[FR] Add Alert Suppression for Additional Rule Types #3986
Merged
Mikaayenson merged 7 commits into main from 3640-fr-new-terms-suppression-schema-updates on Aug 15, 2024
Conversation
Mikaayenson requested review from traut, rylnd, banderror, vitaliidm and eric-forte-elastic on August 14, 2024 19:22
Enhancement - Guidelines
These guidelines serve as a reminder set of considerations when adding a feature to the code. Sections: Documentation and Context; Code Standards and Practices; Testing; Additional Checks.
🟢 Local Testing LGTM 👍 As a note in my output, since I am bypassing the version lock my test results are slightly different in number but the same as it relates to the desired output for the PR.
Output:
detection-rules on 3640-fr-new-terms-suppression-schema-updates [$!?] is v0.1.0 via v3.12.4 (detection-rules-build) on eric.forte
❯ python -m detection_rules import-rules-to-repo ~/Downloads/rules_export_supression.ndjson --required-only
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
[+] Building rule for /home/forteea1/Code/clean_mains/detection-rules/custom_test/rules/test_new_terms_suppress_rule.toml
[+] Building rule for /home/forteea1/Code/clean_mains/detection-rules/custom_test/rules/test_esql_suppress_rule.toml
[+] Building rule for /home/forteea1/Code/clean_mains/detection-rules/custom_test/rules/test_eql_suppress_rule.toml
[+] Building rule for /home/forteea1/Code/clean_mains/detection-rules/custom_test/rules/test_ml_suppress_rule_per_execution.toml
[+] Building rule for /home/forteea1/Code/clean_mains/detection-rules/custom_test/rules/test_threat_indicator_match_suppress_rule.toml
[+] Building rule for /home/forteea1/Code/clean_mains/detection-rules/custom_test/rules/test_ml_suppress_rule.toml
6 results exported
6 rules converted
0 exceptions exported
0 actions connectors exported
detection-rules on 3640-fr-new-terms-suppression-schema-updates [$!?] is v0.1.0 via v3.12.4 (detection-rules-build) on eric.forte took 2s
❯ python -m detection_rules kibana --space test import-rules
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
6 rule(s) successfully imported
- 3ea1fa0a-0a25-4043-b23e-450e1e9c5730
- 058a8221-5b41-49ad-9e68-5a60fdf977e8
- 749ac911-16fd-406c-b1d1-d16b69322cbb
- 804d56c3-18bd-4e92-81f4-0c4f08af6e24
- c5904049-0d3a-4416-ad23-e1cceaf9f9f2
- fbdbcb5f-1e75-4931-92b2-aedc830c9b8e
detection-rules on 3640-fr-new-terms-suppression-schema-updates [$!?] is v0.1.0 via v3.12.4 (detection-rules-build) on eric.forte
❯ python -m detection_rules kibana --space "test" export-rules -s -d tmp-export/
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
6 results exported
6 rules converted
0 exceptions exported
0 action connectors exported
6 rules saved to tmp-export
0 exception lists saved to /home/forteea1/Code/clean_mains/detection-rules/custom_test/exceptions
0 action connectors saved to /home/forteea1/Code/clean_mains/detection-rules/custom_test/action_connectors
./env/detection-rules-build/bin/python -m detection_rules test
Loaded config file: /home/forteea1/Code/clean_mains/detection-rules/.detection-rules-cfg.json
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
Tests skipped per config (8):
tests/test_all_rules.py::TestRuleMetadata::test_invalid_queries
tests/test_all_rules.py::TestValidRules::test_bbr_validation
tests/test_all_rules.py::TestValidRules::test_rule_type_changes
tests/test_all_rules.py::TestValidRules::test_schema_and_dupes
tests/test_gh_workflows.py::TestWorkflows::test_matrix_to_lock_version_defaults
tests/test_packages.py::TestRegistryPackage::test_registry_package_config
tests/test_schemas.py::TestSchemas::test_eql_validation
tests/test_schemas.py::TestVersionLockSchema::test_version_lock_has_nested_previous
======================================================================================================================= test session starts ========================================================================================================================
platform linux -- Python 3.12.4, pytest-8.2.1, pluggy-1.5.0 -- /home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/bin/python
cachedir: .pytest_cache
rootdir: /home/forteea1/Code/clean_mains/detection-rules
configfile: pyproject.toml
plugins: typeguard-3.0.2
collected 142 items
tests/kuery/test_dsl.py::TestKQLtoDSL::test_and_query PASSED [ 0%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_exists PASSED [ 1%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_inequality PASSED [ 2%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_field_match PASSED [ 2%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_not_query PASSED [ 3%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_optimizations PASSED [ 4%]
tests/kuery/test_dsl.py::TestKQLtoDSL::test_or_query PASSED [ 4%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_and_query PASSED [ 5%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_boolean_precedence PASSED [ 6%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_field_equals PASSED [ 7%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_field_inequality PASSED [ 7%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_ip_checks PASSED [ 8%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_list_of_values PASSED [ 9%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_not_query PASSED [ 9%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_or_query PASSED [ 10%]
tests/kuery/test_eql2kql.py::TestEql2Kql::test_wildcard_field PASSED [ 11%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_and_expr PASSED [ 11%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_and_values PASSED [ 12%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_cidr_match PASSED [ 13%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_field_exists PASSED [ 14%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_flattening PASSED [ 14%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_list_value PASSED [ 15%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_not_value PASSED [ 16%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_or_expr PASSED [ 16%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_or_values PASSED [ 17%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_quoted_wildcard PASSED [ 18%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_range PASSED [ 19%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_single_value PASSED [ 19%]
tests/kuery/test_evaluator.py::EvaluatorTests::test_wildcard PASSED [ 20%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_and_query PASSED [ 21%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_boolean_precedence PASSED [ 21%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_field_equals PASSED [ 22%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_field_inequality PASSED [ 23%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_list_of_values PASSED [ 23%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_lone_value PASSED [ 24%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_nested_query PASSED [ 25%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_not_query PASSED [ 26%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_or_query PASSED [ 26%]
tests/kuery/test_kql2eql.py::TestKql2Eql::test_schema PASSED [ 27%]
tests/kuery/test_lint.py::LintTests::test_and_not PASSED [ 28%]
tests/kuery/test_lint.py::LintTests::test_compound PASSED [ 28%]
tests/kuery/test_lint.py::LintTests::test_double_negate PASSED [ 29%]
tests/kuery/test_lint.py::LintTests::test_extract_not PASSED [ 30%]
tests/kuery/test_lint.py::LintTests::test_ip PASSED [ 30%]
tests/kuery/test_lint.py::LintTests::test_lint_field PASSED [ 31%]
tests/kuery/test_lint.py::LintTests::test_lint_precedence PASSED [ 32%]
tests/kuery/test_lint.py::LintTests::test_merge_fields PASSED [ 33%]
tests/kuery/test_lint.py::LintTests::test_mixed_demorgans PASSED [ 33%]
tests/kuery/test_lint.py::LintTests::test_not_demorgans PASSED [ 34%]
tests/kuery/test_lint.py::LintTests::test_not_or PASSED [ 35%]
tests/kuery/test_lint.py::LintTests::test_upper_tokens PASSED [ 35%]
tests/kuery/test_parser.py::ParserTests::test_conversion PASSED [ 36%]
tests/kuery/test_parser.py::ParserTests::test_date PASSED [ 37%]
tests/kuery/test_parser.py::ParserTests::test_keyword PASSED [ 38%]
tests/kuery/test_parser.py::ParserTests::test_list_equals PASSED [ 38%]
tests/kuery/test_parser.py::ParserTests::test_multiple_types_fail PASSED [ 39%]
tests/kuery/test_parser.py::ParserTests::test_multiple_types_success PASSED [ 40%]
tests/kuery/test_parser.py::ParserTests::test_number_exists PASSED [ 40%]
tests/kuery/test_parser.py::ParserTests::test_number_wildcard_fail PASSED [ 41%]
tests/kuery/test_parser.py::ParserTests::test_type_family_fail PASSED [ 42%]
tests/kuery/test_parser.py::ParserTests::test_type_family_success PASSED [ 42%]
tests/test_all_rules.py::TestAlertSuppression::test_eql_non_sequence_support_only PASSED [ 43%]
tests/test_all_rules.py::TestAlertSuppression::test_group_field_in_schemas PASSED [ 44%]
tests/test_all_rules.py::TestBuildTimeFields::test_build_fields_min_stack PASSED [ 45%]
tests/test_all_rules.py::TestIncompatibleFields::test_rule_backports_for_restricted_fields PASSED [ 45%]
tests/test_all_rules.py::TestIntegrationRules::test_all_min_stack_rules_have_comment PASSED [ 46%]
tests/test_all_rules.py::TestIntegrationRules::test_integration_guide SKIPPED (8.3+ Stacks Have Related Integrations Feature) [ 47%]
tests/test_all_rules.py::TestIntegrationRules::test_ml_integration_jobs_exist PASSED [ 47%]
tests/test_all_rules.py::TestIntegrationRules::test_rule_demotions PASSED [ 48%]
tests/test_all_rules.py::TestLicense::test_elastic_license_only_v2 PASSED [ 49%]
tests/test_all_rules.py::TestNoteMarkdownPlugins::test_if_plugins_explicitly_defined PASSED [ 50%]
tests/test_all_rules.py::TestNoteMarkdownPlugins::test_note_has_osquery_warning PASSED [ 50%]
tests/test_all_rules.py::TestNoteMarkdownPlugins::test_plugin_placeholders_match_entries PASSED [ 51%]
tests/test_all_rules.py::TestRiskScoreMismatch::test_rule_risk_score_severity_mismatch PASSED [ 52%]
tests/test_all_rules.py::TestRuleFiles::test_bbr_in_correct_dir PASSED [ 52%]
tests/test_all_rules.py::TestRuleFiles::test_non_bbr_in_correct_dir PASSED [ 53%]
tests/test_all_rules.py::TestRuleFiles::test_rule_file_name_tactic PASSED [ 54%]
tests/test_all_rules.py::TestRuleMetadata::test_deprecated_rules SKIPPED (Skipping deprecated version lock check) [ 54%]
tests/test_all_rules.py::TestRuleMetadata::test_deprecated_rules_modified PASSED [ 55%]
tests/test_all_rules.py::TestRuleMetadata::test_event_dataset PASSED [ 56%]
tests/test_all_rules.py::TestRuleMetadata::test_integration_tag PASSED [ 57%]
tests/test_all_rules.py::TestRuleMetadata::test_rule_change_has_updated_date PASSED [ 57%]
tests/test_all_rules.py::TestRuleMetadata::test_updated_date_newer_than_creation PASSED [ 58%]
tests/test_all_rules.py::TestRuleTags::test_casing_and_spacing SKIPPED (Skipping tag validation) [ 59%]
tests/test_all_rules.py::TestRuleTags::test_investigation_guide_tag SKIPPED (Skipping tag validation) [ 59%]
tests/test_all_rules.py::TestRuleTags::test_ml_rule_type_tags SKIPPED (Skipping tag validation) [ 60%]
tests/test_all_rules.py::TestRuleTags::test_no_duplicate_tags SKIPPED (Skipping tag validation) [ 61%]
tests/test_all_rules.py::TestRuleTags::test_os_tags SKIPPED (Skipping tag validation) [ 61%]
tests/test_all_rules.py::TestRuleTags::test_primary_tactic_as_tag SKIPPED (Skipping tag validation) [ 62%]
tests/test_all_rules.py::TestRuleTags::test_required_tags SKIPPED (Skipping tag validation) [ 63%]
tests/test_all_rules.py::TestRuleTags::test_tag_prefix SKIPPED (Skipping tag validation) [ 64%]
tests/test_all_rules.py::TestRuleTimelines::test_timeline_has_title PASSED [ 64%]
tests/test_all_rules.py::TestRuleTiming::test_eql_interval_to_maxspan PASSED [ 65%]
tests/test_all_rules.py::TestRuleTiming::test_eql_lookback PASSED [ 66%]
tests/test_all_rules.py::TestRuleTiming::test_event_override PASSED [ 66%]
tests/test_all_rules.py::TestRuleTiming::test_required_lookback PASSED [ 67%]
tests/test_all_rules.py::TestThreatMappings::test_duplicated_tactics PASSED [ 68%]
tests/test_all_rules.py::TestThreatMappings::test_tactic_to_technique_correlations PASSED [ 69%]
tests/test_all_rules.py::TestThreatMappings::test_technique_deprecations PASSED [ 69%]
tests/test_all_rules.py::TestValidRules::test_all_rule_queries_optimized PASSED [ 70%]
tests/test_all_rules.py::TestValidRules::test_duplicate_file_names PASSED [ 71%]
tests/test_all_rules.py::TestValidRules::test_file_names PASSED [ 71%]
tests/test_all_rules.py::TestValidRules::test_from_filed_value PASSED [ 72%]
tests/test_all_rules.py::TestValidRules::test_index_or_data_view_id_present PASSED [ 73%]
tests/test_all_rules.py::TestValidRules::test_max_signals_note PASSED [ 73%]
tests/test_all_rules.py::TestValidRules::test_production_rules_have_rta PASSED [ 74%]
tests/test_hunt_data.py::TestHunt::test_load_toml_files PASSED [ 75%]
tests/test_hunt_data.py::TestHunt::test_markdown_existence PASSED [ 76%]
tests/test_hunt_data.py::TestHunt::test_toml_loading PASSED [ 76%]
tests/test_mappings.py::TestMappings::test_false_positives PASSED [ 77%]
tests/test_mappings.py::TestMappings::test_true_positives PASSED [ 78%]
tests/test_mappings.py::TestRTAs::test_rtas_with_triggered_rules_have_uuid PASSED [ 78%]
tests/test_packages.py::TestPackages::test_package_loader_default_configs SKIPPED (Version lock bypassed) [ 79%]
tests/test_packages.py::TestPackages::test_package_loader_production_config PASSED [ 80%]
tests/test_packages.py::TestPackages::test_package_summary SKIPPED (Version lock bypassed) [ 80%]
tests/test_packages.py::TestPackages::test_rule_versioning SKIPPED (Version lock bypassed) [ 81%]
tests/test_python_library.py::TestEQLInSet::test_eql_in_set PASSED [ 82%]
tests/test_schemas.py::TestSchemas::test_query_downgrade_7_x PASSED [ 83%]
tests/test_schemas.py::TestSchemas::test_query_downgrade_8_x PASSED [ 83%]
tests/test_schemas.py::TestSchemas::test_threshold_downgrade_7_x PASSED [ 84%]
tests/test_schemas.py::TestSchemas::test_threshold_downgrade_8_x PASSED [ 85%]
tests/test_schemas.py::TestSchemas::test_versioned_downgrade_7_x PASSED [ 85%]
tests/test_schemas.py::TestSchemas::test_versioned_downgrade_8_x PASSED [ 86%]
tests/test_schemas.py::TestVersionLockSchema::test_version_lock_no_previous PASSED [ 87%]
tests/test_schemas.py::TestVersions::test_stack_schema_map PASSED [ 88%]
tests/test_specific_rules.py::TestESQLRules::test_esql_queries PASSED [ 88%]
tests/test_specific_rules.py::TestEndpointQuery::test_os_and_platform_in_query PASSED [ 89%]
tests/test_specific_rules.py::TestNewTerms::test_history_window_start PASSED [ 90%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_field_exists PASSED [ 90%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_fields PASSED [ 91%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_fields_unique PASSED [ 92%]
tests/test_specific_rules.py::TestNewTerms::test_new_terms_max_limit PASSED [ 92%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_formatter_deep PASSED [ 93%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_formatter_rule PASSED [ 94%]
tests/test_toml_formatter.py::TestRuleTomlFormatter::test_normalization PASSED [ 95%]
tests/test_transform_fields.py::TestGuideMarkdownPlugins::test_plugin_conversion PASSED [ 95%]
tests/test_transform_fields.py::TestGuideMarkdownPlugins::test_transform_guide_markdown_plugins PASSED [ 96%]
tests/test_utils.py::TestTimeUtils::test_caching PASSED [ 97%]
tests/test_utils.py::TestTimeUtils::test_event_class_normalization PASSED [ 97%]
tests/test_utils.py::TestTimeUtils::test_schema_multifields PASSED [ 98%]
tests/test_utils.py::TestTimeUtils::test_time_normalize PASSED [ 99%]
tests/test_version_locking.py::TestVersionLock::test_previous_entries_gte_current_min_stack SKIPPED (Version lock bypassed) [100%]
========================================================================================================================= warnings summary =========================================================================================================================
env/detection-rules-build/lib/python3.12/site-packages/_pytest/config/__init__.py:1285
/home/forteea1/Code/clean_mains/detection-rules/env/detection-rules-build/lib/python3.12/site-packages/_pytest/config/__init__.py:1285: PytestAssertRewriteWarning: Module already imported so cannot be rewritten: typeguard
self._mark_plugins_for_rewrite(hook)
-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
============================================================================================================ 128 passed, 14 skipped, 1 warning in 6.11s ============================================================================================================
eric-forte-elastic approved these changes Aug 15, 2024
traut approved these changes Aug 15, 2024
Co-authored-by: Eric Forte <[email protected]>
vitaliidm approved these changes Aug 15, 2024
….com:elastic/detection-rules into 3640-fr-new-terms-suppression-schema-updates
protectionsmachine pushed six commits that referenced this pull request on Aug 15, 2024, each (cherry picked from commit 10ba6ad)
Pull Request
Issue link(s): #3640
Summary - What I changed
Adds Alert Suppression support to our schemas for different rule types based on the Kibana Schemas.
8.14.0
8.15.0
8.15.0
8.14.0
8.13.0
PR Checklist
- Implemented requisite downgrade functionality
- Incorporated a comprehensive test rule in unit tests for full schema coverage (no new base schemas were introduced)
How To Test
Make Tests
Importing / Exporting Test Files
Test file (attached with a .txt extension): rules_export_supression.ndjson.txt
(detection-rules-build) ➜ detection-rules git:(3640-fr-new-terms-suppression-schema-updates) ✗ python -m detection_rules kibana --space "main" export-rules -s -d custom_rules
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
- skipping Test ESQL Suppress Rule - ValidationError
- skipping Test New Terms Suppress Rule - ValidationError
- skipping Test Threat Indicator Match Suppress Rule - ValidationError
- skipping Test EQL Suppress Rule - ValidationError
- skipping Test ML Suppress Rule Per Execution - ValidationError
- skipping Test ML Suppress Rule - ValidationError
6 results exported
0 rules converted
0 exceptions exported
0 action connectors exported
0 rules saved to custom_rules
0 exception lists saved to None
0 action connectors saved to None
6 errors saved to custom_rules/_errors.txt
(detection-rules-build) ➜ detection-rules git:(3640-fr-new-terms-suppression-schema-updates) ✗
(detection-rules-build) ➜ detection-rules git:(3640-fr-new-terms-suppression-schema-updates) ✗ python -m detection_rules kibana --space "main" import-rules -d custom_rules -o
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
5 rule(s) successfully imported
- 3ea1fa0a-0a25-4043-b23e-450e1e9c5730
- 749ac911-16fd-406c-b1d1-d16b69322cbb
- 804d56c3-18bd-4e92-81f4-0c4f08af6e24
- c5904049-0d3a-4416-ad23-e1cceaf9f9f2
- fbdbcb5f-1e75-4931-92b2-aedc830c9b8e
Unit Tests
Have to test locally since we don't have rules with this feature in our repo yet.
Checklist
- Label for the type of PR (bug, enhancement, schema, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning) so guidelines can be generated
- Added the meta:rapid-merge label if planning to merge within 24 hours
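The PR summary above says the change adds alert suppression to the repo's schemas for additional rule types, gated on the Kibana version that introduced each. The following is an added example written for this page, not code from elastic/detection-rules: a stand-alone Python validator that mirrors the two TestAlertSuppression checks named in the reviewer's test run (test_eql_non_sequence_support_only and test_group_field_in_schemas) plus a per-rule-type minimum stack version gate. The per-type minimum versions, the known-field set, the group_by limit and the sample rule dicts are assumptions constructed for illustration; the page lists version numbers but does not pair them with rule types, so treat the table here as a placeholder to check against the Kibana schema you target.

```python
import re

# Assumed minimum stack version (major, minor) at which each rule type accepts
# alert_suppression; illustrative values, check the Kibana schema you target.
MIN_STACK_FOR_SUPPRESSION = {
    "query": (8, 8), "threshold": (8, 12), "threat_match": (8, 13),
    "new_terms": (8, 14), "eql": (8, 14), "machine_learning": (8, 15), "esql": (8, 15),
}
# Constructed stand-in for the ECS/integration field schema the real test resolves.
KNOWN_FIELDS = {"host.id", "user.name", "process.name", "source.ip"}
MAX_GROUP_BY_FIELDS = 3  # assumed Kibana limit on group_by
DURATION_UNITS = {"s", "m", "h"}
MISSING_FIELDS_STRATEGIES = {"suppress", "doNotSuppress"}
# EQL sequence queries begin with the `sequence` keyword; single-event queries
# are the only EQL form suppression supports.
SEQUENCE_RE = re.compile(r"^\s*sequence\b", re.IGNORECASE)


def parse_version(text):
    """'8.14.0' -> (8, 14, 0)."""
    return tuple(int(part) for part in text.split("."))


def validate_alert_suppression(rule):
    """Return problems with rule['rule']['alert_suppression']; [] means acceptable.
    `rule` is a parsed rule TOML document: {"metadata": {...}, "rule": {...}}."""
    meta, body = rule.get("metadata", {}), rule.get("rule", {})
    suppression = body.get("alert_suppression")
    if suppression is None:
        return []
    rule_type = body.get("type", "")
    min_stack = MIN_STACK_FOR_SUPPRESSION.get(rule_type)
    if min_stack is None:
        return [f"alert_suppression is not supported for rule type {rule_type!r}"]
    problems = []
    declared = meta.get("min_stack_version")
    if declared is None or parse_version(declared)[:2] < min_stack:
        problems.append(f"{rule_type} suppression requires min_stack_version >= "
                        f"{min_stack[0]}.{min_stack[1]}.0 (declared {declared!r})")

    # test_eql_non_sequence_support_only: sequence EQL cannot be suppressed.
    if rule_type == "eql" and SEQUENCE_RE.match(body.get("query", "")):
        problems.append("alert_suppression is only supported for non-sequence EQL queries")

    group_by = suppression.get("group_by")
    duration = suppression.get("duration")
    if rule_type == "threshold":
        # Threshold rules already aggregate, so only a duration applies.
        if group_by is not None:
            problems.append("threshold rules do not take group_by")
        if duration is None:
            problems.append("threshold suppression requires a duration")
    elif not group_by:
        problems.append("group_by is required and must not be empty")
    elif len(group_by) > MAX_GROUP_BY_FIELDS:
        problems.append(f"group_by allows at most {MAX_GROUP_BY_FIELDS} fields")
    else:
        # test_group_field_in_schemas: every group_by field must exist in the schema.
        problems.extend(f"group_by field {field!r} not found in schema"
                        for field in group_by if field not in KNOWN_FIELDS)

    if duration is not None:
        value, unit = duration.get("value"), duration.get("unit")
        if unit not in DURATION_UNITS or not isinstance(value, int) or value < 1:
            problems.append("duration must be {value: positive int, unit: s|m|h}")

    strategy = suppression.get("missing_fields_strategy")
    if strategy is not None and strategy not in MISSING_FIELDS_STRATEGIES:
        problems.append(f"unknown missing_fields_strategy {strategy!r}")
    return problems


# Constructed sample rules (not from the repository), in the shape tomllib
# produces from a rule file.
NEW_TERMS_RULE = {
    "metadata": {"min_stack_version": "8.14.0"},
    "rule": {
        "type": "new_terms",
        "query": "event.category:process and host.os.type:linux",
        "new_terms_fields": ["process.name"],
        "alert_suppression": {
            "group_by": ["host.id", "user.name"],
            "duration": {"value": 5, "unit": "m"},
            "missing_fields_strategy": "suppress",
        },
    },
}
SEQUENCE_EQL_RULE = {
    "metadata": {"min_stack_version": "8.14.0"},
    "rule": {
        "type": "eql",
        "query": "sequence by host.id [process where true] [network where true]",
        "alert_suppression": {"group_by": ["host.id", "no.such.field"]},
    },
}
```

Calling validate_alert_suppression(NEW_TERMS_RULE) returns an empty list, while SEQUENCE_EQL_RULE returns two problems: the sequence query and the unknown group_by field. The version gate is the part that matters for the downgrade work mentioned in the PR checklist: a rule declaring min_stack_version 8.14.0 with an esql suppression block is rejected under the assumed table, which is the condition a downgrade routine would need to strip or refuse before exporting to an older stack.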