
macOS new ruleset #16078

Merged
merged 36 commits into from
Apr 27, 2023

Conversation

72nomada
Contributor

@72nomada 72nomada commented Feb 2, 2023

Related issue
#15567

Ruleset

Checks

Syntax

  • 1.a Rule tags order must be compliant.
  • 1.b Decoder tags order must be compliant.
  • 1.c XML blocks must be as compact as possible.
  • 1.d Only one empty line between rule/decoder and the next rule/decoder.
  • 1.e Decoder extracted field names must use '_' where a space is needed.
  • 1.f Decoder name must use '-' where a space is needed.
  • 2.d XML and ini files must use correct indentation.

Grammar

  • 2.a Grammar quality.
  • 2.b Similar phrases must keep tenses and expressions.
  • 2.c Grammar basic rules like capitalization, punctuation marks, sentence construction, and others.

Semantic

  • 3.a A new decoder, rule, or test is written in the correct file and grouped correctly inside the file.
  • 3.b Group similar rules under the same ID group.
  • 3.c:
    • 3.c1 Find and reuse a group name before creating a new one.
    • 3.c2 Include a new group definition in a PR comment.
    • 3.c3 Any group name must use '_' where it needs a space character.
    • 3.c4 The groups inside a tag must be sorted in alphabetical order.
  • 3.d Rule level should be compliant with the documentation.

Unit testing

  • 4.a A metadata block at the beginning of the .ini file describing software, version, and logs source.
  • 4.b Each new rule must have at least one test entry in the correct .ini file.
  • 4.c Runtest.py must pass and must include the results in raw format here.

Unit Tests

Individual Tests

  • 4.d New CDB lists must include the proper test entry in the correct .ini file.

E2E testing

  • 5.a Logs for new or modified decoder/rules sent to a manager running with this PR ruleset appear in Kibana.
  • 5.b There are no affected or broken visualizations on Kibana.
  • 5.c New or modified items can be seen correctly using APP ruleset navigation.

Elasticsearch Template

  • 6.a Known fields with output format managed and usually used for searching are included in template array index.query.default_field.
  • 6.b The new field with the correct date format is stored as a "date" type field in the template.
  • 6.c The new extracted IP fields are in the pipeline as "geo" field and "geo_point" type in the template.
  • 6.d Known fields with output format managed and usually used for searching are included in the template.

Stoppers

  • 7.a No previous rule ID changes without triple check.
  • 7.b No previous decoder name changes without triple check.
  • 7.c No previous file name changes without triple check.
  • 7.d No previous test changes its 'rule' field value without triple check.

Others

  • 8.a Each file has the correct copyright block.
  • 8.b The copyright block doesn't have "Author", only "Created by Wazuh". To include an "Author", request a triple check.
  • 8.c The copyright block doesn't use "-".
  • 8.d The rule files don't have any sample log.
  • 8.e The decoder file has sample logs next to the decoder that matches that log.
  • 8.f The decoder and rule files have information about software, version, and any helpful information.
  • 8.g The PR has a single commit with CHANGELOG changes in the correct format.
  • 8.h The new rule ID is not in use.
  • 8.i The new rule ID must be in the defined IDs range.
  • 8.j New rules ID range must be verified with a triple check and noted in the rules ID document.
  • 8.k The new extracted IP fields are in the pipeline as "geo" field and "geo_point" type in the template.
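
Several of the checklist items above are mechanical enough to verify before asking for a review. The following is an added example, not part of this PR or of the Wazuh project's own tooling: a small Python linter that checks a rules file against 1.d (at most one empty line between blocks), 3.c3 (group names use '_' instead of spaces), 3.c4 (groups sorted alphabetically), 8.h (rule ID not already in use) and 8.i (rule ID inside the assigned range). The sample XML, its rule IDs and the ID range 900100-900199 are constructed for illustration; the real range for a new ruleset comes from the rules ID document that item 8.j refers to, and `existing_ids` would be filled from the IDs already present in the repository.

```python
"""Checker for some mechanical items of the ruleset review checklist:
1.d (one empty line between blocks), 3.c3 (group names use '_'),
3.c4 (groups sorted alphabetically), 8.h (rule ID not in use) and
8.i (rule ID inside the assigned range)."""
import xml.etree.ElementTree as ET

# Constructed sample rules file for illustration; not taken from the PR.
# The second <group> block deliberately violates several checks.
SAMPLE_RULES = """\
<group name="macos,sample_group,">
  <rule id="900100" level="3">
    <decoded_as>sample-decoder</decoded_as>
    <description>Sample: first rule.</description>
    <group>authentication_success,</group>
  </rule>

  <rule id="900101" level="5">
    <if_sid>900100</if_sid>
    <description>Sample: second rule.</description>
    <group>syslog,authentication_failed,</group>
  </rule>
</group>


<group name="macos,sample group,">
  <rule id="900101" level="3">
    <description>Reuses an ID already defined above.</description>
  </rule>

  <rule id="999999" level="3">
    <description>ID outside the assigned range.</description>
  </rule>
</group>
"""

# Assumed ID range for the example; the real range comes from the rules ID document.
SAMPLE_ID_RANGE = (900100, 900199)


def _parse(xml_text):
    # A Wazuh rules file holds several top-level <group> elements, so wrap
    # the text in a synthetic root to make it a well-formed XML document.
    return ET.fromstring("<root>" + xml_text + "</root>")


def _split_groups(value):
    # Group lists are comma-separated with a trailing comma ("a,b,").
    return [g.strip() for g in value.split(",") if g.strip()]


def check_blank_lines(xml_text):
    """1.d: never more than one consecutive empty line."""
    findings, run = [], 0
    for lineno, line in enumerate(xml_text.splitlines(), 1):
        if line.strip():
            run = 0
            continue
        run += 1
        if run == 2:  # report once per run of empty lines
            findings.append(("1.d", f"more than one empty line at line {lineno}"))
    return findings


def check_group_names(xml_text):
    """3.c3: group names use '_' instead of spaces; 3.c4: groups are sorted."""
    findings = []
    for elem in _parse(xml_text).iter("group"):
        # A top-level <group name="..."> carries the list as an attribute;
        # a rule's <group> child carries it as element text.
        raw = elem.get("name")
        if raw is None:
            raw = elem.text or ""
        names = _split_groups(raw)
        for name in names:
            if " " in name:
                findings.append(("3.c3", f"group name {name!r} contains a space"))
        if names != sorted(names):
            findings.append(("3.c4", f"groups not in alphabetical order: {names}"))
    return findings


def check_rule_ids(xml_text, id_range, existing_ids=frozenset()):
    """8.h: ID not already in use (in this file or in existing_ids);
    8.i: ID inside the assigned range."""
    low, high = id_range
    seen = set(existing_ids)
    findings = []
    for rule in _parse(xml_text).iter("rule"):
        rid = int(rule.get("id"))
        if rid in seen:
            findings.append(("8.h", f"rule id {rid} is already in use"))
        seen.add(rid)
        if not low <= rid <= high:
            findings.append(("8.i", f"rule id {rid} is outside {low}-{high}"))
    return findings


def lint_rules(xml_text, id_range, existing_ids=frozenset()):
    """Run all checks and return a list of (check_id, message) tuples."""
    return (check_blank_lines(xml_text)
            + check_group_names(xml_text)
            + check_rule_ids(xml_text, id_range, existing_ids))


if __name__ == "__main__":
    for check, message in lint_rules(SAMPLE_RULES, SAMPLE_ID_RANGE):
        print(f"[{check}] {message}")
```

Run against the constructed sample the script reports five findings: the double empty line between the two group blocks, the unsorted `syslog,authentication_failed,` list, the space in `sample group`, the reused ID 900101 and the out-of-range ID 999999. The checks that need human judgment (tag order, grammar, rule levels, Kibana visualizations) are deliberately left to the reviewer.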

@72nomada 72nomada mentioned this pull request Feb 2, 2023
@72nomada 72nomada removed the request for review from fabamatic April 13, 2023 04:47
@72nomada 72nomada marked this pull request as draft April 13, 2023 15:28
@72nomada 72nomada linked an issue Apr 13, 2023 that may be closed by this pull request
@72nomada 72nomada marked this pull request as ready for review April 17, 2023 14:00
@teddytpc1
Member

This PR should be merged simultaneously with #5028.

@72nomada 72nomada force-pushed the macOS-new-ruleset branch 2 times, most recently from 257fed9 to f0f41c1 Compare April 20, 2023 09:24
@72nomada 72nomada marked this pull request as draft April 21, 2023 07:47
@72nomada 72nomada marked this pull request as ready for review April 21, 2023 10:57
@72nomada 72nomada marked this pull request as draft April 21, 2023 10:58
@72nomada 72nomada marked this pull request as ready for review April 22, 2023 09:18
Member

@juliamagan juliamagan left a comment


QA review

@72nomada 72nomada merged commit 9cc4e85 into 4.4 Apr 27, 2023
34 checks passed
@72nomada 72nomada deleted the macOS-new-ruleset branch April 27, 2023 15:31
Development

Successfully merging this pull request may close these issues.

New decoders and rules for macOS 13 Ventura and older
4 participants