bc5 siem rules merge #62679
Conversation
- version changes
- field changes to endpoint rules
- removed max_signals from 7 rules
Pinging @elastic/siem (Team:SIEM)
@elasticmachine merge upstream

Checked out and tests are passing locally -- possible flakiness? Verifying other possibilities while build continues...
...server/lib/detection_engine/rules/prepackaged_rules/windows_certutil_network_connection.json
.../plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_cve_2020_0601.json
...r/lib/detection_engine/rules/prepackaged_rules/windows_execution_via_net_com_assemblies.json
...server/lib/detection_engine/rules/prepackaged_rules/windows_modification_of_boot_config.json
.../plugins/siem/server/lib/detection_engine/rules/prepackaged_rules/windows_msxsl_network.json
.../server/lib/detection_engine/rules/prepackaged_rules/windows_net_command_system_account.json
...iem/server/lib/detection_engine/rules/prepackaged_rules/windows_uac_bypass_event_viewer.json
LGTM once green on CI! Thanks for the updates @randomuserid!
A few comments:
- This branch adds carriage returns (^M) to all files, resulting in a lot of unnecessary churn.
- There are several examples of rules being changed without the version being bumped, as @spong has noted.
- There are also examples of rules not changing but the version being bumped anyway.
It sounds like you've been discussing this offline, so I'm going to leave these as general comments and let you work out what needs to be changed.
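The three review findings above (CRLF churn, rule edits without a version bump, version bumps without an edit) are mechanical enough to check before pushing. The following is an added example, not code from the Kibana repository or from anyone in this thread; the rule fields are constructed for illustration, and a missing "version" is assumed to mean 1.

```python
"""Pre-push checks for a prepackaged SIEM rule JSON file (added example)."""
import json

# Assumption: a rule file with no "version" field counts as version 1.
DEFAULT_VERSION = 1


def has_carriage_returns(raw: bytes) -> bool:
    """True if the file contains any CR byte (CRLF or bare CR line endings)."""
    return b"\r" in raw


def _body(rule: dict) -> dict:
    """Every field of the rule except its version, for content comparison."""
    return {k: v for k, v in rule.items() if k != "version"}


def check_rule_change(old_raw: bytes, new_raw: bytes) -> list:
    """Return finding names for one rule file given its old and new bytes."""
    findings = []
    if has_carriage_returns(new_raw) and not has_carriage_returns(old_raw):
        findings.append("crlf-introduced")
    old, new = json.loads(old_raw), json.loads(new_raw)
    old_version = old.get("version", DEFAULT_VERSION)
    new_version = new.get("version", DEFAULT_VERSION)
    body_changed = _body(old) != _body(new)
    if body_changed and new_version <= old_version:
        findings.append("changed-without-version-bump")
    if not body_changed and new_version != old_version:
        findings.append("version-bumped-without-change")
    return findings


# Constructed sample rule (identifiers and query are invented).
OLD_RULE = json.dumps({"rule_id": "example-0001", "name": "Example rule",
                       "query": "process.name:example.exe", "max_signals": 33,
                       "version": 1}).encode()
# Edit that drops max_signals, keeps version 1, and is saved with CRLF endings.
NEW_RULE_UNBUMPED = json.dumps({"rule_id": "example-0001", "name": "Example rule",
                                "query": "process.name:example.exe",
                                "version": 1}, indent=2).encode().replace(b"\n", b"\r\n")
# Same content as OLD_RULE with only the version bumped.
NEW_RULE_BUMPED_ONLY = json.dumps({"rule_id": "example-0001", "name": "Example rule",
                                   "query": "process.name:example.exe",
                                   "max_signals": 33, "version": 2}).encode()

if __name__ == "__main__":
    print(check_rule_change(OLD_RULE, NEW_RULE_UNBUMPED))
    print(check_rule_change(OLD_RULE, NEW_RULE_BUMPED_ONLY))
```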
The rule files need to be converted from CRLF to LF for consistency (with no other changes). Should I wait to push this commit for additional tests to run or can I push now?
lgtm when tests pass
for Garrett
💚 Build Succeeded
* bc5 rule merge
  version changes
  field changes to endpoint rules
  removed max_signals from 7 rules
* Fixing monitoring i18n (elastic#62715)
* Updates esarchiver test data with the latest rules (elastic#62723)
* Remove CR, only CRLF for rules
* delete two files for Garrett
* deletes
  delete 2 files (for Garrett)
* Revert "deletes"
  This reverts commit cc2ac1e.
* Revert "Fixing monitoring i18n (elastic#62715)"
  This reverts commit 0285740.

Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: Garrett Spong <[email protected]>
Co-authored-by: Ross Wolf <[email protected]>
* bc5 rule merge
  version changes
  field changes to endpoint rules
  removed max_signals from 7 rules
* Fixing monitoring i18n (#62715)
* Updates esarchiver test data with the latest rules (#62723)
* Remove CR, only CRLF for rules
* delete two files for Garrett
* deletes
  delete 2 files (for Garrett)
* Revert "deletes"
  This reverts commit cc2ac1e.
* Revert "Fixing monitoring i18n (#62715)"
  This reverts commit 0285740.

Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: Garrett Spong <[email protected]>
Co-authored-by: Ross Wolf <[email protected]>
Co-authored-by: The SpaceCake Project <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>
Co-authored-by: Ross Wolf <[email protected]>
* master: (36 commits)
  [data.search.aggs] Remove service getters from agg types (elastic#61628)
  fixing APM internationalization (elastic#62757)
  fix: 🐛 correctly create error on no_matching_indices (elastic#61257)
  [Lens] Remove all legacy imports (elastic#62596)
  Add label for ace editor (elastic#62588)
  [ML] Show better file structure finder explanations (elastic#62316)
  Fix old pathes in eslintrc (elastic#62580)
  [Uptime] Improve Telemetry test (elastic#62428)
  [SIEM] Adds sort rules Cypress test (elastic#62700)
  [Uptime]Abstracted 'access:uptime-read' tag into a wrapper for… (elastic#62576)
  fixing bug (elastic#62577)
  [Maps] Allow updating requestType for ESGeoGridSource (elastic#62365)
  [Maps] do not show circle border when symbol size is zero (elastic#62644)
  [Maps] Always show current zoom level (elastic#62684)
  bc5 siem rules merge (elastic#62679)
  Revert "[Monitoring] Cluster state watch to Kibana alerting (elastic#61685)"
  Fix visual tests (elastic#62660)
  [Telemetry] update crypto packages (elastic#62469)
  [DOCS] Removed references to left (elastic#60807)
  [Maps] Move layers to np maps (elastic#61877)
  ...
Pinging @elastic/security-solution (Team: SecuritySolution)
incremented version numbers for modified rules
field changes to endpoint signal rules
removed max_signals param from 7 rules
Summary
A few changes to the siem rules.