Merge branch 'main' into az-device-code

.github/PULL_REQUEST_GUIDELINES/bug_guidelines.md

@@ -31,4 +31,5 @@ These guidelines serve as a reminder set of considerations when addressing a bug
 - [ ] Ensure that the bug fix does not break existing functionality.
 - [ ] Review the bug fix with a peer or team member for additional insights.
 - [ ] Verify that the bug fix works across all relevant environments (e.g., different OS versions).
-- [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
+- [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
+- [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.

.github/PULL_REQUEST_GUIDELINES/enhancement_guidelines.md

@@ -32,3 +32,4 @@ These guidelines serve as a reminder set of considerations when addressing addin
 - [ ] Review the enhancement with a peer or team member for additional insights.
 - [ ] Verify that the enhancement works across all relevant environments (e.g., different OS versions).
 - [ ] Confirm that all dependencies are up-to-date and compatible with the changes.
+- [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.

.github/PULL_REQUEST_GUIDELINES/hunt_tuning_guidelines.md

@@ -27,4 +27,4 @@ These guidelines serve as a reminder set of considerations when tuning an existi
 - [ ] Evidence of testing and valid query usage.
 - [ ] Markdown Generated: Run `python -m hunting generate-markdown` with specific parameters to ensure a markdown version of the hunting TOML files is created.
 - [ ] Index Refreshed: Run `python -m hunting refresh-index` to refresh indexes.
-- [ ] Run Unit Tests: Run `pytest tests/test_hunt_data.py` to run unit tests.
+- [ ] Run Unit Tests: Run `pytest tests/test_hunt_data.py` to run unit tests.

.github/PULL_REQUEST_GUIDELINES/schema_enhancement_guidelines.md

@@ -43,4 +43,5 @@ These guidelines serve as a reminder set of considerations when addressing addin
 - [ ] Implemented requisite downgrade functionality
 - [ ] Cross-referenced the feature with product documentation for consistency
 - [ ] Incorporated a comprehensive test rule in unit tests for full schema coverage
-- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-remote-cli`)
+- [ ] Conducted system testing, including fleet, import, and create APIs (e.g., run `make test-remote-cli`)
+- [ ] Confirm that the proper version label is applied to the PR `patch`, `minor`, `major`.

.github/PULL_REQUEST_TEMPLATE.md

@@ -36,7 +36,7 @@ from your submission, but they are here to help bring them to your attention.
 
 <!-- Delete any items that are not applicable to this PR. -->
 
-- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
+- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
 - [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
 - [ ] Secret and sensitive material has been managed correctly
 - [ ] Automated testing was updated or added to match the most common scenarios

.github/release-drafter.yml

@@ -0,0 +1,37 @@
+name-template: 'dev-v$RESOLVED_VERSION'
+tag-template: 'dev-v$RESOLVED_VERSION'
+tag-prefix: 'dev-v'
+
+categories:
+  - title: 🚀 Features
+    label: 'enhancement'
+  - title: 🐛 Bug Fixes
+    label: 'bug'
+  - title: 🛠 Internal Changes
+    labels:
+      - 'maintenance'
+      - 'schema'
+      - 'documentation'
+      - 'python'
+  - title: 🔍 Hunting Updates
+    label: 'Hunting'
+
+change-template: '- $TITLE (#$NUMBER) @$AUTHOR'
+exclude-labels:
+  - 'skip-changelog'
+
+version-resolver:
+  major:
+    labels:
+      - 'major'
+  minor:
+    labels:
+      - 'minor'
+  patch:
+    labels:
+      - 'patch'
+  default: patch
+
+template: |
+  ## Changes
+  $CHANGES

.github/workflows/lock-versions.yml

@@ -6,7 +6,7 @@ on:
           description: 'List of branches to lock versions (ordered, comma separated)'
           required: true
           # 7.17 was intentionally skipped because it was added late and was bug fix only
-          default: '8.10,8.11,8.12,8.13,8.14,8.15'
+          default: '8.11,8.12,8.13,8.14,8.15,8.16'
 
 jobs:
   pr:

.github/workflows/version-code-and-release.yml

@@ -0,0 +1,96 @@
+name: Version Code Check and Draft Release
+
+on:
+  pull_request:
+    paths:
+      - 'lib/**'
+      - 'hunting/**/*.py'
+      - 'pyproject.toml'
+      - 'Makefile'
+      - 'docs/**'
+      - 'detection_rules/**'
+      - 'tests/**'
+      - '**/*.md'
+    types: [opened, reopened, synchronize, labeled, closed]
+
+permissions:
+  contents: read
+  pull-requests: read
+
+jobs:
+  label_check:
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Ensure PR has Version Bump Label
+        uses: actions/github-script@v6
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const labels = ['major', 'minor', 'patch'];
+            const prLabels = context.payload.pull_request.labels.map(label => label.name);
+            const hasVersionLabel = labels.some(label => prLabels.includes(label));
+            if (!hasVersionLabel) {
+              throw new Error("PR must have one of the following labels: major, minor, or patch.");
+            }
+
+  version_check:
+    if: github.event_name == 'pull_request'
+    needs: label_check
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Check if core pyproject.toml was updated
+        run: |
+          BASE_COMMIT="${{ github.event.pull_request.base.sha }}"
+
+          if ! git diff --name-only "$BASE_COMMIT" "$GITHUB_SHA" | grep '^pyproject.toml$'; then
+            echo "Code changes detected in core, but pyproject.toml was not updated."
+            exit 1
+          fi
+
+      - name: Check if lib pyproject.toml files were updated
+        run: |
+          BASE_COMMIT="${{ github.event.pull_request.base.sha }}"
+
+          if git diff --name-only "$BASE_COMMIT" "$GITHUB_SHA" | grep -E 'lib/kql/|lib/kibana/'; then
+            if ! git diff --name-only "$BASE_COMMIT" "$GITHUB_SHA" | grep -E 'lib/kql/pyproject.toml|lib/kibana/pyproject.toml'; then
+              echo "Changes detected in kql or kibana library, but respective pyproject.toml was not updated."
+              exit 1
+            fi
+          fi
+
+  tag_and_draft_release:
+    if: github.event.pull_request.merged == true
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set github config
+        run: |
+          git config --global user.email "72879786+protectionsmachine@users.noreply.github.com"
+          git config --global user.name "protectionsmachine"
+
+      - name: Extract version from pyproject.toml and create tag
+        id: extract_version
+        run: |
+          version=$(grep '^version = ' pyproject.toml | cut -d '"' -f2)
+          echo "Detected version: $version"
+          git tag -a "dev-v$version" -m "Release version $version"
+          git push origin "dev-v$version"
+
+      - name: Run Release Drafter
+        uses: release-drafter/release-drafter@v6
+        with:
+          config-name: release-drafter.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Makefile

@@ -12,7 +12,6 @@ PIP := $(VENV_BIN)/pip
 all: release
 
 $(VENV):
-	python3.12 -m pip install --upgrade pip setuptools
 	python3.12 -m venv $(VENV)
 
 .PHONY: clean

detection_rules/devtools.py

@@ -836,20 +836,19 @@ def raw_permalink(raw_link):
 
     if update_coverage:
         coverage_file_path = get_path('docs', 'ATT&CK-coverage.md')
-        header_lines = textwrap.dedent("""
-        # Rule coverage
+        header_lines = textwrap.dedent("""# Rule coverage
 
-        ATT&CK navigator layer files are generated when a package is built with `make release` or
-        `python -m detection-rules`.This also means they can be downloaded from all successful builds.
+ATT&CK navigator layer files are generated when a package is built with `make release` or
+`python -m detection-rules`.This also means they can be downloaded from all successful builds.
 
-        These files can be used to pass to a custom navigator session. For convenience, the links are
-        generated below. You can also include multiple across tabs in a single session, though it is not
-        advisable to upload _all_ of them as it will likely overload your browsers resources.
+These files can be used to pass to a custom navigator session. For convenience, the links are
+generated below. You can also include multiple across tabs in a single session, though it is not
+advisable to upload _all_ of them as it will likely overload your browsers resources.
 
-        ## Current rule coverage
+## Current rule coverage
 
-        The source files for these links are regenerated with every successful merge to main. These represent
-        coverage from the state of rules in the `main` branch.
+The source files for these links are regenerated with every successful merge to main. These represent
+coverage from the state of rules in the `main` branch.
         """)
         updated_file = header_lines + '\n\n' + '\n'.join(markdown) + '\n'
         # Replace the old URLs with the new ones