Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Convert windows rules from KQL to EQL #1114

Merged
merged 38 commits into from
Apr 30, 2021
Merged

Convert windows rules from KQL to EQL #1114

merged 38 commits into from
Apr 30, 2021

Conversation

brokensound77
Copy link
Collaborator

Issues

resolves #1113

Summary

Converts all windows KQL rules to EQL for case resiliency.

For reviewers

The most important thing for this review (in order)

  • Ensure logic wasn't unintentionally changed as a result of a conversion
  • Verify all necessary case-insensitive syntax was applied (where necessary) (== to : and in to :)
  • everything else

@brokensound77 brokensound77 added Rule: Tuning tweaking or tuning an existing rule OS: Windows windows related rules v7.13.0 7.13 rules release package labels Apr 14, 2021
@rw-access
Copy link
Contributor

@Samirbous thanks for all the enhancements to the rules! From a quick glance they look good, but are beyond the original scope of this PR.

For some more context and sharing my process:

One of the biggest downsides of scope and having multiple contributors making commits to a PR is that it's hard for them to coordinate and they have different goals in mind for what "done" means. It also makes it difficult as a reviewer because merging a PR is always all-or-nothing so additional changes could slow the merge.

That said, in thinking that we might want to move your commits to a new PR (don't worry this can be done fairly painlessly and I'll be glad to help make it happen), so that we can get the KQL -> EQL conversion done first. Then it'll be easier to sort through all of the helpful contributions you made.

@Samirbous
Copy link
Contributor

Samirbous commented Apr 15, 2021
edited
Loading

@Samirbous thanks for all the enhancements to the rules! From a quick glance they look good, but are beyond the original scope of this PR.

For some more context and sharing my process:

One of the biggest downsides of scope and having multiple contributors making commits to a PR is that it's hard for them to coordinate and they have different goals in mind for what "done" means. It also makes it difficult as a reviewer because merging a PR is always all-or-nothing so additional changes could slow the merge.

That said, in thinking that we might want to move your commits to a new PR (don't worry this can be done fairly painlessly and I'll be glad to help make it happen), so that we can get the KQL -> EQL conversion done first. Then it'll be easier to sort through all of the helpful contributions you made.

@rw-access As long as they will be incorporated automagically I'm fine with that (most tuning were related to kql -> eql like replacing driver letter C with ?, few were quick adjustment to wrong syntax/logic like a rule with file where process.parent.name ... or process where dll.name ... ).

@bm11100 bm11100 mentioned this pull request Apr 15, 2021
Merged
rw-access
rw-access reviewed Apr 22, 2021
View reviewed changes
Copy link
Contributor

@rw-access rw-access left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good after the suggestions are applied

@brokensound77
Merge remote-tracking branch 'upstream/main' into convert-windows-kql…
cc356e8 
…-to-eql

# Conflicts:
#	rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml
#	rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml
#	rules/_deprecated/execution_command_shell_started_by_powershell.toml
@brokensound77 @bm11100 @rw-access
small tweaks to queries from feedback
145679d 
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
dstepanic
dstepanic approved these changes Apr 30, 2021
View reviewed changes
Copy link
Contributor

@dstepanic dstepanic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@brokensound77 brokensound77 merged commit 82ec6ac into elastic:main Apr 30, 2021
@brokensound77 brokensound77 deleted the convert-windows-kql-to-eql branch April 30, 2021 19:21
@TotalKnob TotalKnob mentioned this pull request Aug 8, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rw-access rw-access rw-access left review comments

@bm11100 bm11100 bm11100 approved these changes

@dstepanic dstepanic dstepanic approved these changes

@Samirbous Samirbous Awaiting requested review from Samirbous

Assignees
No one assigned
Labels
OS: Windows windows related rules Rule: Tuning tweaking or tuning an existing rule v7.13.0 7.13 rules release package
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Rule Tuning] Convert KQL rules to EQL for case resiliency
5 participants
@brokensound77 @rw-access @Samirbous @bm11100 @dstepanic