forked from elastic/kibana
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[SIEM][Detections] - Update KQL/Lucene search to include lists except…
…ions (elastic#63264) (elastic#63856) [SIEM][Detections] - Update KQL/Lucene search to include lists exceptions (elastic#63264) ### Summary This PR adds logic to include the lists values in search so we can now filter off of lists. - does work with KQL search - does work with Lucene search - does NOT yet filter off of large lists (will be separate PR) - does NOT yet work on ML search (will be separate PR)
- Loading branch information
Showing
18 changed files
with
1,959 additions
and
66 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
35 changes: 35 additions & 0 deletions
35
.../plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_and.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| { | ||
| "name": "List - and", | ||
| "description": "Query with a list that includes and. This rule should only produce signals when host.name exists and when both event.module is endgame and event.category is anything other than file", | ||
| "rule_id": "query-with-list-and", | ||
| "risk_score": 1, | ||
| "severity": "high", | ||
| "type": "query", | ||
| "query": "host.name: *", | ||
| "interval": "30s", | ||
| "language": "kuery", | ||
| "lists": [ | ||
| { | ||
| "field": "event.module", | ||
| "values_operator": "excluded", | ||
| "values_type": "match", | ||
| "values": [ | ||
| { | ||
| "name": "endgame" | ||
| } | ||
| ], | ||
| "and": [ | ||
| { | ||
| "field": "event.category", | ||
| "values_operator": "included", | ||
| "values_type": "match", | ||
| "values": [ | ||
| { | ||
| "name": "file" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } |
23 changes: 23 additions & 0 deletions
23
...ins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_excluded.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| { | ||
| "name": "List - excluded", | ||
| "description": "Query with a list of values_operator excluded. This rule should only produce signals when host.name exists and event.module is suricata", | ||
| "rule_id": "query-with-list-excluded", | ||
| "risk_score": 1, | ||
| "severity": "high", | ||
| "type": "query", | ||
| "query": "host.name: *", | ||
| "interval": "30s", | ||
| "language": "kuery", | ||
| "lists": [ | ||
| { | ||
| "field": "event.module", | ||
| "values_operator": "excluded", | ||
| "values_type": "match", | ||
| "values": [ | ||
| { | ||
| "name": "suricata" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } |
18 changes: 18 additions & 0 deletions
18
...ugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_exists.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| { | ||
| "name": "List - exists", | ||
| "description": "Query with a list that includes exists. This rule should only produce signals when host.name exists and event.action does not exist", | ||
| "rule_id": "query-with-list-exists", | ||
| "risk_score": 1, | ||
| "severity": "high", | ||
| "type": "query", | ||
| "query": "host.name: *", | ||
| "interval": "30s", | ||
| "language": "kuery", | ||
| "lists": [ | ||
| { | ||
| "field": "event.action", | ||
| "values_operator": "included", | ||
| "values_type": "exists" | ||
| } | ||
| ] | ||
| } |
54 changes: 54 additions & 0 deletions
54
...plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_list.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| { | ||
| "name": "Query with a list", | ||
| "description": "Query with a list. This rule should only produce signals when either host.name exists and event.module is system and user.name is zeek or gdm OR when host.name exists and event.module is not endgame or zeek or system.", | ||
| "rule_id": "query-with-list", | ||
| "risk_score": 2, | ||
| "severity": "high", | ||
| "type": "query", | ||
| "query": "host.name: *", | ||
| "interval": "30s", | ||
| "language": "kuery", | ||
| "lists": [ | ||
| { | ||
| "field": "event.module", | ||
| "values_operator": "excluded", | ||
| "values_type": "match", | ||
| "values": [ | ||
| { | ||
| "name": "system" | ||
| } | ||
| ], | ||
| "and": [ | ||
| { | ||
| "field": "user.name", | ||
| "values_operator": "excluded", | ||
| "values_type": "match_all", | ||
| "values": [ | ||
| { | ||
| "name": "zeek" | ||
| }, | ||
| { | ||
| "name": "gdm" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "field": "event.module", | ||
| "values_operator": "included", | ||
| "values_type": "match_all", | ||
| "values": [ | ||
| { | ||
| "name": "endgame" | ||
| }, | ||
| { | ||
| "name": "zeek" | ||
| }, | ||
| { | ||
| "name": "system" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } |
23 changes: 23 additions & 0 deletions
23
...lugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_match.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| { | ||
| "name": "List - match", | ||
| "description": "Query with a list that includes match. This rule should only produce signals when host.name exists and event.module is not suricata", | ||
| "rule_id": "query-with-list-match", | ||
| "risk_score": 1, | ||
| "severity": "high", | ||
| "type": "query", | ||
| "query": "host.name: *", | ||
| "interval": "30s", | ||
| "language": "kuery", | ||
| "lists": [ | ||
| { | ||
| "field": "event.module", | ||
| "values_operator": "included", | ||
| "values_type": "match", | ||
| "values": [ | ||
| { | ||
| "name": "suricata" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } |
26 changes: 26 additions & 0 deletions
26
...ns/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_match_all.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| { | ||
| "name": "List - match_all", | ||
| "description": "Query with a list that includes match_all. This rule should only produce signals when host.name exists and event.module is not suricata or auditd", | ||
| "rule_id": "query-with-list-match-all", | ||
| "risk_score": 1, | ||
| "severity": "high", | ||
| "type": "query", | ||
| "query": "host.name: *", | ||
| "interval": "30s", | ||
| "language": "kuery", | ||
| "lists": [ | ||
| { | ||
| "field": "event.module", | ||
| "values_operator": "included", | ||
| "values_type": "match_all", | ||
| "values": [ | ||
| { | ||
| "name": "suricata" | ||
| }, | ||
| { | ||
| "name": "auditd" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } |
32 changes: 32 additions & 0 deletions
32
...y/plugins/siem/server/lib/detection_engine/scripts/rules/queries/lists/query_with_or.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| { | ||
| "name": "List - or", | ||
| "description": "Query with a list that includes or. This rule should only produce signals when host.name exists and event.module is suricata OR when host.name exists and event.category is file", | ||
| "rule_id": "query-with-list-or", | ||
| "risk_score": 1, | ||
| "severity": "high", | ||
| "type": "query", | ||
| "query": "host.name: *", | ||
| "interval": "30s", | ||
| "lists": [ | ||
| { | ||
| "field": "event.module", | ||
| "values_operator": "excluded", | ||
| "values_type": "match", | ||
| "values": [ | ||
| { | ||
| "name": "suricata" | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "field": "event.category", | ||
| "values_operator": "excluded", | ||
| "values_type": "match", | ||
| "values": [ | ||
| { | ||
| "name": "file" | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } |
41 changes: 0 additions & 41 deletions
41
...egacy/plugins/siem/server/lib/detection_engine/scripts/rules/queries/query_with_list.json
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.