[FR] Add Integration Schema Query Validation #2470

Merged
merged 53 commits into from
Feb 2, 2023

Conversation

Mikaayenson
Contributor

@Mikaayenson Mikaayenson commented Jan 15, 2023

Issues

#1994

Summary


  • Adds a new method find_latest_compatible_version that scans all integration versions to determine the compatibility window to validate the rule with the integrations.
  • Adds a CLI command to show-latest-compatible that prints the latest compatible integration version given a package and stack version.
  • Fixes a bug in the build_integration_manifests method that was introduced when the integration field schema changed to support lists.
  • Updates the IntegrationManifestSchema schema to include the download field that is used to pull the schemas.
  • Adds logic to download the flattened schemas from EPR based on the compatible integration window and save to disk based on new integration versions added to the integration manifest.
  • Adds logic to validate the query against the schemas.
  • Updated the test_integration_tag unit test to catch integrations that are missing based on rule index.
  • TODO: Prior to merge

Testing

  • Run view-rule on several different integrations and try with multiple min_stack versions.
    • E.g. python -m detection_rules view-rule rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
    • E.g. python -m detection_rules view-rule rules/integrations/aws/collection_cloudtrail_logging_created.toml
    • E.g. python -m detection_rules view-rule rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
    • E.g. python -m detection_rules view-rule rules/apm/apm_403_response_to_a_post.toml
  • Run show-latest-compatible to verify command shows latest compatible version.
    • E.g. python -m detection_rules dev integrations show-latest-compatible -p apm -s 8.2.0
  • Run the build-schemas and build-manifest commands to test rebuilding the schemas and manifest
    • E.g. python -m detection_rules dev integrations build-schemas -o
    • E.g. python -m detection_rules dev integrations build-manifests -o
  • Run make test to ensure all unit tests pass.
(detection_dev) ➜  detection-rules git:(1994-add-integration-specific-query-validation) ✗  cd /Users/stryker/workspace/ElasticGitHub/detection-rules ; /usr/bin/env /Users/stryker/.virtualenvs/detection_dev/bin/python /Users/stryker/.vscode/extensions/ms-python.python-2022.20.2/pythonFiles/lib/python/debugpy/adapter/../../debugpy/launcher 62449 -- -m detection_rules view-rule /Users/stryker/workspace/ElasticGitHub/detection-rules/rules/apm/apm_403_response_to_a_post.toml --api-format
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.5.2' package='apm' integration=None package_version='8.0.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.5.2' package='apm' integration=None package_version='8.0.0-rc1'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.5.2' package='apm' integration=None package_version='8.1.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.5.2' package='apm' integration=None package_version='8.1.2'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.5.2' package='apm' integration=None package_version='8.2.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.5.2' package='apm' integration=None package_version='8.3.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.5.2' package='apm' integration=None package_version='8.3.3'
Integration apm-None version 8.4.0 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration apm-None version 8.4.2 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration apm-None version 8.5.0-preview-1659529701 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1659932434 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1659933740 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1660193585 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1661950351 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662468239 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662716186 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662730440 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662977937 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1663129460 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1663692203 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.6.0-preview-1663775281 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664245434 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664357594 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664419843 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664458996 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1666156067 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1666681391 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1666941604 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1667290680 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1667541744 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1667931268 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1668515315 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1668602604 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1670294014 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1672305902 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.1-preview-1673359535 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.7.0-preview-1668610056 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1668822144 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1669282000 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1669303673 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1670292270 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1670486478 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1670947109 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1671181805 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1671493034 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1671792910 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672145489 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672207595 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672220075 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672300413 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672635521 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672828042 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672912576 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1673310975 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1673519880 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.4.0' package='apm' integration=None package_version='8.0.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.4.0' package='apm' integration=None package_version='8.0.0-rc1'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.4.0' package='apm' integration=None package_version='8.1.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.4.0' package='apm' integration=None package_version='8.1.2'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.4.0' package='apm' integration=None package_version='8.2.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.4.0' package='apm' integration=None package_version='8.3.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.4.0' package='apm' integration=None package_version='8.3.3'
Integration apm-None version 8.4.0 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration apm-None version 8.4.2 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration apm-None version 8.5.0-preview-1659529701 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1659932434 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1659933740 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1660193585 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1661950351 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662468239 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662716186 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662730440 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662977937 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1663129460 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1663692203 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.6.0-preview-1663775281 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664245434 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664357594 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664419843 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664458996 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1666156067 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1666681391 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1666941604 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1667290680 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1667541744 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1667931268 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1668515315 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1668602604 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1670294014 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1672305902 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.1-preview-1673359535 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.7.0-preview-1668610056 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1668822144 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1669282000 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1669303673 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1670292270 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1670486478 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1670947109 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1671181805 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1671493034 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1671792910 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672145489 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672207595 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672220075 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672300413 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672635521 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672828042 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672912576 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1673310975 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1673519880 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.3.1' package='apm' integration=None package_version='8.0.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.3.1' package='apm' integration=None package_version='8.0.0-rc1'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.3.1' package='apm' integration=None package_version='8.1.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.3.1' package='apm' integration=None package_version='8.1.2'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.3.1' package='apm' integration=None package_version='8.2.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.3.1' package='apm' integration=None package_version='8.3.0'
Validating query of 'Web Application Suspicious Activity: POST Request Declined' against fields for ecs_version='8.3.1' package='apm' integration=None package_version='8.3.3'
Integration apm-None version 8.4.0 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration apm-None version 8.4.2 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration apm-None version 8.5.0-preview-1659529701 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1659932434 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1659933740 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1660193585 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1661950351 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662468239 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662716186 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662730440 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1662977937 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1663129460 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.5.0-preview-1663692203 has a higher stack version requirement. Consider updating min_stack version to 8.5.0 to support this version.
Integration apm-None version 8.6.0-preview-1663775281 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664245434 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664357594 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664419843 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1664458996 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1666156067 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1666681391 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1666941604 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1667290680 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1667541744 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1667931268 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1668515315 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1668602604 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1670294014 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.0-preview-1672305902 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.6.1-preview-1673359535 has a higher stack version requirement. Consider updating min_stack version to 8.6.0 to support this version.
Integration apm-None version 8.7.0-preview-1668610056 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1668822144 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1669282000 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1669303673 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1670292270 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1670486478 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1670947109 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1671181805 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1671493034 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1671792910 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672145489 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672207595 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672220075 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672300413 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672635521 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672828042 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1672912576 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1673310975 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
Integration apm-None version 8.7.0-preview-1673519880 has a higher stack version requirement. Consider updating min_stack version to 8.7.0 to support this version.
{
  "author": [
    "Elastic"
  ],
  "description": "A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed.",
  "false_positives": [
    "Security scans and tests may result in these errors. Misconfigured or buggy applications may produce large numbers of these errors. If the source is unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity."
  ],
  "index": [
    "apm-*-transaction*",
    "traces-apm*"
  ],
  "language": "kuery",
  "license": "Elastic License v2",
  "name": "Web Application Suspicious Activity: POST Request Declined",
  "query": "http.response.status_code:403 and http.request.method:post\n",
  "references": [
    "https://en.wikipedia.org/wiki/HTTP_403"
  ],
  "related_integrations": [
    {
      "package": "apm",
      "version": "^8.0.0"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "http.request.method",
      "type": "keyword"
    },
    {
      "ecs": true,
      "name": "http.response.status_code",
      "type": "long"
    }
  ],
  "risk_score": 47,
  "rule_id": "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e",
  "severity": "medium",
  "tags": [
    "Elastic",
    "APM"
  ],
  "timestamp_override": "event.ingested",
  "type": "query",
  "version": 101
}
(detection_dev) ➜  detection-rules git:(1994-add-integration-specific-query-validation) ✗  cd /Users/stryker/workspace/ElasticGitHub/detection-rules ; /usr/bin/env /Users/stryker/.virtualenvs/detection_dev/bin/python /Users/stryker/.vscode/extensions/ms-python.python-2022.20.2/pythonFiles/lib/python/debugpy/adapter/../../debugpy/launcher 62463 -- -m detection_rules view-rule /Users/stryker/workspace/ElasticGitHub/detection-rules/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml --api-format
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='0.12.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.0.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.0.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.6'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.7'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.8'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.10'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.2.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.2.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.2.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.4'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.5'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='0.12.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.0.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.0.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.6'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.7'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.8'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.10'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.2.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.2.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.2.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.4'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.5'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.3.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.6.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.7.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.7.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.8.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.8.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.8.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.9.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.9.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.9.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='0.12.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.0.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.0.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.6'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.7'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.8'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.10'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.2.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.2.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.2.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.4'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.5'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='0.12.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.0.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.0.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.6'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.7'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.8'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.10'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.2.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.2.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.2.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.4'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.5'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.3.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.6.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.7.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.7.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.8.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.8.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.8.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.9.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.9.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.9.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='0.12.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.0.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.0.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.6'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.7'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.8'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.1.10'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.2.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.2.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.2.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.4'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='activitylogs' package_version='1.5.5'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='0.12.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.0.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.0.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.6'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.7'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.8'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.1.10'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.2.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.2.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.2.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.4'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='azure' integration='auditlogs' package_version='1.5.5'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.3.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.4.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.6.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.7.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.7.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.8.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.8.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.8.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.9.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.9.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.5.2' package='o365' integration='audit' package_version='1.9.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='0.12.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.0.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.0.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.1.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.1.6'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.1.7'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.1.8'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.1.10'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.2.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.2.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.2.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.5.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.5.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.5.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.5.4'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='activitylogs' package_version='1.5.5'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='0.12.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.0.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.0.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.1.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.1.6'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.1.7'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.1.8'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.1.10'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.2.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.2.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.2.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.5.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.5.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.5.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.5.4'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='azure' integration='auditlogs' package_version='1.5.5'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.3.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.4.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.4.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.6.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.7.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.7.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.8.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.8.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.8.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.9.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.9.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.4.0' package='o365' integration='audit' package_version='1.9.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='0.12.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.0.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.0.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.1.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.1.6'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.1.7'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.1.8'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.1.10'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.2.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.2.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.2.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.5.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.5.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.5.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.5.4'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='activitylogs' package_version='1.5.5'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='0.12.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.0.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.0.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.1.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.1.6'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.1.7'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.1.8'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.1.10'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.2.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.2.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.2.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.5.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.5.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.5.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.5.4'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='azure' integration='auditlogs' package_version='1.5.5'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.3.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.3.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.4.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.4.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.4.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.4.3'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.5.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.6.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.7.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.7.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.8.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.8.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.8.2'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.9.0'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.9.1'
Validating query of 'Possible Consent Grant Attack via Azure-Registered Application' against fields for ecs_version='8.3.1' package='o365' integration='audit' package_version='1.9.2'
{
  "author": [
    "Elastic"
  ],
  "description": "Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide permissions to an application. An adversary may create an Azure-registered application that requests access to data such as contact information, email, or documents.",
  "from": "now-25m",
  "index": [
    "filebeat-*",
    "logs-azure*"
  ],
  "language": "kuery",
  "license": "Elastic License v2",
  "name": "Possible Consent Grant Attack via Azure-Registered Application",
  "note": "## Triage and analysis\n\n### Investigating Possible Consent Grant Attack via Azure-Registered Application\n\nIn an illicit consent grant attack, the attacker creates an Azure-registered application that requests access to data such as contact information, email, or documents. The attacker then tricks an end user into granting that application consent to access their data either through a phishing attack, or by injecting illicit code into a trusted website. After the illicit application has been granted consent, it has account-level access to data without the need for an organizational account. Normal remediation steps like resetting passwords for breached accounts or requiring multi-factor authentication (MFA) on accounts are not effective against this type of attack, since these are third-party applications and are external to the organization.\n\nOfficial Microsoft guidance for detecting and remediating this attack can be found [here](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants).\n\n#### Possible investigation steps\n\n- From the Azure AD portal, Review the application that was granted permissions:\n  - Click on the `Review permissions` button on the `Permissions` blade of the application.\n  - An app should require only permissions related to the app's purpose. If that's not the case, the app might be risky.\n  - Apps that require high privileges or admin consent are more likely to be risky.\n- Investigate the app and the publisher. The following characteristics can indicate suspicious apps:\n  -  A low number of downloads.\n  -  Low rating or score or bad comments.\n  -  Apps with a suspicious publisher or website.\n  -  Apps whose last update is not recent. 
This might indicate an app that is no longer supported.\n- Export and examine the [Oauth app auditing](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#oauth-app-auditing) to identify users affected.\n\n### False positive analysis\n\n- This mechanism can be used legitimately. Malicious applications abuse the same workflow used by legitimate apps. Thus, analysts must review each app consent to ensure that only desired apps are granted access.\n\n### Response and remediation\n\n- Initiate the incident response process based on the outcome of the triage.\n- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:\n    - Identify the account role in the cloud environment.\n    - Assess the criticality of affected services and servers.\n    - Work with your IT team to identify and minimize the impact on users.\n    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.\n    - Identify any regulatory or legal ramifications related to this activity.\n- Disable the malicious application to stop user access and the application access to your data.\n- Revoke the application Oauth consent grant. The `Remove-AzureADOAuth2PermissionGrant` cmdlet can be used to complete this task.\n- Remove the service principal application role assignment. The `Remove-AzureADServiceAppRoleAssignment` cmdlet can be used to complete this task.\n- Revoke the refresh token for all users assigned to the application. Azure provides a [playbook](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Revoke-AADSignInSessions) for this task.\n- [Report](https://docs.microsoft.com/en-us/defender-cloud-apps/manage-app-permissions#send-feedback) the application as malicious to Microsoft.\n- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. 
Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.\n- Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.\n- Disable the permission for a user to set consent permission on their behalf.\n  - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.\n- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).",
  "query": "event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and\n  (\n    azure.activitylogs.operation_name:\"Consent to application\" or\n    azure.auditlogs.operation_name:\"Consent to application\" or\n    o365.audit.Operation:\"Consent to application.\"\n  ) and\n  event.outcome:(Success or success)\n",
  "references": [
    "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide",
    "https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/",
    "https://docs.microsoft.com/en-us/defender-cloud-apps/investigate-risky-oauth#how-to-detect-risky-oauth-apps"
  ],
  "related_integrations": [
    {
      "integration": "activitylogs",
      "package": "azure",
      "version": "^1.0.0"
    },
    {
      "package": "azure",
      "version": "^1.0.0"
    },
    {
      "package": "o365",
      "version": "^1.3.0"
    }
  ],
  "required_fields": [
    {
      "ecs": false,
      "name": "azure.activitylogs.operation_name",
      "type": "keyword"
    },
    {
      "ecs": false,
      "name": "azure.auditlogs.operation_name",
      "type": "keyword"
    },
    {
      "ecs": true,
      "name": "event.dataset",
      "type": "keyword"
    },
    {
      "ecs": true,
      "name": "event.outcome",
      "type": "keyword"
    },
    {
      "ecs": false,
      "name": "o365.audit.Operation",
      "type": "keyword"
    }
  ],
  "risk_score": 47,
  "rule_id": "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38",
  "setup": "The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
  "severity": "medium",
  "tags": [
    "Elastic",
    "Cloud",
    "Azure",
    "Continuous Monitoring",
    "SecOps",
    "Identity and Access",
    "Investigation Guide"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0001",
        "name": "Initial Access",
        "reference": "https://attack.mitre.org/tactics/TA0001/"
      },
      "technique": [
        {
          "id": "T1566",
          "name": "Phishing",
          "reference": "https://attack.mitre.org/techniques/T1566/",
          "subtechnique": [
            {
              "id": "T1566.002",
              "name": "Spearphishing Link",
              "reference": "https://attack.mitre.org/techniques/T1566/002/"
            }
          ]
        }
      ]
    },
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0006",
        "name": "Credential Access",
        "reference": "https://attack.mitre.org/tactics/TA0006/"
      },
      "technique": [
        {
          "id": "T1528",
          "name": "Steal Application Access Token",
          "reference": "https://attack.mitre.org/techniques/T1528/"
        }
      ]
    }
  ],
  "timestamp_override": "event.ingested",
  "type": "query",
  "version": 104
}
(detection_dev) ➜  detection-rules git:(1994-add-integration-specific-query-validation) ✗ 
(detection_dev) ➜  detection-rules git:(1994-add-integration-specific-query-validation) ✗  cd /Users/stryker/workspace/ElasticGitHub/detection-rules ; /usr/bin/env /Users/stryker/.virtualenvs/detection_dev/bin/python /Users/stryker/.vscode/extensions/ms-python.python-2022.20.2/pythonFiles/lib/python/debugpy/adapter/../../debugpy/launcher 50210 -- -m detection_rules view-rule /Users/stryker/workspace/ElasticGitHub/detection-rules/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml --api-format
Loaded config file: /Users/stryker/workspace/ElasticGitHub/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

validating query against integration fields
validating query against integration fields for admin ^1.2.0
validating query against integration fields for admin ^1.2.2
validating query against integration fields for admin ^1.3.0
validating query against integration fields for admin ^1.3.1
validating query against integration fields for admin ^1.3.2
validating query against integration fields for admin ^1.3.3
validating query against integration fields for admin ^1.4.0
Integration google_workspace-admin version 1.5.0 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 1.5.1 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 1.6.0 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 1.6.1 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 1.7.0 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 1.7.1 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 1.7.2 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 1.7.3 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 1.7.4 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 1.8.0 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 1.9.0 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 2.0.0 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
Integration google_workspace-admin version 2.1.0 has a higher stack version requirement. Consider updating min_stack version to 8.4.0 to support this version.
{
  "author": [
    "Elastic"
  ],
  "description": "Drive and Docs is a Google Workspace service that allows users to leverage Google Drive and Google Docs. Access to files is based on inherited permissions from the child organizational unit the user belongs to which is scoped by administrators. Typically if a user is removed, their files can be transferred to another user by the administrator. This service can also be abused by adversaries to transfer files to an adversary account for potential exfiltration.",
  "false_positives": [
    "Administrators may transfer file ownership during employee leave or absence to ensure continued operations by a new or existing employee."
  ],
  "from": "now-130m",
  "index": [
    "filebeat-*",
    "logs-google_workspace*"
  ],
  "interval": "10m",
  "language": "kuery",
  "license": "Elastic License v2",
  "name": "Google Drive Ownership Transferred via Google Workspace",
  "note": "### Important Information Regarding Google Workspace Event Lag Times\n- As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs.\n- This rule is configured to run every 10 minutes with a lookback time of 130 minutes.\n- To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events.\n- By default, `var.interval` is set to 2 hours (2h). Consider changing this interval to a lower value, such as 10 minutes (10m).\n- See the following references for further information:\n  - https://support.google.com/a/answer/7061566\n  - https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-google_workspace.html",
  "query": "event.dataset:\"google_workspace.admin\" and event.action:\"CREATE_DATA_TRANSFER_REQUEST\"\n  and event.category:\"iam\" and google_workspace.admin.application.name:Drive*\n",
  "references": [
    "https://support.google.com/a/answer/1247799?hl=en"
  ],
  "related_integrations": [
    {
      "package": "google_workspace",
      "version": "^2.0.0"
    }
  ],
  "required_fields": [
    {
      "ecs": true,
      "name": "event.action",
      "type": "keyword"
    },
    {
      "ecs": true,
      "name": "event.category",
      "type": "keyword"
    },
    {
      "ecs": true,
      "name": "event.dataset",
      "type": "keyword"
    },
    {
      "ecs": false,
      "name": "google_workspace.admin.application.name",
      "type": "keyword"
    }
  ],
  "risk_score": 47,
  "rule_id": "07b5f85a-240f-11ed-b3d9-f661ea17fbce",
  "setup": "The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.",
  "severity": "medium",
  "tags": [
    "Elastic",
    "Cloud",
    "Google Workspace",
    "Continuous Monitoring",
    "SecOps",
    "Collection"
  ],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0009",
        "name": "Collection",
        "reference": "https://attack.mitre.org/tactics/TA0009/"
      },
      "technique": [
        {
          "id": "T1074",
          "name": "Data Staged",
          "reference": "https://attack.mitre.org/techniques/T1074/",
          "subtechnique": [
            {
              "id": "T1074.002",
              "name": "Remote Data Staging",
              "reference": "https://attack.mitre.org/techniques/T1074/002/"
            }
          ]
        }
      ]
    }
  ],
  "timestamp_override": "event.ingested",
  "type": "query",
  "version": 104
}
(detection_dev) ➜  detection-rules git

@Mikaayenson Mikaayenson added python Internal python for the repository schema v8.7.0 labels Jan 15, 2023
@Mikaayenson Mikaayenson self-assigned this Jan 15, 2023
@Mikaayenson Mikaayenson linked an issue Jan 15, 2023 that may be closed by this pull request
@Mikaayenson
Contributor Author

Mikaayenson commented Jan 17, 2023

Update Jan 17 2023

Based on some preliminary testing, some rules will have to be tuned.

  • For example, the rule discovery_suspicious_self_subject_review.toml has a min_stack of 8.4.0. The query specifies event.dataset : "kubernetes.audit_logs" but the 1.4.1 k8s integration which supports ^8.0.0 doesn't have a dataset of audit_logs. This means that a user could have the 1.4.1 integration installed and be compatible with the 8.4.0 stack, but our rule is not compatible.

    • Screenshot 2023-01-16 at 10 49 40 PM
    • Screenshot 2023-01-16 at 10 48 40 PM
  • Another example is the rule initial_access_consent_grant_attack_via_azure_registered_application.toml, which has a min_stack of 8.3.0. The query has azure.auditlogs.operation_name:"Consent to application" but the package integration combination cannot find that field: package='azure', integration='activitylogs', package_version='0.12.0', stack_version='8.7.0', ecs_version='8.5.2'. The 0.12.0 integration compatibility supports stacks above 8.0.0.

  • A last example is the credential_access_ldap_attributes.toml rule that has a Windows integration but winlog beats fields. With the package integration combination stack: 8.7.0, integration: None, ecs: 8.5.2, package: windows, package_version: 1.5.0, it can't find the field winlog.event_data.Properties. Note: There are other winlog.event_data fields available in the schema, just not Properties.

    • Screenshot 2023-01-17 at 8 56 40 AM
There are some other ones, but before rules are tuned, I want to locally go through more rules that fail.

Note: You'll need to uncomment the lines to validate if you want to see the errors.
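The compatibility window and per-version field check this comment describes, as an added Python example (not the detection-rules project's own code): releases outside the rule's min_stack are reported the way the CLI output above does, a field absent from one compatible version is a warning, and a field absent from the union of all compatible schemas is an error. The package name, versions, min_stack values and field names are all constructed for the example.

```python
"""Added example, not code from the detection-rules project: a minimal model of the
integration compatibility window and field validation described in this PR.
Every package name, version, field and min_stack value below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'^1.2.0' or '8.4.0' -> (1, 2, 0); tuples compare lexicographically."""
    return tuple(int(part) for part in text.lstrip("^").split("."))


def satisfies_caret(version: Version, constraint: str) -> bool:
    """Caret range as used in related_integrations: ^1.2.0 means >=1.2.0,<2.0.0."""
    base = parse_version(constraint)
    return version >= base and version[0] == base[0]


@dataclass
class IntegrationRelease:
    version: str
    min_stack: str           # lowest stack version this package version supports
    fields: Dict[str, str]   # flattened schema: field name -> type


@dataclass
class RuleSpec:
    name: str
    min_stack: str
    constraint: str          # "version" of the related_integrations entry
    required_fields: List[str]


@dataclass
class ValidationResult:
    checked: List[str] = field(default_factory=list)             # versions validated
    too_new: Dict[str, str] = field(default_factory=dict)        # version -> stack it needs
    warnings: Dict[str, List[str]] = field(default_factory=dict)  # version -> absent fields
    errors: List[str] = field(default_factory=list)              # absent from every version


def find_compatible_window(releases, rule):
    """Releases inside the caret constraint, split by whether the rule's min_stack
    satisfies the package's own stack requirement."""
    rule_stack = parse_version(rule.min_stack)
    compatible, too_new = [], []
    for rel in releases:
        if not satisfies_caret(parse_version(rel.version), rule.constraint):
            continue  # outside related_integrations entirely, never checked
        (compatible if parse_version(rel.min_stack) <= rule_stack else too_new).append(rel)
    return compatible, too_new


def validate_rule(rule, releases):
    """Per-version check first (warn), then the union of compatible schemas (error)."""
    compatible, too_new = find_compatible_window(releases, rule)
    result = ValidationResult(too_new={r.version: r.min_stack for r in too_new})
    combined = set()
    for rel in compatible:
        result.checked.append(rel.version)
        combined.update(rel.fields)
        absent = [f for f in rule.required_fields if f not in rel.fields]
        if absent:
            result.warnings[rel.version] = absent
    result.errors = [f for f in rule.required_fields if f not in combined]
    return result


def render(rule, result, package):
    """Messages in the shape of the view-rule output shown above."""
    lines = [f"validating query against integration fields for {package} ^{v}"
             for v in result.checked]
    for version, absent in result.warnings.items():
        lines.append(f"warning: {package} {version} has no field(s): {', '.join(absent)}")
    for version, stack in result.too_new.items():
        lines.append(f"Integration {package} version {version} has a higher stack version "
                     f"requirement. Consider updating min_stack version to {stack}.")
    for name in result.errors:
        lines.append(f"error: '{rule.name}' uses {name}, absent from every compatible version")
    return lines


# Constructed manifest: an older release lacks a field the rule needs, a newer one
# requires a stack the rule does not yet declare, and 2.0.0 is outside ^1.2.0.
BASE = {"event.dataset": "keyword", "event.action": "keyword", "event.category": "keyword"}
RELEASES = [
    IntegrationRelease("1.2.0", "8.0.0", BASE),
    IntegrationRelease("1.4.0", "8.0.0", {**BASE, "example.admin.application.name": "keyword"}),
    IntegrationRelease("1.5.0", "8.4.0", {**BASE, "example.admin.application.name": "keyword"}),
    IntegrationRelease("2.0.0", "8.4.0", {**BASE, "example.admin.application.name": "keyword"}),
]
RULE = RuleSpec(
    name="Example Ownership Transfer",
    min_stack="8.3.0",
    constraint="^1.2.0",
    required_fields=["event.dataset", "example.admin.application.name",
                     "example.admin.missing_everywhere"],
)

if __name__ == "__main__":
    for line in render(RULE, validate_rule(RULE, RELEASES), "example-admin"):
        print(line)
```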

@Mikaayenson
Contributor Author

Mikaayenson commented Feb 1, 2023

Update Feb 1

  • Added a diagram to the summary to highlight the major changes
  • Updated the integration tag unit test to check for missing tags or indexes
  • Tuned the rules with missing tags/indexes based on integration information
  • Added logic to check fields not found in a specific integration (warn and then check against the combined integrations)
  • Only announce the notice of latest integrations available once per rule
  • Not planning on holding for 2450 after internal discussions

Contributor

@terrancedejesus terrancedejesus left a comment

LGTM, great work!

Checks:
✅ Reviewed rule updates regarding missing system integration tag.
NON_DATASET_PACKAGES in definitions.py looks good
✅ Reviewed KQLValidator and EQLValidator validation logic that relies on get_packaged_integrations and validate_integration if they apply
✅ Reviewed build_integrations_schema function in integrations.py
✅ Reviewed find_latest_compatible_version function in integrations.py
✅ Reviewed get_integration_schema_data function in integrations.py
✅ Tested show-latest-compatible command for endpoint and stack version 8.5
✅ Unit tests passing

…ub.com:elastic/detection-rules into 1994-add-integration-specific-query-validation
@eric-forte-elastic
Contributor

Stealing from Terrence's checklist above where applicable ^

✅ Reviewed KQLValidator and EQLValidator validation logic that relies on get_packaged_integrations and validate_integration if they apply
✅ Reviewed build_integrations_schemas function in integrations.py
✅ Reviewed get_integration_schema_data function in integrations.py
✅ Reviewed find_latest_compatible_version function in integrations.py
✅ Tested show-latest-compatible command for endpoint and stack version 8.5 and 8.4
✅ Unit tests passing

integrations_schemas = load_integrations_schemas()

# validate the query against related integration fields
if isinstance(data, QueryRuleData) and data.language != 'lucene' and meta.maturity == "production":
Contributor

Nit: Maybe data.language should use data.get()?

Contributor

Then again, this case (where data.language is invalid/not set) might have already been caught in schema validation.

@Mikaayenson Mikaayenson merged commit 1784429 into main Feb 2, 2023
@Mikaayenson Mikaayenson deleted the 1994-add-integration-specific-query-validation branch February 2, 2023 21:22
protectionsmachine pushed a commit that referenced this pull request Feb 2, 2023
Removed changes from:
- rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
- rules/linux/credential_access_bruteforce_password_guessing.toml
- rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
- rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
- rules/windows/collection_email_outlook_mailbox_via_com.toml
- rules/windows/credential_access_bruteforce_admin_account.toml
- rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
- rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
- rules/windows/credential_access_dcsync_replication_rights.toml
- rules/windows/credential_access_disable_kerberos_preauth.toml
- rules/windows/credential_access_ldap_attributes.toml
- rules/windows/credential_access_lsass_memdump_handle_access.toml
- rules/windows/credential_access_remote_sam_secretsdump.toml
- rules/windows/credential_access_saved_creds_vault_winlog.toml
- rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
- rules/windows/credential_access_shadow_credentials.toml
- rules/windows/credential_access_spn_attribute_modified.toml
- rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
- rules/windows/defense_evasion_clearing_windows_security_logs.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/discovery_whoami_command_activity.toml
- rules/windows/lateral_movement_remote_service_installed_winlog.toml
- rules/windows/lateral_movement_remote_task_creation_winlog.toml
- rules/windows/lateral_movement_service_control_spawned_script_int.toml
- rules/windows/persistence_ad_adminsdholder.toml
- rules/windows/persistence_dontexpirepasswd_account.toml
- rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
- rules/windows/persistence_remote_password_reset.toml
- rules/windows/persistence_scheduled_task_creation_winlog.toml
- rules/windows/persistence_scheduled_task_updated.toml
- rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
- rules/windows/persistence_service_windows_service_winlog.toml
- rules/windows/persistence_temp_scheduled_task.toml
- rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
- rules/windows/privilege_escalation_create_process_as_different_user.toml
- rules/windows/privilege_escalation_credroaming_ldap.toml
- rules/windows/privilege_escalation_group_policy_iniscript.toml
- rules/windows/privilege_escalation_group_policy_privileged_groups.toml
- rules/windows/privilege_escalation_group_policy_scheduled_task.toml
- rules/windows/privilege_escalation_krbrelayup_service_creation.toml
- rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
- rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
- rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

(selectively cherry picked from commit 1784429)
protectionsmachine pushed a commit that referenced this pull request Feb 2, 2023
- rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

(selectively cherry picked from commit 1784429)
protectionsmachine pushed a commit that referenced this pull request Feb 2, 2023
Removed changes from:
- rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
- rules/linux/credential_access_bruteforce_password_guessing.toml
- rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
- rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
- rules/windows/collection_email_outlook_mailbox_via_com.toml
- rules/windows/credential_access_bruteforce_admin_account.toml
- rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
- rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
- rules/windows/credential_access_dcsync_replication_rights.toml
- rules/windows/credential_access_disable_kerberos_preauth.toml
- rules/windows/credential_access_ldap_attributes.toml
- rules/windows/credential_access_lsass_memdump_handle_access.toml
- rules/windows/credential_access_remote_sam_secretsdump.toml
- rules/windows/credential_access_saved_creds_vault_winlog.toml
- rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
- rules/windows/credential_access_shadow_credentials.toml
- rules/windows/credential_access_spn_attribute_modified.toml
- rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
- rules/windows/defense_evasion_clearing_windows_security_logs.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/discovery_whoami_command_activity.toml
- rules/windows/lateral_movement_remote_service_installed_winlog.toml
- rules/windows/lateral_movement_remote_task_creation_winlog.toml
- rules/windows/lateral_movement_service_control_spawned_script_int.toml
- rules/windows/persistence_ad_adminsdholder.toml
- rules/windows/persistence_dontexpirepasswd_account.toml
- rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
- rules/windows/persistence_remote_password_reset.toml
- rules/windows/persistence_scheduled_task_creation_winlog.toml
- rules/windows/persistence_scheduled_task_updated.toml
- rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
- rules/windows/persistence_service_windows_service_winlog.toml
- rules/windows/persistence_temp_scheduled_task.toml
- rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
- rules/windows/privilege_escalation_create_process_as_different_user.toml
- rules/windows/privilege_escalation_credroaming_ldap.toml
- rules/windows/privilege_escalation_group_policy_iniscript.toml
- rules/windows/privilege_escalation_group_policy_privileged_groups.toml
- rules/windows/privilege_escalation_group_policy_scheduled_task.toml
- rules/windows/privilege_escalation_krbrelayup_service_creation.toml
- rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
- rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
- rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

(selectively cherry picked from commit 1784429)
protectionsmachine pushed a commit that referenced this pull request Feb 2, 2023
Removed changes from:
- rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
- rules/linux/credential_access_bruteforce_password_guessing.toml
- rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
- rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
- rules/windows/collection_email_outlook_mailbox_via_com.toml
- rules/windows/credential_access_bruteforce_admin_account.toml
- rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
- rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
- rules/windows/credential_access_dcsync_replication_rights.toml
- rules/windows/credential_access_disable_kerberos_preauth.toml
- rules/windows/credential_access_ldap_attributes.toml
- rules/windows/credential_access_lsass_memdump_handle_access.toml
- rules/windows/credential_access_remote_sam_secretsdump.toml
- rules/windows/credential_access_saved_creds_vault_winlog.toml
- rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
- rules/windows/credential_access_shadow_credentials.toml
- rules/windows/credential_access_spn_attribute_modified.toml
- rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
- rules/windows/defense_evasion_clearing_windows_security_logs.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/discovery_whoami_command_activity.toml
- rules/windows/lateral_movement_remote_service_installed_winlog.toml
- rules/windows/lateral_movement_remote_task_creation_winlog.toml
- rules/windows/lateral_movement_service_control_spawned_script_int.toml
- rules/windows/persistence_ad_adminsdholder.toml
- rules/windows/persistence_dontexpirepasswd_account.toml
- rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
- rules/windows/persistence_remote_password_reset.toml
- rules/windows/persistence_scheduled_task_creation_winlog.toml
- rules/windows/persistence_scheduled_task_updated.toml
- rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
- rules/windows/persistence_service_windows_service_winlog.toml
- rules/windows/persistence_temp_scheduled_task.toml
- rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
- rules/windows/privilege_escalation_create_process_as_different_user.toml
- rules/windows/privilege_escalation_credroaming_ldap.toml
- rules/windows/privilege_escalation_group_policy_iniscript.toml
- rules/windows/privilege_escalation_group_policy_privileged_groups.toml
- rules/windows/privilege_escalation_group_policy_scheduled_task.toml
- rules/windows/privilege_escalation_krbrelayup_service_creation.toml
- rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
- rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
- rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

(selectively cherry picked from commit 1784429)
protectionsmachine pushed a commit that referenced this pull request Feb 2, 2023
Removed changes from:
- rules/windows/collection_email_outlook_mailbox_via_com.toml

(selectively cherry picked from commit 1784429)
protectionsmachine pushed a commit that referenced this pull request Feb 2, 2023
protectionsmachine pushed a commit that referenced this pull request Feb 2, 2023
protectionsmachine pushed a commit that referenced this pull request Feb 2, 2023

Successfully merging this pull request may close these issues.

[FR] Add integration-specific query validation