Hello everybody,
TL;DR
I am failing here on a seemingly trivial task: creating a rule through the Rule API. So, quick question: can anybody provide an easy example on how to do this?
An example would be sufficient, but if you are interested in how I am currently failing, here are the details:
Being on OpenSearch 2.10, I can’t even create a custom rule using the provided example in the official documentation (Rule APIs - OpenSearch documentation).
Using the example as-is like this in Dev Tools:
POST /_plugins/_security_analytics/rules?category=windows
Header:
Content-Type: application/json
Body:
title: Moriya Rootkit
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report
status: experimental
author: Bhabesh Raj
date: 2021/05/06
modified: 2021/11/30
references:
  - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831
tags:
  - attack.persistence
  - attack.privilege_escalation
  - attack.t1543.003
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ServiceName: ZzNetSvc
  condition: selection
level: critical
falsepositives:
  - Unknown
leads to this error:
{
  "error": {
    "root_cause": [
      {
        "type": "security_analytics_exception",
        "reason": "Cannot invoke \"java.util.Map.containsKey(Object)\" because \"rule\" is null"
      }
    ],
    "type": "security_analytics_exception",
    "reason": "Cannot invoke \"java.util.Map.containsKey(Object)\" because \"rule\" is null",
    "caused_by": {
      "type": "exception",
      "reason": "java.lang.NullPointerException: Cannot invoke \"java.util.Map.containsKey(Object)\" because \"rule\" is null"
    }
  },
  "status": 500
}
Now, there is no JSON wrapping around the Sigma rule, although the header states it is JSON. Since this is not consistent, I tried using the JSON structure from the example responses as follows:
POST /_plugins/_security_analytics/rules?category=windows
{
  "_id": "M1Rm1IMByX0LvTiGvde2",
  "_version": 1,
  "rule": {
    "category": "windows",
    "title": "Moriya Rootkit",
    "log_source": "",
    "description": "Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report",
    "tags": [
      {
        "value": "attack.persistence"
      },
      {
        "value": "attack.privilege_escalation"
      },
      {
        "value": "attack.t1543.003"
      }
    ],
    "references": [
      {
        "value": "https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831"
      }
    ],
    "level": "critical",
    "false_positives": [
      {
        "value": "Unknown"
      }
    ],
    "author": "Bhabesh Raj",
    "status": "experimental",
    "last_update_time": "2021-05-06T00:00:00.000Z",
    "rule": "title: Moriya Rootkit\nid: 25b9c01c-350d-4b95-bed1-836d04a4f324\ndescription: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report\nstatus: experimental\nauthor: Bhabesh Raj\ndate: 2021/05/06\nmodified: 2021/11/30\nreferences:\n  - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831\ntags:\n  - attack.persistence\n  - attack.privilege_escalation\n  - attack.t1543.003\nlogsource:\n  product: windows\n  service: system\ndetection:\n  selection:\n    Provider_Name: 'Service Control Manager'\n    EventID: 7045\n    ServiceName: ZzNetSvc\n  condition: selection\nlevel: critical\nfalsepositives:\n  - Unknown"
  }
}
I still get an error even with a ‘rule’ key being present. This time the error is:
{
  "error": {
    "root_cause": [
      {
        "type": "security_analytics_exception",
        "reason": "Cannot invoke \"Object.toString()\" because the return value of \"java.util.Map.get(Object)\" is null"
      }
    ],
    "type": "security_analytics_exception",
    "reason": "Cannot invoke \"Object.toString()\" because the return value of \"java.util.Map.get(Object)\" is null",
    "caused_by": {
      "type": "exception",
      "reason": "java.lang.NullPointerException: Cannot invoke \"Object.toString()\" because the return value of \"java.util.Map.get(Object)\" is null"
    }
  },
  "status": 500
}
I would appreciate any enlightenment as to this issue.
Thank you,
Andreas
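The request the post is trying to make, written as an added example outside the Dev Tools console (this is not code from the original post or from the OpenSearch project). It assumes that the Security Analytics REST handler reads the raw request body as Sigma YAML, so the rule is sent as text with Content-Type application/x-yaml rather than wrapped in a JSON object, and that OS_URL, OS_USER, OS_PASS and OS_CA are placeholders for a test cluster; the pre-flight check rejects exactly the two shapes that produced the null-pointer errors above (an empty or non-YAML body, and a JSON object whose top level carries no "title").

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from OpenSearch.
# Assumption: the plugin parses the raw request body as Sigma YAML, so the
# rule goes over as text, not inside a JSON object. Cluster values are placeholders.
set -euo pipefail

OS_URL="${OS_URL:-https://localhost:9200}"
OS_AUTH="${OS_USER:-admin}:${OS_PASS:-admin}"
OS_CA="${OS_CA:-root-ca.pem}"   # CA certificate of the test cluster (placeholder)

# Sample input: a shortened copy of the post's Moriya Rootkit rule.
write_sample_rule() {
  cat > "$1" <<'EOF'
title: Moriya Rootkit
id: 25b9c01c-350d-4b95-bed1-836d04a4f324
status: experimental
logsource:
  product: windows
  service: system
detection:
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ServiceName: ZzNetSvc
  condition: selection
level: critical
EOF
}

# Pre-flight check: Sigma needs these keys at the top level, and the body must be
# YAML text rather than a JSON object. The JSON-wrapped attempt in the post fails
# because the parser then finds no top-level "title" (null toString()).
check_sigma_rule() {
  local file="$1" key
  for key in title logsource detection level; do
    grep -Eq "^${key}:" "$file" || { echo "missing top-level key: $key" >&2; return 1; }
  done
  ! head -c1 "$file" | grep -q '{'
}

# POST the raw YAML; ?category selects the log type the rule applies to.
create_rule() {
  local file="$1" category="${2:-windows}"
  check_sigma_rule "$file"
  curl -sS --cacert "$OS_CA" -u "$OS_AUTH" \
    -H 'Content-Type: application/x-yaml' \
    -X POST "$OS_URL/_plugins/_security_analytics/rules?category=$category" \
    --data-binary "@$file"
}
```

Run it as `write_sample_rule rule.yml && create_rule rule.yml windows`; a successful response carries the new rule's `_id`, which is what the example responses in the documentation show.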