[New Rule] Threat intel indicator match rule

[peasead]

Issues

Resolves #1065
Resolves https://github.com/elastic/protections-team/issues/368

Summary

This adds an Indicator Match rule for the Detection Engine. The indicators are provided by the Threat Intel Filebeat module from the following sources:

• Abuse Malware
• Abuse URL
• Anomali Limo
• AlienVault OTX
• Malware Bazaar
• MISP

Of note, currently, the Indicator Match rule type isn't in the detection_rules module, so this rule was exported from the Detection Engine and converted to TOML manually. This will likely need some massaging to pass unit tests.

Contributor checklist

• Have you signed the contributor license agreement? Yes
• Have you followed the contributor guidelines? Yes

[brokensound77]

👋

• Add threat_match rule type #1138 adds support for the rule type

Some other dependencies before this will pass

• need to add support for wildcards in field names (Add wildcard field support to KQL #1139)
• need to refresh to latest beats (and ECS) schemas (Refresh beats and ecs schemas #1140)

A separate PR will be added for CLI support of the rule type

[brokensound77]

I had to manually lint/format this @rw-access . There appears to be an issue with the MarshmallowDataclassMixin.to_dict method on schema.dump, but I think it is only happening on threat_match rules, so it may not be rendering the schema properly. As of now, it strips a lot of fields

[rw-access]

hmm... is this the right call?
IIRC, this blew up the schema significantly before and added more fields that shouldn't be there.
do you have a sense what new fields and how many were added?

[brokensound77]

not for every module, but threatintel.indicator* (and some other threatintel.* specifically was entirely embedded under this. Not sure if this is actually where beta fields are stuffed, but it seems consistent. Without it, validation will fail on threatintel.indicator*

[rw-access]

yeah, i'm following that this is the only way for this rule to be validated.
we should double check the impact on the schema and validation in general. i think for other beats and modules, this brings in more fields than is correct

[brokensound77]

Here is a full dump of what's included per beats/module in the base directory only:

beats-module-base-fields.txt

[rw-access]

👍

[rw-access]

it's kinda too bad that this all get flattened, but that's more of a kibana API thing
i think it would be nicer if the fields were all namespaced by type instead of jammed together

[brokensound77]

Successfully exported and imported into Kibana

If all of the rule data looks accurate to you @peasead, then LGTM to merge 👍

[peasead]

Solid.

The indicator match timeline template should be in 7.13, would that be a timeline UUID I could add now?

[brokensound77]

Solid.

The indicator match timeline template should be in 7.13, would that be a timeline UUID I could add now?

yep, just find the guid and timeline title (and test 🙂 )

[peasead]

Here's the GUID (495ad7a7-316e-4544-8a0f-9c098daee76e), but how would I test that?

https://raw.githubusercontent.com/elastic/kibana/master/x-pack/plugins/security_solution/server/lib/detection_engine/rules/prepackaged_timelines/threat.json

[brokensound77]

add this to the rule and upload it to a stack that has that template

timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"

Unit tests/validation may need to be updated to pass

[brokensound77]

92562bc

FYSA @rw-access in a separate PR we can start removing irrelevant tests and moving others to within the marshmallow schema validation under TOMLRuleContents.