# Housekeeping for the rule file itself. Nothing in this table is part of the
# search; it is presumably read by the rule-management tooling only.
[metadata]
# Dates use the project's own "YYYY/MM/DD" string form, not a TOML date.
creation_date = "2020/02/18"
# ECS version(s) the field names in [rule].query were written against. If the
# underlying index mapping moves to a newer ECS, re-check those field names.
ecs_version = ["1.4.0"]
# "production" presumably marks the rule as shippable rather than experimental.
maturity = "production"
# Identical to creation_date: the rule has not been revised since it was written.
updated_date = "2020/02/18"
# Pass-through rule: it does not detect exploitation itself. It re-surfaces
# alerts that the Elastic Endpoint (Endgame) agent already raised, so that they
# appear as SIEM detections. Coverage and false-positive rate are therefore
# properties of the endpoint's exploit engine, not of this query.
#
# Keys below appear alphabetically with `query` last; this looks like the
# repository's formatter convention, so keep that order when editing.
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the
rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
"""
# Look-back window. With interval = "10m" each run re-scans the last 15 minutes,
# so consecutive runs overlap by 5 minutes (presumably to absorb ingest lag).
# An endpoint alert that lands in the index more than 15 minutes late is never
# evaluated by this rule.
from = "now-15m"
# Only the Endgame index pattern is searched; endpoint alerts shipped to any
# other index will not match.
index = ["endgame-*"]
interval = "10m"
# Query syntax is KQL ("kuery"), not Lucene.
language = "kuery"
license = "Elastic License"
name = "Exploit - Detected - Elastic Endpoint"
# Fixed score for every match; the rule does not carry over whatever severity
# the endpoint itself assigned to the alert. 73 looks like the standard score
# paired with severity = "high" -- keep the two consistent if either changes.
risk_score = 73
# NOTE(review): presumably the stable identity by which the SIEM tracks and
# upgrades this rule; do not regenerate it on edits.
rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
severity = "high"
tags = ["Elastic", "Endpoint"]
type = "query"
# Match criteria, all required:
#   event.kind:alert                 - the document is itself an alert, not raw telemetry
#   event.module:endgame             - produced by the Endgame / Elastic Endpoint module
#   endgame.metadata.type:detection  - an endpoint "detection" record
#   exploit_event in event.action OR endgame.event_subtype_full
#       - the exploit category; two fields are OR'd, presumably because the
#         field name differs across agent/ECS versions -- TODO confirm
query = '''
event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
'''