cleanup

Author: mhoff

CHANGELOG.md

@@ -4,6 +4,7 @@
 
 ### Features
 * add support for python 3.14
+* allow pre-detector to copy a configurable list of fields from log to detection event
 
 ### Improvements
 * add workflow to partially run & check the compose example
@@ -15,6 +16,7 @@
 * fix docker-compose and k8s example setups
 * fix handling of non-string values (e.g. int) as replacement argument for `generic_resolver`
 * fix documentation for `generic_resolver` rule `append_to_list -> merge_with_target` option
+* fix grokker using a fixed directory for downloaded patterns, potentially leading to conflicts between processes
 
 ## 17.0.3
 ### Breaking

logprep/ng/processor/pre_detector/processor.py

@@ -149,7 +149,7 @@ def _generate_detection_result(
         copy_fields_to_event(
             target_event=detection_result,
             source_event=event,
-            dotted_field_names=rule.copy_fields_to_detector_event,
+            dotted_field_names=rule.copy_fields_to_detection_event,
             rule=rule,
             skip_missing=True,
         )

logprep/processor/pre_detector/processor.py

@@ -160,7 +160,7 @@ def _generate_detection_result(
         copy_fields_to_event(
             target_event=detection_result,
             source_event=event,
-            dotted_field_names=rule.copy_fields_to_detector_event,
+            dotted_field_names=rule.copy_fields_to_detection_event,
             rule=rule,
             skip_missing=True,
         )

logprep/processor/pre_detector/rule.py

@@ -136,11 +136,11 @@
     "target_timezone",
     "timestamp_field",
     "failure_tags",
-    "copy_fields_to_detector_event",
+    "copy_fields_to_detection_event",
 }
 
 
-def _validate_copy_fields_to_detector_event(config: "PreDetectorRule.Config", _, value: set[str]):
+def _validate_copy_fields_to_detection_event(config: "PreDetectorRule.Config", _, value: set[str]):
     field_names_set_by_processor = {"rule_filter", "description", "pre_detection_id"}
 
     rule_config_field_names = set(f.name for f in fields(type(config)))
@@ -150,7 +150,7 @@ def _validate_copy_fields_to_detector_event(config: "PreDetectorRule.Config", _,
 
     if value & illegal_field_names:
         raise ValueError(
-            f"Illegal fields specified for `copy_fields_to_detector_event`. "
+            f"Illegal fields specified for `copy_fields_to_detection_event`. "
             f"Fields ({', '.join(value & illegal_field_names)}) are not allowed. "
         )
 
@@ -206,15 +206,15 @@ class Config(Rule.Config):  # pylint: disable=too-many-instance-attributes
             validator=validators.instance_of(list), default=["pre_detector_failure"]
         )
         """ tags to be added if processing of the rule fails"""
-        copy_fields_to_detector_event: set[str] = field(
+        copy_fields_to_detection_event: set[str] = field(
             validator=[
                 validators.deep_iterable(
                     member_validator=validators.instance_of(str),
                     iterable_validator=validators.or_(
                         validators.instance_of(set), validators.instance_of(list)
                     ),
                 ),
-                _validate_copy_fields_to_detector_event,
+                _validate_copy_fields_to_detection_event,
             ],
             converter=set,
             default={"host.name"},
@@ -274,7 +274,7 @@ def timestamp_field(self) -> str:
         return self.config.timestamp_field
 
     @property
-    def copy_fields_to_detector_event(self) -> set[str]:
-        return self.config.copy_fields_to_detector_event
+    def copy_fields_to_detection_event(self) -> set[str]:
+        return self.config.copy_fields_to_detection_event
 
     # pylint: enable=C0111

tests/unit/processor/pre_detector/test_pre_detector.py

@@ -501,7 +501,7 @@ def test_perform_successful_pre_detection_with_custom_field_copied(self):
                     "severity": "critical",
                     "mitre": ["attack.test1", "attack.test2"],
                     "case_condition": "directly",
-                    "copy_fields_to_detector_event": {"custom", "winlog.custom"},
+                    "copy_fields_to_detection_event": {"custom", "winlog.custom"},
                 },
                 "description": "Test rule one",
             }
@@ -547,7 +547,7 @@ def test_perform_successful_pre_detection_with_nothing_extra_copied(self):
                     "severity": "critical",
                     "mitre": ["attack.test1", "attack.test2"],
                     "case_condition": "directly",
-                    "copy_fields_to_detector_event": set(),
+                    "copy_fields_to_detection_event": set(),
                 },
                 "description": "Test rule one",
             }
@@ -581,7 +581,7 @@ def test_perform_successful_pre_detection_with_nothing_extra_copied(self):
             document, expected, detection_results.data, expected_detection_results
         )
 
-    def test_copy_fields_to_detector_event_validation_supports_lists(self):
+    def test_copy_fields_to_detection_event_validation_supports_lists(self):
         self._load_rule(
             {
                 "filter": "*",
@@ -591,13 +591,13 @@ def test_copy_fields_to_detector_event_validation_supports_lists(self):
                     "severity": "critical",
                     "mitre": ["attack.test1", "attack.test2"],
                     "case_condition": "directly",
-                    "copy_fields_to_detector_event": ["host.name"],
+                    "copy_fields_to_detection_event": ["host.name"],
                 },
                 "description": "Test rule one",
             }
         )
 
-    def test_copy_fields_to_detector_event_validation_supports_sets(self):
+    def test_copy_fields_to_detection_event_validation_supports_sets(self):
         self._load_rule(
             {
                 "filter": "*",
@@ -607,7 +607,7 @@ def test_copy_fields_to_detector_event_validation_supports_sets(self):
                     "severity": "critical",
                     "mitre": ["attack.test1", "attack.test2"],
                     "case_condition": "directly",
-                    "copy_fields_to_detector_event": {"host.name"},
+                    "copy_fields_to_detection_event": {"host.name"},
                 },
                 "description": "Test rule one",
             }
@@ -627,7 +627,7 @@ def test_copy_fields_to_detector_event_validation_supports_sets(self):
             "link",
         ],
     )
-    def test_copy_fields_to_detector_event_fails_on_illegal_fields(self, field_name: str):
+    def test_copy_fields_to_detection_event_fails_on_illegal_fields(self, field_name: str):
         with pytest.raises(ValueError, match="Illegal fields") as exc_info:
             self._load_rule(
                 {
@@ -638,7 +638,7 @@ def test_copy_fields_to_detector_event_fails_on_illegal_fields(self, field_name:
                         "severity": "critical",
                         "mitre": ["attack.test1", "attack.test2"],
                         "case_condition": "directly",
-                        "copy_fields_to_detector_event": {field_name},
+                        "copy_fields_to_detection_event": {field_name},
                     },
                     "description": "Test rule one",
                 }