
[SIEM] Add initial candidate rules for 7.8 merge may 4 #65169

Merged
randomuserid merged 6 commits into master from 78-rules-merge-may-4
May 5, 2020

Conversation


@randomuserid randomuserid commented May 4, 2020

Summary

First pass at rule additions for v 7.8


Craig added 3 commits May 4, 2020 15:51
populated rules with a package from the siem-rules repo
adjust rule count to 145
@randomuserid randomuserid requested review from a team as code owners May 4, 2020 20:06
@elasticmachine (Contributor)

Pinging @elastic/siem (Team:SIEM)

@randomuserid randomuserid added release_note:skip Skip the PR/issue when compiling release notes v7.8 v8.0.0 v7.8.0 and removed v7.8 labels May 4, 2020
@rw-access (Contributor) previously approved these changes May 4, 2020 and left a comment:

LGTM.
Only request is to update the title of the PR to something more meaningful, e.g. [SIEM] Add initial candidate rules for 7.8

@rw-access (Contributor) left a comment:

Looks like you're missing the rules .gz file.

@randomuserid randomuserid changed the title 78 rules merge may 4 [SIEM] Add initial candidate rules for 7.8 merge may 4 May 4, 2020
@rw-access rw-access dismissed their stale review May 4, 2020 21:16

pending the .gz and passing tests


spong commented May 4, 2020

@elasticmachine merge upstream

@brokensound77 (Contributor) left a comment:

👍 looks like versions aligned as expected

@randomuserid randomuserid requested a review from spong May 4, 2020 22:05
@spong (Member) left a comment:

LGTM! 👍 Nice to see the conversion script standardizing on the EoF newline and sorted keys.

@randomuserid randomuserid requested a review from crowens May 5, 2020 15:36
"language": "kuery",
"name": "Attempt to Disable IPTables or Firewall",
"query": "event.action:(executed or process_started) and (process.name:service and process.args:stop or process.name:chkconfig and process.args:off) and process.args:(ip6tables or iptables) or process.name:systemctl and process.args:(firewalld and (disable or stop or kill))",
"risk_score": 47,

Just wondering, how are these defined? I see that the user can select whatever risk_score they want when creating a rule. Is this arbitrary at 47, or is there some meaning behind where it came from?

randomuserid (Contributor, PR author) replied:

They are linked to severity by default.
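
As an added example (not code from this PR or from Kibana), the kuery rule quoted in the review thread above, translated by hand into a Python predicate and run over a few constructed process events, plus a helper that reverses the severity-to-risk_score default the author refers to. The page only says the two are linked by default; the concrete mapping used here (low 21, medium 47, high 73, critical 99) is the Kibana rule form's default as I know it, stated as an assumption. Field names and values follow the query text; the sample events are constructed, not real telemetry.

```python
# Added example (not Kibana code): evaluate the quoted kuery rule, translated by
# hand, over constructed process events, and map risk_score back to its default
# severity.

# The rule fragment quoted in the review thread (other rule fields omitted).
RULE = {
    "language": "kuery",
    "name": "Attempt to Disable IPTables or Firewall",
    "query": (
        "event.action:(executed or process_started) and "
        "(process.name:service and process.args:stop or "
        "process.name:chkconfig and process.args:off) and "
        "process.args:(ip6tables or iptables) or "
        "process.name:systemctl and process.args:(firewalld and (disable or stop or kill))"
    ),
    "risk_score": 47,
}

# Assumption: the Kibana rule form's default risk_score for each severity.
# The PR thread only says the two are "linked ... by default"; these numbers are
# the UI defaults as known to the example author, not values quoted on the page.
DEFAULT_RISK_SCORE_BY_SEVERITY = {"low": 21, "medium": 47, "high": 73, "critical": 99}


def default_severity_for(risk_score):
    """Return the severity whose default score equals risk_score, or None when
    the score was customised away from the defaults."""
    for severity, score in DEFAULT_RISK_SCORE_BY_SEVERITY.items():
        if score == risk_score:
            return severity
    return None


def matches(event):
    """Hand translation of RULE["query"].

    KQL binds 'and' tighter than 'or', so the query is two alternatives: the
    service/chkconfig branch (constrained by event.action) and the
    systemctl/firewalld branch (which, as written, is not).
    process.args is an array field; a term matches if any element equals it.
    """
    action = event.get("event.action")
    name = event.get("process.name")
    args = set(event.get("process.args", []))

    iptables_branch = (
        action in {"executed", "process_started"}
        and ((name == "service" and "stop" in args)
             or (name == "chkconfig" and "off" in args))
        and bool(args & {"iptables", "ip6tables"})
    )
    firewalld_branch = (
        name == "systemctl"
        and "firewalld" in args
        and bool(args & {"disable", "stop", "kill"})
    )
    return iptables_branch or firewalld_branch


# Constructed sample events (not real telemetry). "id" is only for reporting.
SAMPLE_EVENTS = [
    {"id": "svc-stop", "event.action": "executed",
     "process.name": "service", "process.args": ["service", "iptables", "stop"]},
    {"id": "chkconfig-off", "event.action": "process_started",
     "process.name": "chkconfig", "process.args": ["chkconfig", "ip6tables", "off"]},
    {"id": "systemctl-disable", "event.action": "executed",
     "process.name": "systemctl", "process.args": ["systemctl", "disable", "firewalld"]},
    {"id": "svc-restart", "event.action": "executed",
     "process.name": "service", "process.args": ["service", "iptables", "restart"]},
    {"id": "systemctl-status", "event.action": "executed",
     "process.name": "systemctl", "process.args": ["systemctl", "status", "firewalld"]},
    {"id": "svc-stop-ended", "event.action": "process_ended",
     "process.name": "service", "process.args": ["service", "iptables", "stop"]},
    {"id": "systemctl-stop-ended", "event.action": "process_ended",
     "process.name": "systemctl", "process.args": ["systemctl", "stop", "firewalld"]},
]


def alerting_event_ids(events=SAMPLE_EVENTS):
    """Ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(RULE["name"], "-> default severity:", default_severity_for(RULE["risk_score"]))
    for event_id in alerting_event_ids():
        print("alert:", event_id)
```

The two "-ended" events show the precedence point: the service/chkconfig branch is gated on event.action and so does not fire for a process_ended event, while the systemctl/firewalld branch as quoted carries no event.action term and fires regardless.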


spong commented May 5, 2020

@elasticmachine merge upstream

@randomuserid randomuserid removed the request for review from crowens May 5, 2020 17:09
@randomuserid randomuserid merged commit bec09fd into master May 5, 2020
randomuserid added a commit to randomuserid/kibana that referenced this pull request May 5, 2020
* 78 rules

populated rules with a package from the siem-rules repo

* Update index.ts

* Update rule.ts

adjust rule count to 145

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
@rw-access rw-access deleted the 78-rules-merge-may-4 branch May 5, 2020 21:11
@kibanamachine (Contributor)

💚 Build Succeeded

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

spong added a commit that referenced this pull request May 6, 2020
* 78 rules

populated rules with a package from the siem-rules repo

* Update index.ts

* Update rule.ts

adjust rule count to 145

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Garrett Spong <spong@users.noreply.github.com>

@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Sep 23, 2021
@elasticmachine (Contributor)

Pinging @elastic/security-solution (Team: SecuritySolution)
