[FR] Add negate DOES NOT MATCH capability to IM rule type (>=9.2)#5041

Merged
Mikaayenson merged 9 commits intomainfrom
im-not-matches
Sep 9, 2025

Conversation

@Mikaayenson
Contributor

@Mikaayenson Mikaayenson commented Aug 29, 2025

Pull Request

Issue link(s):

Summary - What I changed

  • Adds support for negate field (DOES NOT MATCH) in indicator match fields
  • Adds validation so that a single DOES NOT MATCH is not allowed, to match the Kibana PR

How To Test

  • Uses the sample rule provided by @vitaliidm used during his development
  • Test with the sample file provided
    • Validation fails on a single DOES NOT MATCH
    • negate field available after 9.2
    • Fail if match/not match on the same field
Sample Toml File

[metadata]
creation_date = "2025/08/29"
maturity = "production"
updated_date = "2025/08/29"
min_stack_version = "9.2.0"
min_stack_comments = "Breaking change at 9.2.0 for the negate field in threat mapping."

[rule]
actions = []
author = ["elastic"]
description = "Failing test"
filters = []
from = "now-5001h"
index = ["ecs_compliant"]
interval = "1h"
language = "kuery"
max_signals = 100
name = "Failing test"
note = "None"
risk_score = 21
rule_id = "73ac6c85-515f-4f27-a386-47f5f7953f66"
setup = "None"
severity = "low"
threat_index = ["ecs_compliant"]
threat_indicator_path = "threat.indicator"
threat_language = "kuery"
to = "now"
type = "threat_match"

query = '''
NOT agent.type:threat
'''

threat_query = '''
agent.type:threat
'''

[[rule.threat_mapping]]

[[rule.threat_mapping.entries]]
field = "geo.country_name"
negate = true
type = "mapping"
value = "geo.country_name"

[[rule.threat_mapping.entries]]
field = "user.name"
negate = false
type = "mapping"
value = "user.name"

[rule.meta]
kibana_siem_app_url = "http://localhost:5620/app/security"

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

@Mikaayenson Mikaayenson requested a review from vitaliidm August 29, 2025 19:56
@Mikaayenson Mikaayenson self-assigned this Aug 29, 2025
@Mikaayenson Mikaayenson added enhancement New feature or request schema labels Aug 29, 2025
@botelastic botelastic bot added the python Internal python for the repository label Aug 29, 2025
@github-actions
Contributor

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR patch, minor, major.


Contributor

@eric-forte-elastic eric-forte-elastic left a comment

🟢 Manual review, looks good to me! 👍

@Mikaayenson Mikaayenson added patch and removed minor labels Sep 9, 2025
@Mikaayenson Mikaayenson merged commit 35b000b into main Sep 9, 2025
15 checks passed
@Mikaayenson Mikaayenson deleted the im-not-matches branch September 9, 2025 15:58

Labels

backport: auto enhancement New feature or request patch python Internal python for the repository schema
