elastic · mtojek · May 13, 2021 · May 13, 2021 · May 13, 2021 · rw-access
diff --git a/code/go/internal/spec/statik.go b/code/go/internal/spec/statik.go
diff --git a/code/go/internal/validator/semantic/kibana_matching_object_ids.go b/code/go/internal/validator/semantic/kibana_matching_object_ids.go
@@ -32,18 +32,26 @@ func ValidateKibanaObjectIDs(pkgRoot string) ve.ValidationErrors {
 	for _, objectFile := range objectFiles {
 		filePath := objectFile.Path()
 
-		idPath := "$.id"
-		// Special case: object is of type 'security_rule'
-		if filepath.Base(filepath.Dir(filePath)) == "security_rule" {
-			idPath = "$.rule_id"
-		}
-
-		objectID, err := objectFile.Values(idPath)
+		objectID, err := objectFile.Values("$.id")
 		if err != nil {
 			errs = append(errs, errors.Wrapf(err, "unable to get Kibana object ID in file [%s]", filePath))
 			continue
 		}
 
+		// Special case: object is of type 'security_rule'
+		if filepath.Base(filepath.Dir(filePath)) == "security_rule" {
+			ruleID, err := objectFile.Values("$.attributes.rule_id")
+			if err != nil {
+				errs = append(errs, errors.Wrapf(err, "unable to get rule ID in file [%s]", filePath))
+				continue
+			}
+
+			if ruleID != objectID {
+				errs = append(errs, errors.New("rule ID is different from the object ID"))
+				continue
+			}
+		}
+
 		// fileID == filename without the extension == expected ID of Kibana object defined inside file.
 		fileName := filepath.Base(filePath)
 		fileExt := filepath.Ext(filePath)

diff --git a/test/packages/bad_kibana_ids/kibana/security_rule/bad_kibana_ids-bar-baz.json b/test/packages/bad_kibana_ids/kibana/security_rule/bad_kibana_ids-bar-baz.json
@@ -1,3 +1,6 @@
 {
-  "rule_id": "something-else"
+  "attributes": {
+    "rule_id": "something-else"
+  },
+  "id": "something-else"
 }
diff --git a/test/packages/good/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json b/test/packages/good/kibana/security_rule/000047bb-b27a-47ec-8b62-ef1a5d2c9e19.json
@@ -1,37 +1,41 @@
 {
-  "author": [
-    "Elastic"
-  ],
-  "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
-  "false_positives": [
-    "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
-  ],
-  "index": [
-    "filebeat-*",
-    "logs-okta*"
-  ],
-  "language": "kuery",
-  "license": "Elastic License v2",
-  "name": "Attempt to Modify an Okta Policy Rule",
-  "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
-  "query": "event.dataset:okta.system and event.action:policy.rule.update",
-  "references": [
-    "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
-    "https://developer.okta.com/docs/reference/api/system-log/",
-    "https://developer.okta.com/docs/reference/api/event-types/"
-  ],
-  "risk_score": 21,
-  "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
-  "severity": "low",
-  "tags": [
-    "Elastic",
-    "Identity",
-    "Okta",
-    "Continuous Monitoring",
-    "SecOps",
-    "Identity and Access"
-  ],
-  "timestamp_override": "event.ingested",
-  "type": "query",
-  "version": 5
-}
+  "attributes": {
+    "author": [
+      "Elastic"
+    ],
+    "description": "Detects attempts to modify a rule within an Okta policy. An adversary may attempt to modify an Okta policy rule in order to weaken an organization's security controls.",
+    "false_positives": [
+      "Consider adding exceptions to this rule to filter false positives if Okta MFA rules are regularly modified in your organization."
+    ],
+    "index": [
+      "filebeat-*",
+      "logs-okta*"
+    ],
+    "language": "kuery",
+    "license": "Elastic License v2",
+    "name": "Attempt to Modify an Okta Policy Rule",
+    "note": "The Okta Fleet integration or Filebeat module must be enabled to use this rule.",
+    "query": "event.dataset:okta.system and event.action:policy.rule.update",
+    "references": [
+      "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
+      "https://developer.okta.com/docs/reference/api/system-log/",
+      "https://developer.okta.com/docs/reference/api/event-types/"
+    ],
+    "risk_score": 21,
+    "rule_id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+    "severity": "low",
+    "tags": [
+      "Elastic",
+      "Identity",
+      "Okta",
+      "Continuous Monitoring",
+      "SecOps",
+      "Identity and Access"
+    ],
+    "timestamp_override": "event.ingested",
+    "type": "query",
+    "version": 5
+  },
+  "id": "000047bb-b27a-47ec-8b62-ef1a5d2c9e19",
+  "type": "security-rule"
+}
diff --git a/versions/1/changelog.yml b/versions/1/changelog.yml
@@ -120,4 +120,7 @@
     link: https://github.com/elastic/package-spec/pull/172
   - description: Improve version consistency in case of missing/undefined version
     type: enhancement
-    link: https://github.com/elastic/package-spec/pull/174
+    link: https://github.com/elastic/package-spec/pull/174
+  - description: Fix security_rule format
+    type: bugfix
+    link: https://github.com/elastic/package-spec/pull/175