""
     type: Literal["esql"]
     language: Literal["esql"]
     query: str
 
-    @cached_property
-    def validator(self) -> Optional[QueryValidator]:
-        return ESQLValidator(self.query)
-
-    def validate_query(self, meta: RuleMeta) -> None:
-        return self.validator.validate(self, meta)
+    @validates_schema
+    def validate_esql_data(self, data, **kwargs):
+        """Custom validation for esql rule type."""
+        if data.get('index'):
+            raise ValidationError("Index is not valid for esql rule type.")
 
 
 @dataclass(frozen=True)

rules/linux/credential_access_credential_dumping_esql.toml

@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2023/02/27"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.11.0"
+updated_date = "2023/06/22"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the execution of the unshadow utility which is part of John the Ripper,
+a password-cracking tool on the host machine. Malicious actors can use the utility to retrieve
+the combined contents of the '/etc/shadow' and '/etc/password' files.
+Using the combined file generated from the utility, the malicious threat actors can use them as input
+for password-cracking utilities or prepare themselves for future operations by gathering
+credential information of the victim.
+"""
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "ESQL Potential Linux Credential Dumping via Unshadow"
+references = [
+    "https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/",
+]
+risk_score = 47
+rule_id = "77af47d0-5bd4-11ee-8f6d-f661ea17fbce"
+severity = "medium"
+tags = ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
+timestamp_override = "event.ingested"
+type = "esql"
+query = '''
+from logs-endpoint.events.*, logs-endpoint.events.process*
+    | keep host.os.type, process.name, process.working_directory, event.type, event.action
+    | where host.os.type == "linux" and process.name == "unshadow" and event.type == "start" and event.action in ("exec", "exec_event")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1003"
+name = "OS Credential Dumping"
+reference = "https://attack.mitre.org/techniques/T1003/"
+[[rule.threat.technique.subtechnique]]
+id = "T1003.008"
+name = "/etc/passwd and /etc/shadow"
+reference = "https://attack.mitre.org/techniques/T1003/008/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"