Add os group solver

.license_ignore

@@ -14,6 +14,8 @@ requirements.txt
 runtime.txt
 setup.cfg
 
+geneve/solver/datasets/*
+
 tests/deployment.json
 tests/data/config_elastic-package.yaml
 tests/data/config_geneve-test-env.yaml

geneve/solver/__init__.py

@@ -164,6 +164,20 @@ def solve(cls, doc, group, fields, schema, environment):
         solve_group = cls.solvers.get(group + ".", cls.solve_nogroup)
         solve_group(doc, group, fields, schema, environment)
 
+    @classmethod
+    def match_fields(cls, candidate, fields, schema):
+        for field, constraints in fields.items():
+            if constraints is None:
+                if field in candidate:
+                    return False
+                continue
+            constraints = constraints + [("==", candidate[field])]
+            try:
+                cls.solve_field({}, None, field, constraints, schema, {})
+            except ConflictError:
+                return False
+        return True
+
 
 def load_solvers():
     from importlib import import_module

geneve/solver/datasets/LICENSE.txt

@@ -0,0 +1,4 @@
+This work is licensed under the Creative Commons Attribution-ShareAlike
+4.0 International License. To view a copy of this license, visit
+http://creativecommons.org/licenses/by-sa/4.0/ or send a letter to
+Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.

geneve/solver/datasets/README.md

@@ -0,0 +1,4 @@
+<a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/">
+  <img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-sa/4.0/88x31.png" />
+</a><br />
+This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike 4.0 International License</a>.

geneve/solver/datasets/os.json

@@ -0,0 +1,18 @@
+[
+	{"platform": "darwin", "family": "macos", "type": "macos", "name": "macOS", "version": "Catalina 10.15", "codename": "catalina", "kernel": "19.0.0"},
+	{"platform": "darwin", "family": "macos", "type": "macos", "name": "macOS", "version": "Big Sur 11", "codename": "bigsur", "kernel": "20.1.0 xnu-7195.41.8~9"},
+	{"platform": "darwin", "family": "macos", "type": "macos", "name": "macOS", "version": "Monterey 12", "codename": "monterey", "kernel": "21.0.1 xnu-8019.30.61~4"},
+	{"platform": "darwin", "family": "macos", "type": "macos", "name": "macOS", "version": "Ventura 13", "codename": "ventura", "kernel": "22.1.0 xnu-8792.41.9~2"},
+
+	{"platform": "debian", "family": "debian", "type": "linux", "name": "Debian GNU/Linux", "version": "10 (buster)", "codename": "buster", "kernel": "4.19.0-21-cloud-amd64"},
+	{"platform": "debian", "family": "debian", "type": "linux", "name": "Debian GNU/Linux", "version": "11 (bullseye)", "codename": "bullseye", "kernel": "5.10.0-20-cloud-amd64"},
+
+	{"platform": "ubuntu", "family": "debian", "type": "linux", "name": "Ubuntu", "version": "18.04 LTS (Bionic Beaver)", "codename": "bionic", "kernel": "4.15.0-20.21"},
+	{"platform": "ubuntu", "family": "debian", "type": "linux", "name": "Ubuntu", "version": "20.04 LTS (Focal Fossa)", "codename": "focal", "kernel": "5.4.0-26.30"},
+	{"platform": "ubuntu", "family": "debian", "type": "linux", "name": "Ubuntu", "version": "22.04 LTS (Jammy Jellyfish)", "codename": "jammy", "kernel": "5.15.0-25.25"},
+
+	{"platform": "windows", "family": "windows", "type": "windows", "name": "Windows 10 22H2", "version": "10.0", "kernel": "10.0.19045.2486"},
+	{"platform": "windows", "family": "windows", "type": "windows", "name": "Windows 11 22H2", "version": "10.0", "kernel": "10.0.22621.1105"},
+	{"platform": "windows", "family": "windows", "type": "windows", "name": "Windows Server 2019", "version": "10.0", "kernel": "10.0.17763.107"},
+	{"platform": "windows", "family": "windows", "type": "windows", "name": "Windows Server 2022", "version": "10.0", "kernel": "10.0.20348.169"}
+]

geneve/solver/group_os.py

@@ -0,0 +1,44 @@
+# Licensed to Elasticsearch B.V. under one or more contributor
+# license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright
+# ownership. Elasticsearch B.V. licenses this file to you under
+# the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# 	http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""OS group constraints solver."""
+
+from functools import partial
+from pathlib import Path
+
+from faker import Faker
+from faker_datasets import Provider, add_dataset
+
+from geneve.solver import emit_group, solver
+
+
+@add_dataset("os", Path(__file__).parent / "datasets" / "os.json", picker="os")
+class OSProvider(Provider):
+    pass
+
+
+fake = Faker()
+fake.add_provider(OSProvider)
+
+
+@solver("host.os.")
+@solver("observer.os.")
+@solver("user_agent.os.")
+def resolve_os_group(doc, group, fields, schema, env):
+    match = partial(solver.match_fields, fields=fields, schema=schema)
+    os = fake.os(match=match)
+    emit_group(doc, group, os)

requirements.txt

@@ -3,6 +3,7 @@ build
 elasticsearch>=8.2.0
 eql>=0.9.12
 faker==15.3.4
+faker-datasets
 isort
 nbformat
 pytest

setup.cfg

@@ -35,6 +35,7 @@ install_requires =
     elasticsearch>=8.2.0
     eql>=0.9.12
     faker
+    faker-datasets
     pytoml
     requests
     ruamel.yaml

tests/reports/alerts_from_rules.md

@@ -13894,8 +13894,8 @@ sequence by process.entity_id with maxspan=1m
 ```
 
 ```python
-[{'host': {'os': {'family': 'macos'}}, 'process': {'parent': {'executable': '/usr/sbin/installer'}, 'entity_id': 'ZFy'}, 'event': {'type': ['start'], 'category': ['process']}, '@timestamp': 0},
- {'destination': {'ip': '170.121.236.89'}, 'event': {'category': ['network']}, 'process': {'entity_id': 'ZFy'}, '@timestamp': 1},
- {'host': {'os': {'family': 'macos'}}, 'process': {'parent': {'executable': '/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer'}, 'entity_id': 'fUy'}, 'event': {'type': ['start'], 'category': ['process']}, '@timestamp': 2},
- {'destination': {'ip': '196.67.182.123'}, 'event': {'category': ['network']}, 'process': {'entity_id': 'fUy'}, '@timestamp': 3}]
+[{'host': {'os': {'platform': 'darwin', 'family': 'macos', 'type': 'macos', 'name': 'macOS', 'version': 'Big Sur 11', 'codename': 'bigsur', 'kernel': '20.1.0 xnu-7195.41.8~9'}}, 'process': {'parent': {'executable': '/usr/sbin/installer'}, 'entity_id': 'Utk'}, 'event': {'type': ['start'], 'category': ['process']}, '@timestamp': 0},
+ {'destination': {'ip': '499d:4f18:3023:5fa9:a92d:c839:9a9f:e89b'}, 'event': {'category': ['network']}, 'process': {'entity_id': 'Utk'}, '@timestamp': 1},
+ {'host': {'os': {'platform': 'darwin', 'family': 'macos', 'type': 'macos', 'name': 'macOS', 'version': 'Monterey 12', 'codename': 'monterey', 'kernel': '21.0.1 xnu-8019.30.61~4'}}, 'process': {'parent': {'executable': '/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer'}, 'entity_id': 'vIL'}, 'event': {'type': ['start'], 'category': ['process']}, '@timestamp': 2},
+ {'destination': {'ip': 'c77f:b9c1:95ef:56ae:467b:3f4c:3786:ab03'}, 'event': {'category': ['network']}, 'process': {'entity_id': 'vIL'}, '@timestamp': 3}]
 ```

tests/test_group_solvers.py

@@ -90,3 +90,27 @@ def test_as(self):
             },
             c.solve(schema),
         )
+
+    def test_os(self):
+        from geneve.solver import group_os
+
+        schema = {}
+        c = Constraints()
+        c.append_constraint("host.os.")
+
+        self.assertEqual(
+            {
+                "host": {
+                    "os": {
+                        "codename": "bullseye",
+                        "family": "debian",
+                        "kernel": "5.10.0-20-cloud-amd64",
+                        "name": "Debian GNU/Linux",
+                        "platform": "debian",
+                        "type": "linux",
+                        "version": "11 (bullseye)",
+                    }
+                }
+            },
+            c.solve(schema),
+        )