You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the bug
Exported rules which are in ndjson format have extra metadata which causes importing to fail for several CLI commands.
create-rule -c
load-from-file
view-rule
{"actions":[],"created_at":"2020-07-21T13:52:18.527Z","updated_at":"2020-07-21T13:52:18.544Z","created_by":"elastic","description":"This is a demo of an example rule","enabled":false,"false_positives":["Sometimes cmd is benign :)"],"filters":[],"from":"now-360s","id":"90f6cdcb-6211-4985-ab75-c6253fcdd868","immutable":false,"index":["winlogbeat-*"],"interval":"5m","rule_id":"6b9d2af4-84c8-4e38-a697-2d5d455a9e86","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"name":"Example Custom Rule","query":"process.name:cmd.exe and process.args:\"-c\"","references":["https://google.com"],"meta":{"from":"1m","kibana_siem_app_url":"https://703efb61c6ee4b14b36f7f4a9674a5ea.us-west-2.aws.found.io:9243/app/siem"},"severity":"low","updated_by":"elastic","tags":["Windows"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution"},"technique":[{"id":"T1064","name":"Scripting","reference":"https://attack.mitre.org/techniques/T1064"}]}],"throttle":"no_actions","note":"## Triage\nWhy are they executing `cmd.exe`?","version":1}
{"exported_count":1,"missing_rules":[],"missing_rules_count":0}
Expected behavior
The CLI should be updated to be able to understand importing the ndjson formatted rules and ignore extra data. It currently has the ability to parse json, toml, and yaml.
Rules will still need to be able to validate against the schema to be accepted
Describe the bug
Exported rules which are in ndjson format have extra metadata which causes importing to fail for several CLI commands.
create-rule -cload-from-fileview-rule{"actions":[],"created_at":"2020-07-21T13:52:18.527Z","updated_at":"2020-07-21T13:52:18.544Z","created_by":"elastic","description":"This is a demo of an example rule","enabled":false,"false_positives":["Sometimes cmd is benign :)"],"filters":[],"from":"now-360s","id":"90f6cdcb-6211-4985-ab75-c6253fcdd868","immutable":false,"index":["winlogbeat-*"],"interval":"5m","rule_id":"6b9d2af4-84c8-4e38-a697-2d5d455a9e86","language":"kuery","output_index":".siem-signals-default","max_signals":100,"risk_score":50,"name":"Example Custom Rule","query":"process.name:cmd.exe and process.args:\"-c\"","references":["https://google.com"],"meta":{"from":"1m","kibana_siem_app_url":"https://703efb61c6ee4b14b36f7f4a9674a5ea.us-west-2.aws.found.io:9243/app/siem"},"severity":"low","updated_by":"elastic","tags":["Windows"],"to":"now","type":"query","threat":[{"framework":"MITRE ATT&CK","tactic":{"id":"TA0002","reference":"https://attack.mitre.org/tactics/TA0002","name":"Execution"},"technique":[{"id":"T1064","name":"Scripting","reference":"https://attack.mitre.org/techniques/T1064"}]}],"throttle":"no_actions","note":"## Triage\nWhy are they executing `cmd.exe`?","version":1} {"exported_count":1,"missing_rules":[],"missing_rules_count":0}To Reproduce
Steps to reproduce the behavior:
python -m detection_rules -c export.ndjson new_rule.toml --required-onlyExpected behavior
The CLI should be updated to be able to understand importing the ndjson formatted rules and ignore extra data. It currently has the ability to parse json, toml, and yaml.
Rules will still need to be able to validate against the schema to be accepted
Additional context
related to #76
The text was updated successfully, but these errors were encountered: