
Conversation

@terrancedejesus (Contributor)

Issues

Please refer to the issue for a detailed explanation.

Comment on lines 18 to 25
"previous": {
"8.2": {
"rule_name": "Potential Credential Access via Windows Utilities",
"sha256": "3c01d95323f7c5eb6e183e2123acd3cdd13019c938cea3a4331856c7fc486ca7",
"type": "eql",
"version": 8
}
},
Contributor

Did this overwrite the old previous? Where is the 7.16 previous?

Contributor Author

These are min_stacked but have not been forked yet.

  "00140285-b827-4aee-aa09-8113f58a08f3": {
    "min_stack_version": "7.16",
    "rule_name": "Potential Credential Access via Windows Utilities",
    "sha256": "3c01d95323f7c5eb6e183e2123acd3cdd13019c938cea3a4331856c7fc486ca7",
    "type": "eql",
    "version": 8
  }

@Mikaayenson (Contributor) left a comment

LGTM

@terrancedejesus (Contributor Author)

terrancedejesus commented Aug 19, 2022

Removed version updates from rules where the type is machine_learning or threat_match.

@terrancedejesus (Contributor Author)

It seems that a min_stack is automatically applied to the version lock contents in memory when running the following command and no min_stack_version is defined in the metadata of a rule. I checked out 8.3 and applied the version lock file changes from this PR to see how it would handle the next release, since all rules will be soft locked at 8.2.

Command: python -m detection_rules dev build-release --update-version-lock

As seen below, 8.2 was not changed, but current was and the version bumped +1 as expected.

  "ff4dd44a-0ac6-44c4-8609-3f81bc820f02": {
    "previous": {
      "8.2": {
        "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
        "sha256": "4f9627d3b6b169fbfa945c83748ecb0c9a8e9b3b4ebcbcc162dcc625c469e507",
        "type": "query",
        "version": 8
      }
    },
    "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
    "sha256": "fc351b0cc10d8a1965cf0141354b791c9540afb352e1caa4ea00d7b32cb3caba",
    "type": "query",
    "version": 11
  }

However, if checking out the 8.2 branch, we would expect the route to be chosen based on a previous entry existing where the key or stack value matches the current branch, and to adjust that hash and version only. At this time it does not, as the version lock file produced the same results as above.

We may need to introduce a new route in version_lock.manage_versions where soft locking is taken into consideration or expand on this in an existing route.

@terrancedejesus (Contributor Author)

account for soft lock version stack reference in version_lock.manage_versions

if lock_from_file:
    name = lock_from_rule['rule_name']
    existing_type = lock_from_file['type']
    current_type = lock_from_rule['type']
    if existing_type != current_type:
        err_msg = f'cannot change "type" in locked rule: {name} from {existing_type} to {current_type}'
        raise ValueError(err_msg)
    if "min_stack_version" not in lock_from_file:
        # take into account soft locking where min_stack_version is not defined:
        # derive it from the first "previous" key (major.minor only)
        if "previous" in lock_from_file:
            soft_min_stack_version = Version(Version(list(lock_from_file.get("previous").keys())[0])[:2])
            lock_from_file["min_stack_version"] = soft_min_stack_version
            min_stack = soft_min_stack_version
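The routing described in the earlier comment (on the 8.2 branch, adjust only the previous entry whose key matches the checked-out stack; on the newest branch, adjust the top-level entry) and the soft-lock derivation in the snippet above, as an added illustration written for this page. It is not code from the detection-rules project: parse_version, rule_hash, effective_min_stack, update_lock_entry and the sample rule body are assumptions, the hash routine stands in for the project's own rule hashing, and the lock entry shape is copied from the one quoted in the thread. The soft-lock helper generalises the snippet slightly by taking the oldest previous key rather than the first one.

```python
# Added illustration, not detection_rules project code: a small model of how a
# version-lock entry can be routed by the checked-out stack branch, including
# the soft-lock case where no min_stack_version is recorded.
import copy
import hashlib
import json
from typing import Optional, Tuple

# Constructed sample: shape copied from the lock entry quoted in the thread.
SAMPLE_LOCK_ENTRY = {
    "previous": {
        "8.2": {
            "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
            "sha256": "4f9627d3b6b169fbfa945c83748ecb0c9a8e9b3b4ebcbcc162dcc625c469e507",
            "type": "query",
            "version": 8,
        }
    },
    "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
    "sha256": "fc351b0cc10d8a1965cf0141354b791c9540afb352e1caa4ea00d7b32cb3caba",
    "type": "query",
    "version": 11,
}

# Constructed stand-in for the rule's TOML contents (hypothetical).
SAMPLE_RULE = {
    "rule_name": "Microsoft 365 Exchange Transport Rule Creation",
    "type": "query",
    "query": "placeholder query body",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.2' -> (8, 2); '7.16.1' -> (7, 16, 1)."""
    return tuple(int(part) for part in text.split("."))


def rule_hash(rule: dict) -> str:
    """Stable digest of rule contents; hypothetical stand-in for the project's hash."""
    return hashlib.sha256(json.dumps(rule, sort_keys=True).encode()).hexdigest()


def effective_min_stack(lock_entry: dict) -> Optional[Tuple[int, ...]]:
    """Soft-lock handling: when min_stack_version is absent, derive it from the
    oldest "previous" key (major.minor only). Returns None if nothing is known."""
    if "min_stack_version" in lock_entry:
        return parse_version(lock_entry["min_stack_version"])[:2]
    previous = lock_entry.get("previous") or {}
    if previous:
        return min(parse_version(key)[:2] for key in previous)
    return None


def update_lock_entry(lock_entry: dict, rule: dict, current_stack: str) -> dict:
    """Return a new lock entry after processing `rule` on `current_stack`.

    Route: if "previous" holds a key equal to the checked-out major.minor, only
    that forked entry's hash and version change; otherwise the top-level entry
    (newest stack) does. Unchanged rule content never bumps a version."""
    entry = copy.deepcopy(lock_entry)
    major, minor = parse_version(current_stack)[:2]
    key = f"{major}.{minor}"
    target = entry["previous"][key] if key in entry.get("previous", {}) else entry
    new_hash = rule_hash(rule)
    if target["sha256"] != new_hash:
        target["sha256"] = new_hash
        target["version"] += 1
    return entry


if __name__ == "__main__":
    for stack in ("8.3", "8.2"):
        result = update_lock_entry(SAMPLE_LOCK_ENTRY, SAMPLE_RULE, stack)
        print(stack, "top-level version:", result["version"],
              "previous 8.2 version:", result["previous"]["8.2"]["version"])
```

Running the block on the sample entry with 8.3 checked out bumps only the top-level version (11 to 12) and leaves the 8.2 fork at 8, which matches the behaviour observed in the thread; with 8.2 checked out it bumps the 8.2 fork instead, which is the routing the comment asks for. Running it a second time with the same rule content changes nothing.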

@terrancedejesus (Contributor Author)

Closing this PR as a solution is being developed in #2259



Development

Successfully merging this pull request may close these issues.

[Bug] Pre-Built Detection Rules Package Versioning

3 participants