forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
beats.py
288 lines (208 loc) · 10.3 KB
/
beats.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
"""ECS Schemas management."""
import json
import os
import re
from typing import List, Optional
import eql
import requests
from semver import Version
import yaml
import kql
from .utils import (DateTimeEncoder, cached, get_etc_path, gzip_compress,
read_gzip, unzip)
def _decompress_and_save_schema(url, release_name):
print(f"Downloading beats {release_name}")
response = requests.get(url)
print(f"Downloaded {len(response.content) / 1024.0 / 1024.0:.2f} MB release.")
fs = {}
parsed = {}
with unzip(response.content) as archive:
base_directory = archive.namelist()[0]
for name in archive.namelist():
if os.path.basename(name) in ("fields.yml", "fields.common.yml", "config.yml"):
contents = archive.read(name)
# chop off the base directory name
key = name[len(base_directory):]
if key.startswith("x-pack"):
key = key[len("x-pack") + 1:]
try:
decoded = yaml.safe_load(contents)
except yaml.YAMLError:
print(f"Error loading {name}")
# create a hierarchical structure
parsed[key] = decoded
branch = fs
directory, base_name = os.path.split(key)
for limb in directory.split(os.path.sep):
branch = branch.setdefault("folders", {}).setdefault(limb, {})
branch.setdefault("files", {})[base_name] = decoded
# remove all non-beat directories
fs = {k: v for k, v in fs.get("folders", {}).items() if k.endswith("beat")}
print(f"Saving detection_rules/etc/beats_schema/{release_name}.json")
compressed = gzip_compress(json.dumps(fs, sort_keys=True, cls=DateTimeEncoder))
path = get_etc_path("beats_schemas", release_name + ".json.gz")
with open(path, 'wb') as f:
f.write(compressed)
def download_beats_schema(version: str):
"""Download a beats schema by version."""
url = 'https://api.github.com/repos/elastic/beats/releases'
releases = requests.get(url)
version = f'v{version.lstrip("v")}'
beats_release = None
for release in releases.json():
if release['tag_name'] == version:
beats_release = release
break
if not beats_release:
print(f'beats release {version} not found!')
return
beats_url = beats_release['zipball_url']
name = beats_release['tag_name']
_decompress_and_save_schema(beats_url, name)
def download_latest_beats_schema():
"""Download additional schemas from beats releases."""
url = 'https://api.github.com/repos/elastic/beats/releases'
releases = requests.get(url)
latest_release = max(releases.json(), key=lambda release: Version.parse(release["tag_name"].lstrip("v")))
download_beats_schema(latest_release["tag_name"])
def refresh_main_schema():
"""Download and refresh beats schema from main."""
_decompress_and_save_schema('https://github.com/elastic/beats/archive/main.zip', 'main')
def _flatten_schema(schema: list, prefix="") -> list:
if schema is None:
# sometimes we see `fields: null` in the yaml
return []
flattened = []
for s in schema:
if s.get("type") == "group":
nested_prefix = prefix + s["name"] + "."
# beats is complicated. it seems like we would expect a zoom.webhook.*, for the zoom.webhook dataset,
# but instead it's just at zoom.* directly.
#
# we have what looks like zoom.zoom.*, but should actually just be zoom.*.
# this is one quick heuristic to determine if a submodule nests fields at the parent.
# it's probably not perfect, but we can fix other bugs as we run into them later
if len(schema) == 1 and nested_prefix.startswith(prefix + prefix):
nested_prefix = s["name"] + "."
if "field" in s:
# integrations sometimes have a group with a single field
flattened.extend(_flatten_schema(s["field"], prefix=nested_prefix))
continue
elif "fields" not in s:
# integrations sometimes have a group with no fields
continue
flattened.extend(_flatten_schema(s["fields"], prefix=nested_prefix))
elif "fields" in s:
flattened.extend(_flatten_schema(s["fields"], prefix=prefix))
elif "name" in s:
s = s.copy()
# type is implicitly keyword if not defined
# example: https://github.com/elastic/beats/blob/main/packetbeat/_meta/fields.common.yml#L7-L12
s.setdefault("type", "keyword")
s["name"] = prefix + s["name"]
flattened.append(s)
return flattened
def flatten_ecs_schema(schema: dict) -> dict:
return _flatten_schema(schema)
def get_field_schema(base_directory, prefix="", include_common=False):
base_directory = base_directory.get("folders", {}).get("_meta", {}).get("files", {})
flattened = []
file_names = ("fields.yml", "fields.common.yml") if include_common else ("fields.yml", )
for name in file_names:
if name in base_directory:
flattened.extend(_flatten_schema(base_directory[name], prefix=prefix))
return flattened
def get_beat_root_schema(schema: dict, beat: str):
if beat not in schema:
raise KeyError(f"Unknown beats module {beat}")
beat_dir = schema[beat]
flattened = get_field_schema(beat_dir, include_common=True)
return {field["name"]: field for field in sorted(flattened, key=lambda f: f["name"])}
def get_beats_sub_schema(schema: dict, beat: str, module: str, *datasets: str):
if beat not in schema:
raise KeyError(f"Unknown beats module {beat}")
flattened = []
beat_dir = schema[beat]
module_dir = beat_dir.get("folders", {}).get("module", {}).get("folders", {}).get(module, {})
# if we only have a module then we'll work with what we got
if not datasets:
datasets = [d for d in module_dir.get("folders", {}) if not d.startswith("_")]
for dataset in datasets:
# replace aws.s3 -> s3
if dataset.startswith(module + "."):
dataset = dataset[len(module) + 1:]
dataset_dir = module_dir.get("folders", {}).get(dataset, {})
flattened.extend(get_field_schema(dataset_dir, prefix=module + ".", include_common=True))
# we also need to capture (beta?) fields which are directly within the module _meta.files.fields
flattened.extend(get_field_schema(module_dir, include_common=True))
return {field["name"]: field for field in sorted(flattened, key=lambda f: f["name"])}
@cached
def get_versions() -> List[Version]:
versions = []
for filename in os.listdir(get_etc_path("beats_schemas")):
version_match = re.match(r'v(.+)\.json\.gz', filename)
if version_match:
versions.append(Version.parse(version_match.groups()[0]))
return versions
@cached
def get_max_version() -> str:
return str(max(get_versions()))
@cached
def read_beats_schema(version: str = None):
if version and version.lower() == 'main':
return json.loads(read_gzip(get_etc_path('beats_schemas', 'main.json.gz')))
version = Version.parse(version) if version else None
beats_schemas = get_versions()
if version and version not in beats_schemas:
raise ValueError(f'Unknown beats schema: {version}')
version = version or get_max_version()
return json.loads(read_gzip(get_etc_path('beats_schemas', f'v{version}.json.gz')))
def get_schema_from_datasets(beats, modules, datasets, version=None):
filtered = {}
beats_schema = read_beats_schema(version=version)
# infer the module if only a dataset are defined
if not modules:
modules.update(ds.split(".")[0] for ds in datasets if "." in ds)
for beat in beats:
# if no modules are specified then grab them all
# all_modules = list(beats_schema.get(beat, {}).get("folders", {}).get("module", {}).get("folders", {}))
# beat_modules = modules or all_modules
filtered.update(get_beat_root_schema(beats_schema, beat))
for module in modules:
filtered.update(get_beats_sub_schema(beats_schema, beat, module, *datasets))
return filtered
def get_schema_from_eql(tree: eql.ast.BaseNode, beats: list, version: str = None) -> dict:
modules = set()
datasets = set()
# extract out event.module and event.dataset from the query's AST
for node in tree:
if isinstance(node, eql.ast.Comparison) and node.comparator == node.EQ and \
isinstance(node.right, eql.ast.String):
if node.left == eql.ast.Field("event", ["module"]):
modules.add(node.right.render())
elif node.left == eql.ast.Field("event", ["dataset"]):
datasets.add(node.right.render())
elif isinstance(node, eql.ast.InSet):
if node.expression == eql.ast.Field("event", ["module"]):
modules.add(node.get_literals())
elif node.expression == eql.ast.Field("event", ["dataset"]):
datasets.add(node.get_literals())
return get_schema_from_datasets(beats, modules, datasets, version=version)
def get_schema_from_kql(tree: kql.ast.BaseNode, beats: list, version: str = None) -> dict:
modules = set()
datasets = set()
# extract out event.module and event.dataset from the query's AST
for node in tree:
if isinstance(node, kql.ast.FieldComparison) and node.field == kql.ast.Field("event.module"):
modules.update(child.value for child in node.value if isinstance(child, kql.ast.String))
if isinstance(node, kql.ast.FieldComparison) and node.field == kql.ast.Field("event.dataset"):
datasets.update(child.value for child in node.value if isinstance(child, kql.ast.String))
return get_schema_from_datasets(beats, modules, datasets, version=version)
def parse_beats_from_index(index: Optional[list]) -> List[str]:
indexes = index or []
beat_types = [index.split("-")[0] for index in indexes if "beat-*" in index]
return beat_types