diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml index 31ba9227c..0a3ef9750 100644 --- a/.github/workflows/lock-versions.yml +++ b/.github/workflows/lock-versions.yml @@ -6,7 +6,7 @@ on: description: 'List of branches to lock versions (ordered, comma separated)' required: true # 7.17 was intentionally skipped because it was added late and was bug fix only - default: '8.9,8.10,8.11,8.12,8.13,8.14' + default: '8.10,8.11,8.12,8.13,8.14,8.15' jobs: pr: diff --git a/detection_rules/etc/api_schemas/8.15/8.15.base.json b/detection_rules/etc/api_schemas/8.15/8.15.base.json new file mode 100644 index 000000000..d5272291d --- /dev/null +++ b/detection_rules/etc/api_schemas/8.15/8.15.base.json 
@@ -0,0 +1,430 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + 
"minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + 
"timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "esql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "author", + "description", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.15/8.15.eql.json b/detection_rules/etc/api_schemas/8.15/8.15.eql.json new file mode 100644 index 000000000..d4981cbef --- /dev/null +++ b/detection_rules/etc/api_schemas/8.15/8.15.eql.json 
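Review bot: In the new 8.15.base.json, `risk_score` is emitted with `"description": "MaxSignals"`, the same label that `max_signals` carries a few properties above, so the schema documents the wrong type name for the risk score; the `minimum: 1` / `maximum: 100` bounds are correct, only the label is off. The proposed line is `"description": "RiskScore",`. The identical text appears byte-for-byte in the eql, esql and machine_learning schemas added in this same commit, which suggests these files are generated from a shared type definition — if so, the fix belongs in the name given to that type in the generator rather than in the JSON, or the next regeneration will reintroduce it. The same source also spells `AlertSupressionValue` with a single p in the rule-type schemas; worth correcting in the same pass.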
@@ -0,0 +1,508 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "event_category_override": { + "min_compat": "8.0", + "type": "string" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + 
"interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + 
"type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + 
"additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "tiebreaker_field": { + "min_compat": "8.0", + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", 
+ "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.15/8.15.esql.json b/detection_rules/etc/api_schemas/8.15/8.15.esql.json new file mode 100644 index 000000000..b8d40663a --- /dev/null +++ b/detection_rules/etc/api_schemas/8.15/8.15.esql.json 
@@ -0,0 +1,496 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "esql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + 
"additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + 
"type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "esql" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file 
diff --git a/detection_rules/etc/api_schemas/8.15/8.15.machine_learning.json b/detection_rules/etc/api_schemas/8.15/8.15.machine_learning.json new file mode 100644 index 000000000..547790b07 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.15/8.15.machine_learning.json 
@@ -0,0 +1,440 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "anomaly_threshold": { + "type": "integer" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + 
"type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": 
"string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + 
"300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.15/8.15.new_terms.json b/detection_rules/etc/api_schemas/8.15/8.15.new_terms.json new file mode 100644 index 000000000..3b2fa86e0 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.15/8.15.new_terms.json 
@@ -0,0 +1,551 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "value": { + "description": "NewTermsFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "field", + "history_window_start", + "value" + ], + "type": "object" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": 
"NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": 
false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + 
"Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "new_terms", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.15/8.15.query.json b/detection_rules/etc/api_schemas/8.15/8.15.query.json new file mode 100644 index 000000000..6c6d9b82f --- /dev/null +++ b/detection_rules/etc/api_schemas/8.15/8.15.query.json 
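Review bot: The generated `risk_score` property in this new 8.15.new_terms.json carries `"description": "MaxSignals"`, the label of a different field, and the suppression `value` is described as `"AlertSupressionValue"` (misspelt); both read as authoritative to anyone consuming the schema. The same strings appear in the other new 8.15 schemas in this commit, so the fix belongs in the type definitions that the schema generator reads rather than in these JSON files, which would otherwise be overwritten on the next regeneration. The corrected descriptions would be `"description": "RiskScore"` for `risk_score` and `"description": "AlertSuppressionValue"` for the duration value; the `min_compat`/`maximum: 100` constraints themselves look right and need no change.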
@@ -0,0 +1,500 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": 
"string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + 
"risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": 
false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file 
diff --git a/detection_rules/etc/api_schemas/8.15/8.15.threat_match.json b/detection_rules/etc/api_schemas/8.15/8.15.threat_match.json new file mode 100644 index 000000000..f2df907f6 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.15/8.15.threat_match.json 
@@ -0,0 +1,591 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "description": "AlertSuppressionGroupBy", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "description": "AlertSuppressionMissing", + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "group_by", + "missing_fields_strategy" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + 
"type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "items_per_search": { + "description": "PositiveInteger", + "minimum": 1, + "type": "integer" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + 
"name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + 
}, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + 
"91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.15/8.15.threshold.json b/detection_rules/etc/api_schemas/8.15/8.15.threshold.json new file mode 100644 index 000000000..dc6f2f0a8 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.15/8.15.threshold.json 
@@ -0,0 +1,526 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "description": "AlertSupressionValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + } + }, + "required": [ + "duration" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "data_view_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + 
}, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9\\[\\]()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": 
"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "description": "MarkdownField", + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", 
+ "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "field": { + "description": "CardinalityFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "type": "array" + }, + "value": { + "description": "ThresholdValue", + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { 
+ "type": "string" + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/master/master.base.json b/detection_rules/etc/api_schemas/master/master.base.json index af501ab7d..d5272291d 100644 --- a/detection_rules/etc/api_schemas/master/master.base.json +++ b/detection_rules/etc/api_schemas/master/master.base.json 
@@ -52,109 +52,15 @@ }, "filters": { "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "enum": [ - "appState", - "globalState" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": false, - "properties": { - "alias": { - "type": "string" - }, - "controlledBy": { - "type": "string" - }, - "disabled": { - "type": "boolean" - }, - "group": { - "type": "string" - }, - "index": { - "type": "string" - }, - "isMultiIndex": { - "type": "boolean" - }, - "key": { - "type": "string" - }, - "negate": { - "type": "boolean" - }, - "params": { - "type": "string" - }, - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object" - }, - "query": { - "anyOf": [ - { - "additionalProperties": false, - "properties": { - "wildcard": { - "additionalProperties": { - "additionalProperties": false, - "properties": { - "case_insensitive": { - "type": "boolean" - }, - "value": { - "type": "string" - } - }, - "required": [ - "case_insensitive", - "value" - ], - "type": "object" - }, - "type": "object" - } - }, - "type": "object" - }, - { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - } - ] - } + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] }, - "required": [ - "meta" - ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.eql.json b/detection_rules/etc/api_schemas/master/master.eql.json index 3ae345171..d4981cbef 100644 --- a/detection_rules/etc/api_schemas/master/master.eql.json +++ b/detection_rules/etc/api_schemas/master/master.eql.json 
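Review bot: The rewritten `filters.items` schema drops `"additionalProperties": false`, the typed `$state`/`meta`/`query` properties and `"required": ["meta"]`, so a filter entry of any shape — a misspelled key, a missing `meta`, a `query` that is not an object — now passes local validation and is only caught (or silently accepted) once the rule reaches Kibana. For a detection-rules repository, where a filter narrows what a rule alerts on, that moves a content-integrity check from CI to deploy time, where a malformed filter can surface as an import failure or as a rule that quietly matches more or less than intended. If the intent is only to admit arbitrary Kibana filter shapes, keeping `"required": ["meta"]` inside `items` next to the new free-form `additionalProperties` preserves the minimal structural guarantee at the cost of one line. The same change appears in master.eql.json, master.esql.json, master.machine_learning.json, master.new_terms.json, master.query.json, master.threat_match.json and master.threshold.json; if these files are emitted from the rule dataclasses rather than edited by hand, the adjustment belongs in that source so the next regeneration does not undo it.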
@@ -113,109 +113,15 @@ }, "filters": { "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "enum": [ - "appState", - "globalState" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": false, - "properties": { - "alias": { - "type": "string" - }, - "controlledBy": { - "type": "string" - }, - "disabled": { - "type": "boolean" - }, - "group": { - "type": "string" - }, - "index": { - "type": "string" - }, - "isMultiIndex": { - "type": "boolean" - }, - "key": { - "type": "string" - }, - "negate": { - "type": "boolean" - }, - "params": { - "type": "string" - }, - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object" - }, - "query": { - "anyOf": [ - { - "additionalProperties": false, - "properties": { - "wildcard": { - "additionalProperties": { - "additionalProperties": false, - "properties": { - "case_insensitive": { - "type": "boolean" - }, - "value": { - "type": "string" - } - }, - "required": [ - "case_insensitive", - "value" - ], - "type": "object" - }, - "type": "object" - } - }, - "type": "object" - }, - { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - } - ] - } + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] }, - "required": [ - "meta" - ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.esql.json b/detection_rules/etc/api_schemas/master/master.esql.json index 636ddbd0c..b8d40663a 100644 --- a/detection_rules/etc/api_schemas/master/master.esql.json +++ b/detection_rules/etc/api_schemas/master/master.esql.json 
@@ -109,109 +109,15 @@ }, "filters": { "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "enum": [ - "appState", - "globalState" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": false, - "properties": { - "alias": { - "type": "string" - }, - "controlledBy": { - "type": "string" - }, - "disabled": { - "type": "boolean" - }, - "group": { - "type": "string" - }, - "index": { - "type": "string" - }, - "isMultiIndex": { - "type": "boolean" - }, - "key": { - "type": "string" - }, - "negate": { - "type": "boolean" - }, - "params": { - "type": "string" - }, - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object" - }, - "query": { - "anyOf": [ - { - "additionalProperties": false, - "properties": { - "wildcard": { - "additionalProperties": { - "additionalProperties": false, - "properties": { - "case_insensitive": { - "type": "boolean" - }, - "value": { - "type": "string" - } - }, - "required": [ - "case_insensitive", - "value" - ], - "type": "object" - }, - "type": "object" - } - }, - "type": "object" - }, - { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - } - ] - } + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] }, - "required": [ - "meta" - ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.machine_learning.json b/detection_rules/etc/api_schemas/master/master.machine_learning.json index af5c31c4a..547790b07 100644 --- a/detection_rules/etc/api_schemas/master/master.machine_learning.json +++ b/detection_rules/etc/api_schemas/master/master.machine_learning.json 
@@ -55,109 +55,15 @@ }, "filters": { "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "enum": [ - "appState", - "globalState" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": false, - "properties": { - "alias": { - "type": "string" - }, - "controlledBy": { - "type": "string" - }, - "disabled": { - "type": "boolean" - }, - "group": { - "type": "string" - }, - "index": { - "type": "string" - }, - "isMultiIndex": { - "type": "boolean" - }, - "key": { - "type": "string" - }, - "negate": { - "type": "boolean" - }, - "params": { - "type": "string" - }, - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object" - }, - "query": { - "anyOf": [ - { - "additionalProperties": false, - "properties": { - "wildcard": { - "additionalProperties": { - "additionalProperties": false, - "properties": { - "case_insensitive": { - "type": "boolean" - }, - "value": { - "type": "string" - } - }, - "required": [ - "case_insensitive", - "value" - ], - "type": "object" - }, - "type": "object" - } - }, - "type": "object" - }, - { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - } - ] - } + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] }, - "required": [ - "meta" - ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.new_terms.json b/detection_rules/etc/api_schemas/master/master.new_terms.json index 7096144f3..3b2fa86e0 100644 --- a/detection_rules/etc/api_schemas/master/master.new_terms.json +++ b/detection_rules/etc/api_schemas/master/master.new_terms.json 
@@ -109,109 +109,15 @@ }, "filters": { "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "enum": [ - "appState", - "globalState" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": false, - "properties": { - "alias": { - "type": "string" - }, - "controlledBy": { - "type": "string" - }, - "disabled": { - "type": "boolean" - }, - "group": { - "type": "string" - }, - "index": { - "type": "string" - }, - "isMultiIndex": { - "type": "boolean" - }, - "key": { - "type": "string" - }, - "negate": { - "type": "boolean" - }, - "params": { - "type": "string" - }, - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object" - }, - "query": { - "anyOf": [ - { - "additionalProperties": false, - "properties": { - "wildcard": { - "additionalProperties": { - "additionalProperties": false, - "properties": { - "case_insensitive": { - "type": "boolean" - }, - "value": { - "type": "string" - } - }, - "required": [ - "case_insensitive", - "value" - ], - "type": "object" - }, - "type": "object" - } - }, - "type": "object" - }, - { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - } - ] - } + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] }, - "required": [ - "meta" - ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.query.json b/detection_rules/etc/api_schemas/master/master.query.json index 89ffd98a7..6c6d9b82f 100644 --- a/detection_rules/etc/api_schemas/master/master.query.json +++ b/detection_rules/etc/api_schemas/master/master.query.json 
@@ -109,109 +109,15 @@ }, "filters": { "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "enum": [ - "appState", - "globalState" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": false, - "properties": { - "alias": { - "type": "string" - }, - "controlledBy": { - "type": "string" - }, - "disabled": { - "type": "boolean" - }, - "group": { - "type": "string" - }, - "index": { - "type": "string" - }, - "isMultiIndex": { - "type": "boolean" - }, - "key": { - "type": "string" - }, - "negate": { - "type": "boolean" - }, - "params": { - "type": "string" - }, - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object" - }, - "query": { - "anyOf": [ - { - "additionalProperties": false, - "properties": { - "wildcard": { - "additionalProperties": { - "additionalProperties": false, - "properties": { - "case_insensitive": { - "type": "boolean" - }, - "value": { - "type": "string" - } - }, - "required": [ - "case_insensitive", - "value" - ], - "type": "object" - }, - "type": "object" - } - }, - "type": "object" - }, - { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - } - ] - } + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] }, - "required": [ - "meta" - ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.threat_match.json b/detection_rules/etc/api_schemas/master/master.threat_match.json index 9d2901f09..f2df907f6 100644 --- a/detection_rules/etc/api_schemas/master/master.threat_match.json +++ b/detection_rules/etc/api_schemas/master/master.threat_match.json 
@@ -114,109 +114,15 @@ }, "filters": { "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "enum": [ - "appState", - "globalState" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": false, - "properties": { - "alias": { - "type": "string" - }, - "controlledBy": { - "type": "string" - }, - "disabled": { - "type": "boolean" - }, - "group": { - "type": "string" - }, - "index": { - "type": "string" - }, - "isMultiIndex": { - "type": "boolean" - }, - "key": { - "type": "string" - }, - "negate": { - "type": "boolean" - }, - "params": { - "type": "string" - }, - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object" - }, - "query": { - "anyOf": [ - { - "additionalProperties": false, - "properties": { - "wildcard": { - "additionalProperties": { - "additionalProperties": false, - "properties": { - "case_insensitive": { - "type": "boolean" - }, - "value": { - "type": "string" - } - }, - "required": [ - "case_insensitive", - "value" - ], - "type": "object" - }, - "type": "object" - } - }, - "type": "object" - }, - { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - } - ] - } + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] }, - "required": [ - "meta" - ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/api_schemas/master/master.threshold.json b/detection_rules/etc/api_schemas/master/master.threshold.json index 7cf6e1ac0..dc6f2f0a8 100644 --- a/detection_rules/etc/api_schemas/master/master.threshold.json +++ b/detection_rules/etc/api_schemas/master/master.threshold.json 
@@ -88,109 +88,15 @@ }, "filters": { "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "enum": [ - "appState", - "globalState" - ], - "enumNames": [], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": false, - "properties": { - "alias": { - "type": "string" - }, - "controlledBy": { - "type": "string" - }, - "disabled": { - "type": "boolean" - }, - "group": { - "type": "string" - }, - "index": { - "type": "string" - }, - "isMultiIndex": { - "type": "boolean" - }, - "key": { - "type": "string" - }, - "negate": { - "type": "boolean" - }, - "params": { - "type": "string" - }, - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object" - }, - "query": { - "anyOf": [ - { - "additionalProperties": false, - "properties": { - "wildcard": { - "additionalProperties": { - "additionalProperties": false, - "properties": { - "case_insensitive": { - "type": "boolean" - }, - "value": { - "type": "string" - } - }, - "required": [ - "case_insensitive", - "value" - ], - "type": "object" - }, - "type": "object" - } - }, - "type": "object" - }, - { - "additionalProperties": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] - }, - "type": "object" - } - ] - } + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] }, - "required": [ - "meta" - ], "type": "object" }, "type": "array" diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz index c499e176d..40b73d361 100644 Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ 
diff --git a/detection_rules/etc/beats_schemas/v8.14.3.json.gz b/detection_rules/etc/beats_schemas/v8.14.3.json.gz
new file mode 100644
index 000000000..4d948fb7f
Binary files /dev/null and b/detection_rules/etc/beats_schemas/v8.14.3.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz
index e5191996f..fbeb38b08 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz
index 101bf1940..c57690aed 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz
index 308c01607..0206868a4 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz
index 7fa6e41b4..c7a93c331 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz
index 2ea7a5eaf..f9de082a7 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz
index 73f3b2977..94cdfdcb6 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz
index b4d8d8d03..d8ddc7b71 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz
index 32923a26f..fee6888b9 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz
index be3f12b1b..c6dbb8493 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz
index f67edaedc..c29ce042e 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz
index fa49b0451..fad38628a 100644
Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz
index c83abbaf4..b6b691d49 100644
Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz
index 41abef8c5..94c7ec0b2 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz
index d3028e7fa..f4c08acf3 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz
index 3342706e2..04ecc2b53 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz
index 71bb49002..6e910ea58 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
index b2daee501..6d08bd92c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
index e2f2c6fe7..f94eba3fd 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
index 027a22a99..a0f474f5f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
index 087b86f30..ff0a3984c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
index 6fa41576a..115b2bb90 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
index f6931cb85..f46e2ce39 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz
index 85b90f6fb..379bbbdfd 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz
index 554bd9a8a..25788ac3c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz
index 56279aa94..e110aedfb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz
index cf076502c..d2339925f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
index 2d1daab05..21a60727a 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
index 07d6d4258..e68ffade9 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
index 77356dc42..6a7254090 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
index 5c511a042..89c086be9 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
index 05e742b78..67174eeff 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
index 8c2aa0988..2db3fd0a5 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
index 87e729e0b..b8be59f40 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
index 68de0b27b..6925b286c 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz
index f5063ffab..88311eeb6 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz
index 7f05f813c..c26bba1cc 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz
index ac9ec9f87..029393fb0 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz
index 42abc0bca..7abade071 100644
Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz
index 4d5897672..0d9abb473 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz
index 3fbaa8e56..266d0eec4 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz
index 1e457c8a7..096adbfd3 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz
index 62498d665..76164cd04 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz
index bf37a704d..b5eaae6fa 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz
index 91b794a97..ff98ce362 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz
index f04329a12..fa24ab645 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz
index 47af0f73a..de90070d6 100644
Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz
index b3036ba3a..6d8479629 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz
index b5dd97e3b..f48b16cf8 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz
index e7b2412a1..fb707b6de 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz
index fdd10da3f..44ce35d8b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz
index 33c2534d1..82439e144 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz
index bc4e6ccf8..54a0c5455 100644
Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz
index 2e1f28dac..b51124a32 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz
index 5aed1007e..3ed132f32 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz
index 44e08e82d..44c0d34bf 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz
index 373d8105c..9fcd1510b 100644
Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz
index 009a8cb61..51325f7d7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz
index 61c9bb928..6d7d9e5cc 100644
Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz
index c878f4f08..b507567c0 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz
index 7f96d056e..d8a213444 100644
Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz
index 1c1b0b7cb..12b52562f 100644
Binary files a/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/master_8.12.0-dev/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 4cf7ab622..4c14112a0 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index 65b634c30..9b6ab9782 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/etc/packages.yaml b/detection_rules/etc/packages.yaml
index e54683907..39a654bb4 100644
--- a/detection_rules/etc/packages.yaml
+++ b/detection_rules/etc/packages.yaml
@@ -4,7 +4,7 @@ package:
 maturity:
 - production
 log_deprecated: true
- name: '8.15'
+ name: '8.16'
 registry_data:
 categories:
 - security
@@ -13,7 +13,7 @@ package:
 subscription: basic
 capabilities:
 - security
- kibana.version: ^8.15.0
+ kibana.version: ^8.16.0
 description: Prebuilt detection rules for Elastic Security
 format_version: 3.0.0
 icons:
@@ -28,5 +28,5 @@ package:
 license: Elastic-2.0
 title: Prebuilt Security Detection Rules
 type: integration
- version: 8.15.0-beta.1
+ version: 8.16.0-beta.1
 release: true
diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml
index f2ea604e4..c3941bfe0 100644
--- a/detection_rules/etc/stack-schema-map.yaml
+++ b/detection_rules/etc/stack-schema-map.yaml
@@ -72,12 +72,12 @@
 # ecs: "8.8.0"
 # endgame: "8.4.0"
-## Supported
+# "8.9.0":
+# beats: "8.9.0"
+# ecs: "8.9.0"
+# endgame: "8.4.0"
-"8.9.0":
- beats: "8.9.0"
- ecs: "8.9.0"
- endgame: "8.4.0"
+## Supported
 "8.10.0":
 beats: "8.10.3"
@@ -107,4 +107,9 @@
 "8.15.0":
 beats: "8.13.4"
 ecs: "8.11.0"
+ endgame: "8.4.0"
+
+"8.16.0":
+ beats: "8.14.3"
+ ecs: "8.11.0"
 endgame: "8.4.0"
\ No newline at end of file
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index 21c6d05d8..f69d21f85 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -1,15 +1,5 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 206, - "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "ab816235d1086e87acda877a4f3bc72e72af952ecf7a40b59d2d45991812ef73", - "type": "query", - "version": 107 - } - }, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "8e250a9c8ff04c25044e7bd0932764e6d21ad669c07dcbd9589c825b771b13f2", "type": "query",
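Review bot: The new `"8.16.0"` block is still appended without a terminating newline — the `\ No newline at end of file` marker applies to the new side as well — which is why this hunk shows `endgame: "8.4.0"` being re-added under 8.15.0 while the old unterminated line survives as the last line of 8.16.0, and the next version added here will produce the same confusing churn. Ending the file with a newline after the final `endgame: "8.4.0"` keeps future diffs to the lines actually added. The 8.16.0 entry also pins `ecs: "8.11.0"`, identical to 8.15.0, while this same commit modifies the bundled ECS schema archives under `detection_rules/etc/ecs_schemas/`; if carrying the 8.15 pin forward is deliberate, a one-line comment above the entry saying so would stop a later reader from treating it as an oversight.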
@@ -24,23 +14,23 @@ "0022d47d-39c7-4f69-a232-4fe9dc7a3acd": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 209, + "rule_name": "System Shells via Services", + "sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71", + "type": "eql", + "version": 110 + }, "8.11": { "max_allowable_version": 311, "rule_name": "System Shells via Services", "sha256": "41fba361b5b99330766decbe9810fc33075a30aa9e8f0cbf55f2770a20914783", "type": "eql", "version": 212 - }, - "8.9": { - "max_allowable_version": 209, - "rule_name": "System Shells via Services", - "sha256": "6685da19ff0ea1ee48d11d6029d1c69a780149fe7f8d8d9b2f60ed9766f28e71", - "type": "eql", - "version": 110 } }, "rule_name": "System Shells via Services", - "sha256": "d09f4a2125c3a79501aa49ac207d0826a48e71b41fcca9095d05be14c1ff1465", + "sha256": "d09f4a2125c3a79501aa49ac207d0826a48e71b41fcca9095d05be14c1ff1465", "type": "eql", "version": 313 }, @@ -251,19 +241,19 @@ "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 107, + "rule_name": "Local Account TokenFilter Policy Disabled", + "sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46", + "type": "eql", + "version": 8 + }, "8.11": { "max_allowable_version": 209, "rule_name": "Local Account TokenFilter Policy Disabled", "sha256": "1c3ab4d2b102c8ec800f2887356dbfc15b6aa901629c763e6a1a1642a1ded75d", "type": "eql", "version": 110 - }, - "8.9": { - "max_allowable_version": 107, - "rule_name": "Local Account TokenFilter Policy Disabled", - "sha256": "1a734f41fd03d0ba5772ea20c1ee6db1efa178fc9f2c859a901c9c597ffaec46", - "type": "eql", - "version": 8 } }, "rule_name": "Local Account TokenFilter Policy Disabled", 
@@ -356,7 +346,6 @@ "version": 103 }, "0ab319ef-92b8-4c7f-989b-5de93c852e93": { - "min_stack_version": "8.10", "rule_name": "Statistical Model Detected C2 Beaconing Activity with High Confidence", "sha256": "d6a0f724b514c85dbde5be35083810d0d6e18c2cd144eef691aa03bd23590370", "type": "query", @@ -365,7 +354,7 @@ "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Remote Execution Capabilities via WinRM", "sha256": "434f9932a025ca56e9e7088380e4e35b25f922c6694252391c071315e7c84f14", @@ -590,7 +579,6 @@ "version": 5 }, "1251b98a-ff45-11ee-89a1-f661ea17fbce": { - "min_stack_version": "8.9", "rule_name": "AWS Lambda Function Created or Updated", "sha256": "87966613bf1e01dcb3a76da7179be8b64db8e7af206075273d4919a384b5d773", "type": "query", @@ -635,19 +623,19 @@ "1327384f-00f3-44d5-9a8c-2373ba071e92": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 207, + "rule_name": "Persistence via Scheduled Job Creation", + "sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471", + "type": "eql", + "version": 108 + }, "8.11": { "max_allowable_version": 309, "rule_name": "Persistence via Scheduled Job Creation", "sha256": "f4ae219c917a8d1a55097816b0472399ed12b807ff8accd18fe53a7b1cccfb29", "type": "eql", "version": 210 - }, - "8.9": { - "max_allowable_version": 207, - "rule_name": "Persistence via Scheduled Job Creation", - "sha256": "614d79b1b8057b2eb0a33fea72890f4c745a48ab6092bb1919f7a503d2de9471", - "type": "eql", - "version": 108 } }, "rule_name": "Persistence via Scheduled Job Creation", @@ -710,7 +698,6 @@ "version": 109 }, "151d8f72-0747-11ef-a0c2-f661ea17fbcc": { - "min_stack_version": "8.9", "rule_name": "AWS Lambda Function Policy Updated to Allow Public Invocation", "sha256": "8f37f83d14e5f650d694453e7a219434d6fcac27bc91c9692f220f1502948740", "type": "query", 
@@ -850,7 +837,6 @@ "version": 100 }, "185c782e-f86a-11ee-9d9f-f661ea17fbce": { - "min_stack_version": "8.9", "rule_name": "Rapid Secret Retrieval Attempts from AWS SecretsManager", "sha256": "1d9dfb66a70cf2a0249e4cf7248a0218c0b890257f16a5561378bc176823be8e", "type": "threshold", @@ -977,7 +963,6 @@ "version": 108 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { - "min_stack_version": "8.10", "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "50473966980c6830aa4b12aa9acafafacf8d3e86b508832e498777b302fd9b54", "type": "query", @@ -990,7 +975,6 @@ "version": 110 }, "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce": { - "min_stack_version": "8.9", "rule_name": "AWS IAM Roles Anywhere Profile Creation", "sha256": "f668e7947688e878a2b5f5aa8a3bc7f30cf777776b49855a8b5e2c7e3b8e2449", "type": "query", @@ -1035,7 +1019,7 @@ "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 105, "rule_name": "PowerShell Script with Discovery Capabilities", "sha256": "f190de5af14bbb60e793a9add72d0cf2b89e9a8fd2f593c098664a50360aaf06", @@ -1135,7 +1119,7 @@ "20457e4f-d1de-4b92-ae69-142e27a4342a": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 206, "rule_name": "Access of Stored Browser Credentials", "sha256": "2096c9935d4a0209a44ab553fb8f3453c10cb834b1b2665a96e6f2852635d563", @@ -1276,14 +1260,12 @@ "version": 5 }, "25e7fee6-fc25-11ee-ba0f-f661ea17fbce": { - "min_stack_version": "8.9", "rule_name": "Insecure AWS EC2 VPC Security Group Ingress Rule Added", "sha256": "e07c5774ac9be077fa7a454528f609d611bd70ce18b1d4ae04954c19fd243eec", "type": "query", "version": 1 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { - "min_stack_version": "8.10", "rule_name": "New Okta Authentication Behavior Detected", "sha256": "44887f3eb626b80c75a0110be4b26d1ce66bf37892a7bab818d90f36023aae1c", "type": "query", 
@@ -1328,7 +1310,7 @@ "27071ea3-e806-4697-8abc-e22c92aa4293": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Archive Compression Capabilities", "sha256": "e45eab95dfc89f02571c3f4a759eccf69d16d6b97a471c585cf0cea086acc29f", @@ -1448,19 +1430,19 @@ "2917d495-59bd-4250-b395-c29409b76086": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 210, + "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", + "sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc", + "type": "eql", + "version": 111 + }, "8.11": { "max_allowable_version": 312, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", "sha256": "4607d8429638219c1f9ece41ae92dfc7da4182560170d3fceebe3da2b397a609", "type": "eql", "version": 213 - }, - "8.9": { - "max_allowable_version": 210, - "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", - "sha256": "28ea0bbb12cf1c1a72a0c1b87a80fea6c5d0e587cd14d5b24db0b2b9550f5efc", - "type": "eql", - "version": 111 } }, "rule_name": "Web Shell Detection: Script Process Child of Common Web Processes", @@ -1471,7 +1453,7 @@ "291a0de9-937a-4189-94c0-3e847c8b13e4": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 310, "rule_name": "Enumeration of Privileged Local Groups Membership", "sha256": "4d67c645c194c7be0ae57c04360e2e8d9a4af8927da4a2dd4f0696029148e26d", @@ -1485,7 +1467,6 @@ "version": 311 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { - "min_stack_version": "8.10", "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "ed5ee5cca37901181403052c73c15575a768c00863a860235c68fae83f550ce1", "type": "query", 
@@ -1524,19 +1505,19 @@ "2bf78aa2-9c56-48de-b139-f169bf99cf86": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 210, + "rule_name": "Adobe Hijack Persistence", + "sha256": "8deb745625f81d1579d5c03b75e701111c6b1b78c8c0be11bef3f51b5214c636", + "type": "eql", + "version": 112 + }, "8.11": { "max_allowable_version": 312, "rule_name": "Adobe Hijack Persistence", "sha256": "161e5a766f9c183fcb7844ab9c00e463c61b5038163292d851264e784b67e6fe", "type": "eql", "version": 213 - }, - "8.9": { - "max_allowable_version": 210, - "rule_name": "Adobe Hijack Persistence", - "sha256": "8deb745625f81d1579d5c03b75e701111c6b1b78c8c0be11bef3f51b5214c636", - "type": "eql", - "version": 112 } }, "rule_name": "Adobe Hijack Persistence", @@ -1749,19 +1730,19 @@ "32f4675e-6c49-4ace-80f9-97c9259dca2e": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 210, + "rule_name": "Suspicious MS Outlook Child Process", + "sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3", + "type": "eql", + "version": 111 + }, "8.11": { "max_allowable_version": 312, "rule_name": "Suspicious MS Outlook Child Process", "sha256": "ec635203600f69ea750ecaebc07cf8b1643d32bb8776c029960fc0a69b73d172", "type": "eql", "version": 213 - }, - "8.9": { - "max_allowable_version": 210, - "rule_name": "Suspicious MS Outlook Child Process", - "sha256": "ab072081c0f447b8ae3f174016da6d44b3a3a21b5a3c6ca71506c4e0fd7246d3", - "type": "eql", - "version": 111 } }, "rule_name": "Suspicious MS Outlook Child Process", 
@@ -1814,19 +1795,19 @@ "3535c8bb-3bd5-40f4-ae32-b7cd589d5372": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 209, + "rule_name": "Port Forwarding Rule Addition", + "sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd", + "type": "eql", + "version": 110 + }, "8.11": { "max_allowable_version": 311, "rule_name": "Port Forwarding Rule Addition", "sha256": "1278795e146f4388f338e9288d125c501ac2323f738e27e32771e3f98bf5983d", "type": "eql", "version": 212 - }, - "8.9": { - "max_allowable_version": 209, - "rule_name": "Port Forwarding Rule Addition", - "sha256": "6898cb41a0f614b74222c1863817dc993d7470c5953727d9199a63308685d9cd", - "type": "eql", - "version": 110 } }, "rule_name": "Port Forwarding Rule Addition", @@ -1909,7 +1890,7 @@ "37f638ea-909d-4f94-9248-edd21e4a9906": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 205, "rule_name": "Finder Sync Plugin Registered and Enabled", "sha256": "b0d1702942012aaf400be87038c53cf2ccc337510f3956545d8344b96c98a598", @@ -1923,16 +1904,6 @@ "version": 206 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 206, - "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "f4d46f02451d1b387f81c66eaf2bac499ae2b55dab8b5ff072060d572c17bae2", - "type": "query", - "version": 107 - } - }, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "6873fd08617e0efde5dccf424aacbfe7057877288810c2ed68293f795964241b", "type": "query", 
@@ -2037,19 +2008,19 @@ "3b47900d-e793-49e8-968f-c90dc3526aa1": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 209, + "rule_name": "Unusual Parent Process for cmd.exe", + "sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f", + "type": "eql", + "version": 110 + }, "8.11": { "max_allowable_version": 311, "rule_name": "Unusual Parent Process for cmd.exe", "sha256": "1eeaf9397562f84443b1cd7a3422d97278a8b9aacfce241cb84f7a7fd0fa822b", "type": "eql", "version": 212 - }, - "8.9": { - "max_allowable_version": 209, - "rule_name": "Unusual Parent Process for cmd.exe", - "sha256": "b684f4c5fbb972a39c7c5707d9dd7519013e2a23854d99612acc986458b8327f", - "type": "eql", - "version": 110 } }, "rule_name": "Unusual Parent Process for cmd.exe", @@ -2078,7 +2049,7 @@ "3d3aa8f9-12af-441f-9344-9f31053e316d": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 104, "rule_name": "PowerShell Script with Log Clear Capabilities", "sha256": "89e12f38568452e05edf82a51f7ea6467b8b1350950e26a393767e49f1c702d0", @@ -2243,7 +2214,6 @@ "version": 106 }, "41f7da9e-4e9f-4a81-9b58-40d725d83bc0": { - "min_stack_version": "8.10", "rule_name": "Mount Launched Inside a Privileged Container", "sha256": "cbe5528e821d12676b1467cbad8a167c831250bb28080658e40c69119be90c7d", "type": "eql", @@ -2256,16 +2226,6 @@ "version": 2 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 206, - "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "882dcaea90df31c2153dbabfb17dc21bcc8f8866c862b5a02c20026eac301621", - "type": "threshold", - "version": 108 - } - }, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "191661b0af8a8c61df4f38e1c05684730daaa2e7211d90119b291ab3658f5ad3", "type": "threshold", 
@@ -2578,16 +2538,6 @@ "version": 107 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "8e3e57e9dbe9ec6a8cc4673f80020513ca5a4c120e4a9efb9f8acc7a646de4c8", - "type": "query", - "version": 106 - } - }, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "6cf84f243e86183b9bc2efdc39aa92f7573c421593ce71f1ce90dd87daf5b2dd", "type": "query", @@ -2607,7 +2557,6 @@ "version": 109 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { - "min_stack_version": "8.10", "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "9f8682da0707ca62f5537007eb440a25605c097964d7acb1ab228c8c773845ca", "type": "threshold", @@ -2628,19 +2577,19 @@ "513f0ffd-b317-4b9c-9494-92ce861f22c7": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 207, + "rule_name": "Registry Persistence via AppCert DLL", + "sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1", + "type": "eql", + "version": 108 + }, "8.11": { "max_allowable_version": 309, "rule_name": "Registry Persistence via AppCert DLL", "sha256": "c5ff7eb8172555229b212c9210db00fb26898ce71473a3879fcd04d270da857d", "type": "eql", "version": 210 - }, - "8.9": { - "max_allowable_version": 207, - "rule_name": "Registry Persistence via AppCert DLL", - "sha256": "0c9dc337aa75f6fa5139ce19167e415b0d8ecd48066d478250e49d78274e2ba1", - "type": "eql", - "version": 108 } }, "rule_name": "Registry Persistence via AppCert DLL", @@ -2727,7 +2676,6 @@ "version": 106 }, "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { - "min_stack_version": "8.9", "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", "sha256": "cce1af93176b643f8c69e79b1ef19c94e25df9e6f6607ba60b50433fd8914264", "type": "new_terms", 
@@ -2746,7 +2694,6 @@ "version": 102 }, "5397080f-34e5-449b-8e9c-4c8083d7ccc6": { - "min_stack_version": "8.10", "rule_name": "Statistical Model Detected C2 Beaconing Activity", "sha256": "d973fcbb65bfb1114bf7274eec0a49753fc3ac6e545fb635cd87b176b08276cc", "type": "query", @@ -2773,7 +2720,7 @@ "54a81f68-5f2a-421e-8eed-f888278bb712": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 107, "rule_name": "Exchange Mailbox Export via PowerShell", "sha256": "4a05779cfb9f68a05f85f4f67e3e5019e7ed90df2ad6d7626728154095aba9c2", @@ -2817,7 +2764,6 @@ "version": 5 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { - "min_stack_version": "8.10", "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "19f2524462a1935f7bd77fa31385a7dbf59740b36cd1da2d0ac2166624973870", "type": "eql", @@ -2832,7 +2778,7 @@ "565c2b44-7a21-4818-955f-8d4737967d2e": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 205, "rule_name": "Potential Admin Group Account Addition", "sha256": "f0900e40693096576a20cfd51e40984df7b6149ec534b6d6e492162d871527e4", @@ -2860,7 +2806,7 @@ "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 209, "rule_name": "PowerShell PSReflect Script", "sha256": "65cd952645b44e0f83790a6d8175f52c74830218d8ebf22044c520c4176a4179", @@ -3190,7 +3136,7 @@ "61ac3638-40a3-44b2-855a-985636ca985e": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 212, "rule_name": "PowerShell Suspicious Discovery Related Windows API Functions", "sha256": "9321d3196034baa0a52034b07bbccafb94712b2ff10a634a6a451b65d5c7a23e", 
@@ -3216,7 +3162,6 @@ "version": 110 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { - "min_stack_version": "8.10", "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "061bd86219770d199904efabae4bb62bbc5897cdef6b8d1e517cae8670d3398e", "type": "threshold", @@ -3345,7 +3290,7 @@ "66da12b1-ac83-40eb-814c-07ed1d82b7b9": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 205, "rule_name": "Suspicious macOS MS Office Child Process", "sha256": "fa49c48190d30ef29a48b101b182660b4498f72ff588291a7c1121e01dc0d489", @@ -3365,16 +3310,6 @@ "version": 9 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "bcc00051e5ab5b70c88a4b1559e4edcff319d79f2bbe5bfcab404a3d63457d63", - "type": "query", - "version": 106 - } - }, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "0f0e1ba88bbda85d60bb8fc96bda554db238881ea16937d0f0fa5414a15e6ede", "type": "query", @@ -3387,16 +3322,6 @@ "version": 206 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "f58a59fe0d9f317a1998e97634f691d5f4b4b0dc6b79fc874df5f7b9185a9f93", - "type": "query", - "version": 106 - } - }, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "e8e7b2e174c70d5a4a851a47b90138516f2a3c440e275c037a6f1334759c87de", "type": "query", 
@@ -3433,16 +3358,6 @@ "version": 207 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 204, - "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "44208f997fe40e0ec5625789243073bee7f66e3d2be2ed117e69e6f9b6907a21", - "type": "query", - "version": 105 - } - }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "8d04de56ef8b8f97264ebf4f9614963e43b9106d543823fdccbce9b59a0011d8", "type": "query", @@ -3542,19 +3457,19 @@ "6aace640-e631-4870-ba8e-5fdda09325db": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 210, + "rule_name": "Exporting Exchange Mailbox via PowerShell", + "sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f", + "type": "eql", + "version": 111 + }, "8.11": { "max_allowable_version": 312, "rule_name": "Exporting Exchange Mailbox via PowerShell", "sha256": "2d52d4dd2959183694f30b240d9b43954559672d1c81b7518f836f3ac67e449a", "type": "eql", "version": 213 - }, - "8.9": { - "max_allowable_version": 210, - "rule_name": "Exporting Exchange Mailbox via PowerShell", - "sha256": "6fd173fa6170609a487f81b30491b79df555d458fe2738216aa9cd26b1bbc98f", - "type": "eql", - "version": 111 } }, "rule_name": "Exporting Exchange Mailbox via PowerShell", @@ -3671,7 +3586,6 @@ "version": 100 }, "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { - "min_stack_version": "8.10", "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "4a61b8effbf32d622b658833f4b222d18ac656a1cddd5bf60629bebf6292ec7f", "type": "new_terms", @@ -3750,7 +3664,6 @@ "version": 3 }, "71de53ea-ff3b-11ee-b572-f661ea17fbce": { - "min_stack_version": "8.9", "rule_name": "AWS IAM Roles Anywhere Trust Anchor Created with External CA", "sha256": "fc40abf7c58386b21b4e7ba3f8d8b900510aeaa86c789defff2aec11c20e707c", "type": "query", 
@@ -3763,16 +3676,6 @@ "version": 206 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "c60bc906d469f3485ac3f4e2694f2ad9335dd69d76776d4a7604221cdc4bd77c", - "type": "query", - "version": 106 - } - }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "a26dbdf7534708e6c75311dac75a165cbb21ce2fedc44bffa5ebd8437ffe6354", "type": "query", @@ -3811,7 +3714,7 @@ "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 205, "rule_name": "Modification of Environment Variable via Launchctl", "sha256": "baaab449ef5b78ab10fc6dec249fb8d0f5ba0a06cd5c58df962d3b5c0683adeb", @@ -3893,19 +3796,19 @@ "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 209, + "rule_name": "Potential Remote Desktop Tunneling Detected", + "sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33", + "type": "eql", + "version": 110 + }, "8.11": { "max_allowable_version": 311, "rule_name": "Potential Remote Desktop Tunneling Detected", "sha256": "798b0bc1aa4d176b16df395288002a2230428379590ddac8a418f1d42b23d435", "type": "eql", "version": 212 - }, - "8.9": { - "max_allowable_version": 209, - "rule_name": "Potential Remote Desktop Tunneling Detected", - "sha256": "7aa6802a0f3b68b47c51cf9c2bf2173bd894ec4c8c10b615109d165e50bdfb33", - "type": "eql", - "version": 110 } }, "rule_name": "Potential Remote Desktop Tunneling Detected", 
@@ -3970,19 +3873,19 @@ "78de1aeb-5225-4067-b8cc-f4a1de8a8546": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 100, + "rule_name": "Suspicious ScreenConnect Client Child Process", + "sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0", + "type": "eql", + "version": 1 + }, "8.11": { "max_allowable_version": 202, "rule_name": "Suspicious ScreenConnect Client Child Process", "sha256": "49a6b4db003e5979ea703d08bd0b70fac84ca643c074a444e673d90ab43d8b3c", "type": "eql", "version": 103 - }, - "8.9": { - "max_allowable_version": 100, - "rule_name": "Suspicious ScreenConnect Client Child Process", - "sha256": "3a5b48b246dc6b94292ab3d37f29c9ee4894804983a6c4e75b67a8c520f24ef0", - "type": "eql", - "version": 1 } }, "rule_name": "Suspicious ScreenConnect Client Child Process", @@ -4105,7 +4008,6 @@ "version": 104 }, "7d091a76-0737-11ef-8469-f661ea17fbcc": { - "min_stack_version": "8.9", "rule_name": "AWS Lambda Layer Added to Existing Function", "sha256": "26e76de9328e30fd2a1ccfedc25b238243c1c82d255dd6d1e3f7ccc9e67d7898", "type": "query", @@ -4132,7 +4034,7 @@ "7e23dfef-da2c-4d64-b11d-5f285b638853": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 102, "rule_name": "Microsoft Management Console File from Unusual Path", "sha256": "a3c1779146ac37db61c960f0dd8090df03ff5ca4d862a830cb4f276b73ad4a49", @@ -4189,7 +4091,6 @@ "version": 1 }, "804a7ac8-fc00-11ee-924b-f661ea17fbce": { - "min_stack_version": "8.9", "rule_name": "SSM Session Started to EC2 Instance", "sha256": "1810d2feab3a3ab42bfb40d5b25dba1fdfff834237355e59824fb8d89879f0dc", "type": "new_terms", @@ -4234,7 +4135,7 @@ "81fe9dc6-a2d7-4192-a2d8-eed98afc766a": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 210, "rule_name": "PowerShell Suspicious Payload Encoded and Compressed", "sha256": "b37f48d5442be42df0d2783a9a8c3a2aa4e791636a90f115ebc567ee730ba2de", 
@@ -4256,7 +4157,7 @@ "827f8d8f-4117-4ae4-b551-f56d54b9da6b": { "min_stack_version": "8.11", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 206, "rule_name": "Apple Scripting Execution with Administrator Privileges", "sha256": "c86e89c5415c3f38817090bc99e25901d75e58b5f7387022f61bd609df89272a", @@ -4372,7 +4273,6 @@ "version": 112 }, "873b5452-074e-11ef-852e-f661ea17fbcc": { - "min_stack_version": "8.9", "rule_name": "AWS EC2 Instance Connect SSH Public Key Uploaded", "sha256": "f5bb109e123b34f550ec9a57fc0152a04bc3bc4de3e5adc847b07ef34d39fc68", "type": "query", @@ -4457,7 +4357,6 @@ "version": 5 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { - "min_stack_version": "8.10", "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "9b0a2839f4cf78cbec03a3af5cacad652fcad5f72e5e9f06e2c3324a6014727c", "type": "eql", @@ -4482,16 +4381,6 @@ "version": 108 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "f01b127b08601cf43cda877946ee97bf4bc51e4cff8f27b3e3dc4a809a3bf009", - "type": "query", - "version": 106 - } - }, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "42864ccbb8e48936452a309318951454ac5820199a0b5e62be20a53c6846eb2b", "type": "query", @@ -4692,7 +4581,7 @@ "92984446-aefb-4d5e-ad12-598042ca80ba": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 107, "rule_name": "PowerShell Suspicious Script with Clipboard Retrieval Capabilities", "sha256": "2f82ee830e43259016d4adf959d1c08b65e5c44f66accebde1c7a3aece556548", @@ -4718,7 +4607,6 @@ "version": 3 }, "93075852-b0f5-4b8b-89c3-a226efae5726": { - "min_stack_version": "8.9", "rule_name": "AWS Security Token Service (STS) AssumeRole Usage", "sha256": "eccf879f86a18747a6744cb2d0084cf9aef85286bfb2fb37f3302d9f20d3d86c", "type": "query", 
@@ -4745,19 +4633,19 @@ "93c1ce76-494c-4f01-8167-35edfb52f7b1": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 206, + "rule_name": "Encoded Executable Stored in the Registry", + "sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851", + "type": "eql", + "version": 107 + }, "8.11": { "max_allowable_version": 308, "rule_name": "Encoded Executable Stored in the Registry", "sha256": "f95c49826eef33b30e01391a89c37ed1375e8b0a6057adbe2925f8e4f9d7f4c4", "type": "eql", "version": 209 - }, - "8.9": { - "max_allowable_version": 206, - "rule_name": "Encoded Executable Stored in the Registry", - "sha256": "d3a171c7ed51757d8f3f02d63a51e5a37f3a6d639b0766a24c42f22c01c87851", - "type": "eql", - "version": 107 } }, "rule_name": "Encoded Executable Stored in the Registry", @@ -4846,16 +4734,6 @@ "version": 111 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 204, - "rule_name": "Attempt to Create Okta API Token", - "sha256": "14b3f9e9b5e605ca66fa3d7115e312ba72ced80772e0d51928496be9202b6353", - "type": "query", - "version": 105 - } - }, "rule_name": "Attempt to Create Okta API Token", "sha256": "00e7844e7b50556df54dd1a80585ef3b0d6e18949813883d66e9467cd40a90f9", "type": "query", @@ -4892,7 +4770,6 @@ "version": 104 }, "97697a52-4a76-4f0a-aa4f-25c178aae6eb": { - "min_stack_version": "8.10", "rule_name": "File System Debugger Launched Inside a Privileged Container", "sha256": "8b70f35aa7a70d475832890edfe725b921a6d72b0a57011af9fb02e3d81525b9", "type": "eql", 
@@ -4905,16 +4782,6 @@ "version": 206 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 206, - "rule_name": "Potential Abuse of Repeated MFA Push Notifications", - "sha256": "c65175629b87978771837a807d4ff8b51d3ae081548603d49475754979b246b4", - "type": "eql", - "version": 107 - } - }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", "sha256": "b5fcc4e747c548c7f941007c4c619f12ac40c55649e2cb4c8fdf0cba578433ed", "type": "eql", @@ -4923,19 +4790,19 @@ "97aba1ef-6034-4bd3-8c1a-1e0996b27afa": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 209, + "rule_name": "Suspicious Zoom Child Process", + "sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976", + "type": "eql", + "version": 110 + }, "8.11": { "max_allowable_version": 311, "rule_name": "Suspicious Zoom Child Process", "sha256": "745bbfc9daf71b081b3cbc422438c9c11dd5c34eee59681b1a8ee21dea74b4a6", "type": "eql", "version": 212 - }, - "8.9": { - "max_allowable_version": 209, - "rule_name": "Suspicious Zoom Child Process", - "sha256": "5cefb7cdb856211a9d1070aa4ef9637c41633768b6b8b4d92c520b3d0544b976", - "type": "eql", - "version": 110 } }, "rule_name": "Suspicious Zoom Child Process", @@ -5192,7 +5059,6 @@ "version": 210 }, "a00681e3-9ed6-447c-ab2c-be648821c622": { - "min_stack_version": "8.9", "rule_name": "First Time Seen AWS Secret Value Accessed in Secrets Manager", "sha256": "0c2d0945e3f41272d93b2c57b804fd2de409098f64d87e59387ed6edc5f29da9", "type": "new_terms", @@ -5386,7 +5252,6 @@ "version": 102 }, "a8aaa49d-9834-462d-bf8f-b1255cebc004": { - "min_stack_version": "8.9", "rule_name": "Authentication via Unusual PAM Grantor", "sha256": "60aa85a93569474f9a1f9615a864f2472923f7f351a0f0a5e4770e668e072e3a", "type": "new_terms", 
@@ -5492,19 +5357,19 @@ "ac5012b8-8da8-440b-aaaf-aedafdea2dff": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 211, + "rule_name": "Suspicious WerFault Child Process", + "sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf", + "type": "eql", + "version": 112 + }, "8.11": { "max_allowable_version": 313, "rule_name": "Suspicious WerFault Child Process", "sha256": "624162b798c838d61c2764e0dfa953b896f800a9c5539ef5aee7051fb240ce10", "type": "eql", "version": 214 - }, - "8.9": { - "max_allowable_version": 211, - "rule_name": "Suspicious WerFault Child Process", - "sha256": "f629cc7dcdd6c44a3cfdd1ee14a69394676bb2d7612c1cf102e2378dc225e2bf", - "type": "eql", - "version": 112 } }, "rule_name": "Suspicious WerFault Child Process", @@ -5754,16 +5619,6 @@ "version": 3 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "c3fda77e2d67870f675065527fb363156e723e6bc1090d9bdda28d930d7f3d04", - "type": "query", - "version": 106 - } - }, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "614c1c668c20b47ea3131ada30c8e3553492804e1a59c5580715f70c757d07b6", "type": "query", @@ -5788,7 +5643,6 @@ "version": 111 }, "b605f262-f7dc-41b5-9ebc-06bafe7a83b6": { - "min_stack_version": "8.9", "rule_name": "Systemd Service Started by Unusual Parent Process", "sha256": "a074138b6a33a4b9b1a130c6f7b65c67cdb9876c041ca0b69884d42473c8b69b", "type": "new_terms", 
@@ -5825,16 +5679,6 @@ "version": 103 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "48e769c5aedb715bdbc0f990b68ced02323c1eef17b02595550b368f66a3c9c8", - "type": "query", - "version": 106 - } - }, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "6a65ec96ad5423adc711dfec4c404f2e552f894f68eaa80a1f242d64218bbdc6", "type": "query", @@ -5847,16 +5691,6 @@ "version": 3 }, "b8075894-0b62-46e5-977c-31275da34419": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 204, - "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "8d9fe19feb7f250c14755465615f7a3fb4f831e20ba19b6ba0eeec6637d056e3", - "type": "query", - "version": 105 - } - }, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "1177bae4785512b7c84e85287f4a1e6555c016a06a1a91407ee74cee2c622ae3", "type": "query", @@ -5877,19 +5711,19 @@ "b83a7e96-2eb3-4edf-8346-427b6858d3bd": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 207, + "rule_name": "Creation or Modification of Domain Backup DPAPI private key", + "sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93", + "type": "eql", + "version": 108 + }, "8.11": { "max_allowable_version": 309, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", "sha256": "45e53a796c682966471bda3cced6a2f51648bd4fac591899b88b9b5111ee3d04", "type": "eql", "version": 210 - }, - "8.9": { - "max_allowable_version": 207, - "rule_name": "Creation or Modification of Domain Backup DPAPI private key", - "sha256": "e7c8ba3a35c054655d550038f664cb613343ad804cc463f1d4b90aa0a0d23d93", - "type": "eql", - "version": 108 } }, "rule_name": "Creation or Modification of Domain Backup DPAPI private key", 
@@ -5906,19 +5740,19 @@ "b8f8da2d-a9dc-48c0-90e4-955c0aa1259a": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 104, + "rule_name": "Kirbi File Creation", + "sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f", + "type": "eql", + "version": 5 + }, "8.11": { "max_allowable_version": 206, "rule_name": "Kirbi File Creation", "sha256": "52733bb7e64cb9cd415a8e7906dafb89ab3d959b851c1ad8b6afd29cfc6eae22", "type": "eql", "version": 107 - }, - "8.9": { - "max_allowable_version": 104, - "rule_name": "Kirbi File Creation", - "sha256": "d4daec4cc60bd33718968bd73ffc21fabf7d837ae866f7a7fcabf5d7d039655f", - "type": "eql", - "version": 5 } }, "rule_name": "Kirbi File Creation", @@ -6180,7 +6014,6 @@ "version": 206 }, "c1e79a70-fa6f-11ee-8bc8-f661ea17fbce": { - "min_stack_version": "8.9", "rule_name": "Attempt to Retrieve User Data from AWS EC2 Instance", "sha256": "e91c1937b74003d85688ec403aaac6adde3afedc30ff608772e3b3f8346e2bdc", "type": "query", @@ -6232,19 +6065,19 @@ "c3b915e0-22f3-4bf7-991d-b643513c722f": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 206, + "rule_name": "Persistence via BITS Job Notify Cmdline", + "sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156", + "type": "eql", + "version": 107 + }, "8.11": { "max_allowable_version": 308, "rule_name": "Persistence via BITS Job Notify Cmdline", "sha256": "9739d6cb844a334bc159de23e8d565d195f79368a52e93838ee883fa2049ec87", "type": "eql", "version": 209 - }, - "8.9": { - "max_allowable_version": 206, - "rule_name": "Persistence via BITS Job Notify Cmdline", - "sha256": "54084b270ff6d62016cb72d63b981f4db5bac2d188dd59aa5079986bd918e156", - "type": "eql", - "version": 107 } }, "rule_name": "Persistence via BITS Job Notify Cmdline", 
@@ -6337,32 +6170,12 @@ "version": 100 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "fdb6f5c18f3893647e63e19723c1ad7c3f352be39e233b1273d08b6cd09edd5a", - "type": "query", - "version": 106 - } - }, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "32aa247af72d8bfb3ed85d34d5c359b595a21f5b5ef6703aec68875147b2110f", "type": "query", "version": 206 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 204, - "rule_name": "Attempt to Modify an Okta Application", - "sha256": "d467d49b83c884e4c1d43dc2f0e1dc879ceda77762f45968124a97e4fbacd2b0", - "type": "query", - "version": 105 - } - }, "rule_name": "Attempt to Modify an Okta Application", "sha256": "d9ce411d12a9dcd03a68e93eedabd0fc200c743908746faf634ade8744ff7f32", "type": "query", @@ -6541,16 +6354,6 @@ "version": 104 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 206, - "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "ed2062f991db0a0dce267846fe8363883628421221166f8246b4924828f02999", - "type": "query", - "version": 107 - } - }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "b478201ba15dcd2c82b79fa58c4c175e917d642653a86009ecf389042156d85c", "type": "query", 
@@ -6563,16 +6366,6 @@ "version": 105 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "32c09cb649d10eb0d58645624f6534db9c40073e42552b0381f5b414e9c58bb6", - "type": "query", - "version": 106 - } - }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "06745b57fd263169ae59b2d860b840a6deb4a911da424fa9267827a54e77c61f", "type": "query", @@ -6603,32 +6396,12 @@ "version": 2 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Attempt to Deactivate MFA for an Okta User Account", - "sha256": "173487533fb84ffd2bbd8598bf0ac4f518f295cc6715c381743a3fe6d0f14ec7", - "type": "query", - "version": 106 - } - }, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "68ad2d14c4876759c36eb2916aee5dc6a93ce9aba5183bea4fde222d94ad4fa5", "type": "eql", "version": 207 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 206, - "rule_name": "Okta User Session Impersonation", - "sha256": "36a5fb5b929045a84f302c057459e3b5e6eb50cb409fc5a9edf6cdcd47f30ee5", - "type": "query", - "version": 107 - } - }, "rule_name": "Okta User Session Impersonation", "sha256": "0a3253294eddbc09d843b81fe8f461f26e5b01e8456dc88dbce7c79923ff93b7", "type": "query", @@ -6637,7 +6410,7 @@ "cde1bafa-9f01-4f43-a872-605b678968b0": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 110, "rule_name": "Potential PowerShell HackTool Script by Function Names", "sha256": "e4ac68b4b9ff58cc55eedd8f6d7ef11a2ddc48c4f339955ad2f2ecf0e531e8aa", 
@@ -6783,16 +6556,6 @@ "version": 107 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 204, - "rule_name": "Attempt to Delete an Okta Application", - "sha256": "ec2d2014d13ce312c51e80554c30af695049e703918b7f1b19da53f58154d6f7", - "type": "query", - "version": 105 - } - }, "rule_name": "Attempt to Delete an Okta Application", "sha256": "ed729064054fe9156b2909c7970d2e38aa98c9ee0337d7f86e1ad0d8f28300c6", "type": "query", @@ -6842,16 +6605,6 @@ "version": 106 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "ef00abb177343a787a119303eaa0cb71aef503d40d309b2699d05fe0178157a6", - "type": "query", - "version": 106 - } - }, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "537f87bddcb81e9ba189e215fbb67e630dc5362f718cb3d8e57f843bd129033a", "type": "query", @@ -7184,16 +6937,6 @@ "version": 6 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 206, - "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "8e33c2c08ab3335a16db298608f1b8b793646a2abf1362acb2c0f316433293d0", - "type": "threshold", - "version": 108 - } - }, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "19b34876e0825396f2b8927609d08f7ba1b4401e0db2baf6f757df3fc826c18e", "type": "threshold", @@ -7256,7 +6999,7 @@ "e26f042e-c590-4e82-8e05-41e81bd822ad": { "min_stack_version": "8.12", "previous": { - "8.9": { + "8.10": { "max_allowable_version": 211, "rule_name": "Suspicious .NET Reflection via PowerShell", "sha256": "a85be96f9a8185ce72aee9271706a90a0667bc9dc8340ec37a74fc874c3ba6d9", 
@@ -7343,16 +7086,6 @@ "version": 2 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "5f65ddaac1e8431e60917074c8cb8ead43d51ca2475c63ef74c89e0b558c3456", - "type": "query", - "version": 106 - } - }, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "6d57260382880fab2e20021bd0235b13974bf1bde3fcdb2fe4b85484ea80f4c6", "type": "query", @@ -7395,16 +7128,6 @@ "version": 107 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 204, - "rule_name": "Possible Okta DoS Attack", - "sha256": "0068f7eda335ee0ee3e6452f9a91166dd50e098862de1791f4e6b6bd0ff4a391", - "type": "query", - "version": 105 - } - }, "rule_name": "Possible Okta DoS Attack", "sha256": "065c5e51d3541a24ee401d4b9da8787e8fb858c1e89938d7f7fa8daf46e7199e", "type": "query", @@ -7489,7 +7212,6 @@ "version": 7 }, "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce": { - "min_stack_version": "8.9", "rule_name": "AWS S3 Bucket Policy Added to Share with External Account", "sha256": "5b1937ed0f1a2ea8d8b793ad31baa79ae277d949a84917d1c7a94395daa4a29b", "type": "eql", @@ -7502,16 +7224,6 @@ "version": 105 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 206, - "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "36586610b72fd3df43dda1d0bfca8e2b7a439cde98a6b85da439993e98b9978d", - "type": "threshold", - "version": 108 - } - }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "6634f9bec3320679b3bd0b35bff114eac9820ee185c7345ca2d15e8cd1d53bce", "type": "threshold", 
@@ -7622,19 +7334,19 @@ "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 208, + "rule_name": "Mimikatz Memssp Log File Detected", + "sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98", + "type": "eql", + "version": 109 + }, "8.11": { "max_allowable_version": 310, "rule_name": "Mimikatz Memssp Log File Detected", "sha256": "91956d073fa6d286f31807a9450036536a930c0aaa7838a91e4ce882353f6140", "type": "eql", "version": 211 - }, - "8.9": { - "max_allowable_version": 208, - "rule_name": "Mimikatz Memssp Log File Detected", - "sha256": "1fe569e32abbc334bce0864e3ec5b30c47d3531f6d884186b2b40c52c0230f98", - "type": "eql", - "version": 109 } }, "rule_name": "Mimikatz Memssp Log File Detected", @@ -7691,16 +7403,6 @@ "version": 112 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 205, - "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "561500f4153a16fe94b06be9237be4ba8933a3192116af5ef57bdb83da24f973", - "type": "query", - "version": 106 - } - }, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "6015ee3b4d4c29fbd1e06ca5bb2947716089acffc92c07d1e1ef36a3aace0a7c", "type": "query", @@ -7719,16 +7421,6 @@ "version": 5 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 102, - "rule_name": "Okta FastPass Phishing Detection", - "sha256": "ec087af423a304d3b2f85af7926ba24f67f6207424c00d258a6e350a6721c932", - "type": "query", - "version": 3 - } - }, "rule_name": "Okta FastPass Phishing Detection", "sha256": "7957913d2c6870b3555352c9d5fff8bfa7ff001d9caf6ea1db026023c46d044c", "type": "query", 
@@ -7801,16 +7493,6 @@ "version": 107 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 204, - "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "333aec880e8bd1653cea01f896e3df2e136839275bf1cffd71197ec4068129ba", - "type": "query", - "version": 105 - } - }, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "129a8d5f0cd2075e7fe6a38059a5ddcd26d18f1d6b9d8b93950bf60863671395", "type": "query", @@ -8137,16 +7819,6 @@ "version": 9 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { - "min_stack_version": "8.10", - "previous": { - "8.9": { - "max_allowable_version": 204, - "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "f35146f9e2f6aef85cb21013ab2bc3039a0a449e1bf4ed3322496b0dbc449e06", - "type": "query", - "version": 105 - } - }, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "248121396e46c80ff9a64d88848fd372e40eef61b3d43d31e6ef56a70477f392", "type": "query", @@ -8173,19 +7845,19 @@ "fa488440-04cc-41d7-9279-539387bf2a17": { "min_stack_version": "8.13", "previous": { + "8.10": { + "max_allowable_version": 108, + "rule_name": "Suspicious Antimalware Scan Interface DLL", + "sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642", + "type": "eql", + "version": 9 + }, "8.11": { "max_allowable_version": 210, "rule_name": "Suspicious Antimalware Scan Interface DLL", "sha256": "f58df538eeccfc02fa924db986802d071a12e0f586a6d6af10a2da58c19243cc", "type": "eql", "version": 111 - }, - "8.9": { - "max_allowable_version": 108, - "rule_name": "Suspicious Antimalware Scan Interface DLL", - "sha256": "edd75807f5ee2bac491abccd490d597eb1ee40098cfeac22e328318c76943642", - "type": "eql", - "version": 9 } }, "rule_name": "Suspicious Antimalware Scan Interface DLL", 
@@ -8254,7 +7926,6 @@ "version": 1 }, "fd332492-0bc6-11ef-b5be-f661ea17fbcc": { - "min_stack_version": "8.9", "rule_name": "AWS Systems Manager SecureString Parameter Request with Decryption Flag", "sha256": "100db09c2d29764aa7b946d7b316cc9a17183ce57593ca72f84d578faa490b68", "type": "new_terms", @@ -8345,14 +8016,12 @@ "version": 5 }, "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { - "min_stack_version": "8.9", "rule_name": "Cron Job Created or Modified", "sha256": "8b90331ba2cd07c2de41d17ca68bee336ea36c749c9c78f7dc5187704d786cc4", "type": "eql", "version": 11 }, "ff320c56-f8fa-11ee-8c44-f661ea17fbce": { - "min_stack_version": "8.9", "rule_name": "AWS S3 Bucket Expiration Lifecycle Configuration Added", "sha256": "f2663204a55cb4e897803fbc5d1f136637511d520fa0c559bf7234323858ab5e", "type": "query", diff --git a/docs/versioning.md b/docs/versioning.md index 120c88b70..3b6d212fe 100644 --- a/docs/versioning.md +++ b/docs/versioning.md @@ -4,22 +4,22 @@ This document provides detailed information about the different versions that ar ## Current Version -The current version of prebuilt detection rules is `v8.14`. +The current version of prebuilt detection rules is `v8.15`. ## Previous Versions Released The following version(s) are released along with the current version. +- `v8.14` - `v8.13` - `v8.12` -- `v8.11` ### Previous Versions Maintained The following version(s) are maintained along with the current version. +- `v8.11` - `v8.10` -- `v8.9` ## End of Life Policy diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml index 0d26d2a0a..6ef420d4e 100644 --- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml +++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml 
@@ -2,20 +2,18 @@ creation_date = "2020/07/06" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/05/21" +updated_date = "2024/07/23" [rule] author = ["Nick Jones", "Elastic"] description = """ An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service may attempt to leverage the compromised service to access secrets in AWS Secrets Manager. This rule looks for the first time -a specific user identity has programmatically retrieved a secret value from Secrets Manager using the -`GetSecretValue` or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2 -instances are setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets -Manager. An adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other -service would rely on the compromised service's IAM role to access the secrets in Secrets Manager. +a specific user identity has programmatically retrieved a secret value from Secrets Manager using the `GetSecretValue` +or `BatchGetSecretValue` actions. This rule assumes that AWS services such as Lambda functions and EC2 instances are +setup with IAM role's assigned that have the necessary permissions to access the secrets in Secrets Manager. An +adversary with access to a compromised AWS service such as an EC2 instance, Lambda function, or other service would rely +on the compromised service's IAM role to access the secrets in Secrets Manager. """ false_positives = [ """ diff --git a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml index 6a461c5fd..f549188c2 100644 
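Review bot: The re-flowed `description` on the `+` lines carries over two wording errors that should be fixed while the text is being rewritten anyway: `IAM role's assigned` is a stray possessive, and `are setup with` uses the noun where the verb is needed. The two affected lines should read `… This rule assumes that AWS services such as Lambda functions and EC2 instances are` / `set up with IAM roles assigned that have the necessary permissions to access the secrets in Secrets Manager. An`. Everything else in the string is an unchanged re-wrap, and the dropped `min_stack_version = "8.9.0"` matches the 8.9 end-of-life recorded in docs/versioning.md in this same diff, so no further change is needed in this hunk.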
--- a/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
+++ b/rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/04/11"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/05/06"
+updated_date = "2024/07/23"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +73,7 @@ references = [
 "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
 "https://detectioninthe.cloud/ttps/credential_access/access_secret_in_secrets_manager/",
 "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-secrets-manager-enum",
- "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html"
+ "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_BatchGetSecretValue.html",
 ]
 risk_score = 47
 rule_id = "185c782e-f86a-11ee-9d9f-f661ea17fbce"
diff --git a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
index 49991c235..b77b7bdd9 100644
--- a/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
+++ b/rules/integrations/aws/credential_access_retrieve_secure_string_parameters_via_ssm.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/04/12"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/06/03"
+updated_date = "2024/07/23"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +28,6 @@ language = "kuery" license = "Elastic License v2" name = "AWS Systems Manager SecureString Parameter Request with Decryption Flag" note = """ - ## Triage and Analysis ### Investigating AWS Systems Manager SecureString Parameter Request with Decryption Flag diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml b/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml index 2a418c92b..00d6eb47d 100644 --- a/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml +++ b/rules/integrations/aws/defense_evasion_s3_bucket_lifecycle_expiration_added.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/12" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/05/09" +updated_date = "2024/07/23" [rule] author = ["Elastic"] @@ -29,7 +27,6 @@ language = "kuery" license = "Elastic License v2" name = "AWS S3 Bucket Expiration Lifecycle Configuration Added" note = """ - ## Triage and Analysis ### Investigating AWS S3 Bucket Expiration Lifecycle Configuration Added diff --git a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml index 68e331cd8..305ae622f 100644 --- a/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml +++ b/rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/16" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/05/28" +updated_date = "2024/07/23" [rule] author = ["Elastic"] 
@@ -27,8 +25,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "Insecure AWS EC2 VPC Security Group Ingress Rule Added" -note = """ -## Triage and Analysis +note = """## Triage and Analysis ### Investigating Insecure AWS EC2 VPC Security Group Ingress Rule Added diff --git a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml index bb931db93..edd6adb37 100644 --- a/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml +++ b/rules/integrations/aws/execution_lambda_external_layer_added_to_function.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/05/28" +updated_date = "2024/07/23" [rule] author = ["Elastic"] @@ -21,7 +19,6 @@ language = "kuery" license = "Elastic License v2" name = "AWS Lambda Layer Added to Existing Function" note = """ - ## Triage and Analysis ### Investigating AWS Lambda Layer Added to Existing Function @@ -61,7 +58,7 @@ For further guidance on managing Lambda functions and securing AWS environments, references = [ "https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-lambda-persistence/aws-lambda-layers-persistence", "https://docs.aws.amazon.com/lambda/latest/api/API_PublishLayerVersion.html", - "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html" + "https://docs.aws.amazon.com/lambda/latest/api/API_UpdateFunctionConfiguration.html", ] risk_score = 21 rule_id = "7d091a76-0737-11ef-8469-f661ea17fbcc" diff --git a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml index de6ffb8f6..814222060 100644 
--- a/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml +++ b/rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/17" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/05/29" +updated_date = "2024/07/23" [rule] author = ["Elastic"] @@ -25,7 +23,6 @@ language = "eql" license = "Elastic License v2" name = "AWS S3 Bucket Policy Added to Share with External Account" note = """ - ## Triage and Analysis ### Investigating AWS S3 Bucket Policy Change to Share with External Account @@ -65,7 +62,6 @@ references = [ risk_score = 47 rule_id = "e8c9ff14-fd1e-11ee-a0df-f661ea17fbce" setup = """ - ## Setup S3 data event types must be collected in the AWS CloudTrail logs. Please refer to [AWS documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html) for more information. @@ -103,3 +99,4 @@ reference = "https://attack.mitre.org/techniques/T1537/" id = "TA0010" name = "Exfiltration" reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml b/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml index b78ef5fb5..a32e91109 100644 --- a/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml +++ b/rules/integrations/aws/lateral_movement_aws_ssm_start_session_to_ec2_instance.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/16" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/05/14" +updated_date = "2024/07/23" [rule] author = ["Elastic"] 
diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml index de2c9e7b1..1d800bd68 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml +++ b/rules/integrations/aws/persistence_iam_roles_anywhere_profile_created.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/06/03" +updated_date = "2024/07/23" [rule] author = ["Elastic"] @@ -28,7 +26,6 @@ language = "kuery" license = "Elastic License v2" name = "AWS IAM Roles Anywhere Profile Creation" note = """ - ## Triage and Analysis ### Investigating AWS IAM Roles Anywhere Profile Creation @@ -68,7 +65,7 @@ references = [ "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html", "https://docs.datadoghq.com/security/default_rules/cloudtrail-aws-iam-roles-anywhere-trust-anchor-created/", "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/", - "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html" + "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateProfile.html", ] risk_score = 21 rule_id = "1d4ca9c0-ff1e-11ee-91cc-f661ea17fbce" diff --git a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml index 4b861a95d..d55e1007a 100644 --- a/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml +++ b/rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml 
@@ -2,9 +2,7 @@ creation_date = "2024/04/20" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/06/03" +updated_date = "2024/07/23" [rule] author = ["Elastic"] @@ -29,7 +27,6 @@ language = "kuery" license = "Elastic License v2" name = "AWS IAM Roles Anywhere Trust Anchor Created with External CA" note = """ - ## Triage and Analysis ### Investigating AWS IAM Roles Anywhere Trust Anchor Created with External CA @@ -68,7 +65,7 @@ For further guidance on managing IAM Roles Anywhere and securing AWS environment references = [ "https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html", "https://ermetic.com/blog/aws/keep-your-iam-users-close-keep-your-third-parties-even-closer-part-1/", - "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html" + "https://docs.aws.amazon.com/rolesanywhere/latest/APIReference/API_CreateTrustAnchor.html", ] risk_score = 47 rule_id = "71de53ea-ff3b-11ee-b572-f661ea17fbce" diff --git a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml index bcb5afe62..7bc76bfde 100644 --- a/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml +++ b/rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/05/28" +updated_date = "2024/07/23" [rule] author = ["Elastic"] 
@@ -14,17 +12,14 @@ the `AddPermission` API call with the `Principal` set to `*` which allows any AW Adversaries may abuse this permission to create a backdoor in the Lambda function that allows them to execute arbitrary code. """ -false_positives = [ - "Lambda function owners may legitimately update the function policy to allow public invocation.", -] +false_positives = ["Lambda function owners may legitimately update the function policy to allow public invocation."] from = "now-60m" index = ["filebeat-*", "logs-aws.cloudtrail-*"] interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS Lambda Function Policy Updated to Allow Public Invocation" -note = """ -## Triage and Analysis +note = """## Triage and Analysis ### Investigating AWS Lambda Function Policy Updated to Allow Public Invocation diff --git a/rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml b/rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml index 192f021e8..1e152b855 100644 --- a/rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml +++ b/rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml @@ -2,9 +2,7 @@ creation_date = "2024/04/30" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/06/03" +updated_date = "2024/07/23" [rule] author = ["Elastic"] @@ -20,8 +18,7 @@ index = ["filebeat-*", "logs-aws.cloudtrail-*"] language = "kuery" license = "Elastic License v2" name = "AWS EC2 Instance Connect SSH Public Key Uploaded" -note = """ -## Triage and Analysis +note = """## Triage and Analysis ### Investigating AWS EC2 Instance Connect SSH Public Key Uploaded 
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml index a829a60fe..a9ae9733a 100644 --- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml +++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml @@ -2,9 +2,7 @@ creation_date = "2021/05/17" integration = ["aws"] maturity = "production" -min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" -min_stack_version = "8.9.0" -updated_date = "2024/05/21" +updated_date = "2024/07/23" [rule] author = ["Austin Songer"] diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml index 4a2eb5c70..ac452d698 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing.toml @@ -2,9 +2,7 @@ creation_date = "2023/09/22" integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" -min_stack_comments = "Beaconing package updates and support" -min_stack_version = "8.10.1" -updated_date = "2024/06/10" +updated_date = "2024/07/23" [rule] author = ["Elastic"] @@ -18,6 +16,13 @@ index = ["ml_beaconing.all"] language = "kuery" license = "Elastic License v2" name = "Statistical Model Detected C2 Beaconing Activity" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/beaconing", + "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic", +] +risk_score = 21 +rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6" setup = """## Setup The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. 
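Review bot: Dropping `min_stack_version = "8.10.1"` in command_and_control_beaconing.toml (and the identical pin in command_and_control_beaconing_high_confidence.toml below) replaces a patch-level floor with the repository default, and docs/versioning.md in this diff names the oldest maintained stack as `8.10`, which is not the same thing as 8.10.1. The removed `min_stack_comments` said the pin existed for "Beaconing package updates and support", so if 8.10.0 is still a build target the rule would now ship to a stack release the comment says lacked that support; presumably the version lock only tracks minor versions and this is moot, but that is inferred, not shown here. If the patch-level requirement still matters, keep `min_stack_version = "8.10.1"` together with its comment; if it does not, a one-line note in the PR description that 8.10.x is treated as a single target would save the next reader this check.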
@@ -37,17 +42,10 @@ The Network Beaconing Identification integration consists of a statistical frame
 - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
 - Follow the instructions under the **Installation** section.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/beaconing",
- "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
-]
-risk_score = 21
-rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6"
 severity = "low"
 tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
-type = "query"
 timestamp_override = "event.ingested"
+type = "query"
 query = '''
 beacon_stats.is_beaconing: true and
diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
index d14ed4e45..51d871428 100644
--- a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
+++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/09/22"
 integration = ["beaconing", "endpoint", "network_traffic"]
 maturity = "production"
-min_stack_comments = "Beaconing package updates and support"
-min_stack_version = "8.10.1"
-updated_date = "2024/01/05"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
@@ -18,6 +16,13 @@ index = ["ml_beaconing.all"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Statistical Model Detected C2 Beaconing Activity with High Confidence"
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/beaconing",
+ "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
+]
+risk_score = 21
+rule_id = "0ab319ef-92b8-4c7f-989b-5de93c852e93"
 setup = """## Setup
 The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations.
@@ -37,17 +42,10 @@ The Network Beaconing Identification integration consists of a statistical frame
 - In the query bar, search for Network Beaconing Identification and select the integration to see more details about it.
 - Follow the instructions under the **Installation** section.
 """
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/beaconing",
- "https://www.elastic.co/security-labs/identifying-beaconing-malware-using-elastic",
-]
-risk_score = 21
-rule_id = "0ab319ef-92b8-4c7f-989b-5de93c852e93"
 severity = "low"
 tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"]
-type = "query"
 timestamp_override = "event.ingested"
+type = "query"
 query = '''
 beacon_stats.beaconing_score: 3
diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
index 4cf8e6fd7..84a94f11e 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-min_stack_comments = "New field added to ecs : container.security_context.privileged"
-min_stack_version = "8.10.0"
-updated_date = "2024/01/05"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
index b31bbb7fb..b8ce04a31 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
+++ b/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
 maturity = "production"
-min_stack_comments = "New field added to ecs : container.security_context.privileged"
-min_stack_version = "8.10.0"
-updated_date = "2024/01/05"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index ea7727195..9c8bc89db 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 41faf63df..784415774 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2024/01/05"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -64,8 +62,8 @@ risk_score = 47
 rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49"
 severity = "medium"
 tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
-type = "threshold"
 timestamp_override = "event.ingested"
+type = "threshold"
 query = '''
 event.dataset:okta.system and event.action:user.account.lock
diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
index a37c44ed5..97acf978e 100644
--- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
+++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/10"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/12/05"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
@@ -91,21 +89,22 @@ framework = "MITRE ATT&CK"
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
- [[rule.threat.technique.subtechnique]]
- id = "T1110.003"
- name = "Password Spraying"
- reference = "https://attack.mitre.org/techniques/T1110/003/"
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.004"
+name = "Credential Stuffing"
+reference = "https://attack.mitre.org/techniques/T1110/004/"
+
- [[rule.threat.technique.subtechnique]]
- id = "T1110.004"
- name = "Credential Stuffing"
- reference = "https://attack.mitre.org/techniques/T1110/004/"
 [rule.threat.tactic]
 id = "TA0006"
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index 90a04039a..028c53515 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2024/01/05"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
@@ -64,8 +62,8 @@ risk_score = 47
 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
 severity = "medium"
 tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
-type = "threshold"
 timestamp_override = "event.ingested"
+type = "threshold"
 query = '''
 event.dataset:okta.system and event.category:authentication and event.outcome:failure
diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
index cb94c0ab0..4928a9685 100644
--- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/11/27"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
index 99463df31..3805fbaab 100644
--- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/11/27"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index 2fd57af1d..ad52a9a46 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/03/22"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index 856ad4b93..ce7bba717 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
@@ -64,7 +62,12 @@ references = [
 risk_score = 47
 rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index 81e9923cb..46ef83fbb 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
@@ -64,7 +62,12 @@ references = [
 risk_score = 47
 rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index 299402106..acd680fa6 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index b8808bd73..36613952a 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index 3eacae43c..cce0b1165 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/28"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index a4d1686a6..ed5c99bdb 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index 46d6272fc..59904f601 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
@@ -70,7 +68,12 @@ references = [
 risk_score = 47
 rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Use Case: Network Security Monitoring",
+ "Tactic: Defense Evasion",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index 396b1a511..c41eaf5ac 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index ed6f28598..aaa03a77d 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 4155e2adb..81b03d599 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2024/01/05"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -54,7 +52,6 @@ This rule is designed to detect a suspiciously high number of password reset or
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
-
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
@@ -64,8 +61,8 @@ risk_score = 47
 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
 severity = "medium"
 tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"]
-type = "threshold"
 timestamp_override = "event.ingested"
+type = "threshold"
 query = '''
 event.dataset:okta.system and
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index d8a9dbacb..4206790ee 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
@@ -50,7 +48,6 @@ The rule alerts when attempts are made to revoke an Okta API token. The API toke
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
-
 references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index e50772963..bb616b52b 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
@@ -22,8 +20,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Deactivate an Okta Application"
-note = """
-## Triage and analysis
+note = """## Triage and analysis
 ### Investigating Attempt to Deactivate an Okta Application
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index f7a58cf61..491434bdc 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index c1d8d4462..54eebeb0a 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 50fbb993e..df11b192b 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
index 40fc9df68..c43477fdb 100644
--- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
+++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/11/07"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
index 72f8d4059..7cf72503b 100644
--- a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
+++ b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/11/07"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
@@ -56,15 +54,13 @@ references = [
 risk_score = 47
 rule_id = "260486ee-7d98-11ee-9599-f661ea17fbcd"
 severity = "medium"
-tags = [
- "Use Case: Identity and Access Audit",
- "Tactic: Initial Access",
- "Data Source: Okta",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"]
 timestamp_override = "event.ingested"
 type = "query"
-query = '''event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*'''
+query = '''
+event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*
+'''
 [[rule.threat]]
diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
index e67cf18bd..054c5ca07 100644
--- a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
+++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
@@ -2,16 +2,11 @@
 creation_date = "2023/05/07"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/11/07"
+updated_date = "2024/07/23"
 [rule]
 author = ["Austin Songer"]
-description = """
-Detects when Okta FastPass prevents a user from authenticating to a phishing website.
-"""
-
+description = "Detects when Okta FastPass prevents a user from authenticating to a phishing website.\n"
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
@@ -28,7 +23,7 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://sec.okta.com/fastpassphishingdetection",
- "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 ]
 risk_score = 47
 rule_id = "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e"
@@ -55,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1566/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index 1065307a1..cca876385 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
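Review bot: `description` in initial_access_okta_fastpass_phishing.toml is now a single-line basic string that ends in an explicit `\n`, so the value still carries a trailing newline that the old triple-quoted form only had as a layout artefact. The other descriptions visible in this diff keep the multi-line `"""` form, so this one reads as a formatter quirk rather than intent, and the escape is easy to miss on review. Unless the consumer relies on that trailing newline, `description = "Detects when Okta FastPass prevents a user from authenticating to a phishing website."` is the cleaner form; otherwise keep the `"""` block for consistency with the rest of the rule set.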
@@ -2,9 +2,7 @@
 creation_date = "2021/05/14"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
index 179c342c0..a752278a6 100644
--- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
+++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integ ration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/11/06"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 0edfa5597..d029b99e5 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
index bd2b55415..31391fa33 100644
--- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
@@ -2,22 +2,19 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/11/07"
-
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
 description = """
-Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.
+Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may
+indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a
+different location.
 """
-false_positives = [
- "A user may have multiple sessions open at the same time, such as on a mobile device and a laptop.",
-]
+false_positives = ["A user may have multiple sessions open at the same time, such as on a mobile device and a laptop."]
 from = "now-30m"
-interval = "60m"
 index = ["filebeat-*", "logs-okta*"]
+interval = "60m"
 language = "kuery"
 license = "Elastic License v2"
 name = "Multiple Okta Sessions Detected for a Single User"
@@ -28,7 +25,7 @@ references = [
 "https://developer.okta.com/docs/reference/api/system-log/",
 "https://developer.okta.com/docs/reference/api/event-types/",
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
- "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
+ "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 ]
 risk_score = 47
 rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd"
@@ -36,24 +33,26 @@ severity = "medium"
 tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement"]
 timestamp_override = "event.ingested"
 type = "threshold"
+
 query = '''
 event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*
- and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
+ and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1550"
 name = "Use Alternate Authentication Material"
 reference = "https://attack.mitre.org/techniques/T1550/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1550.004"
 name = "Web Session Cookie"
 reference = "https://attack.mitre.org/techniques/T1550/004/"
+
+
 [rule.threat.tactic]
 id = "TA0008"
 name = "Lateral Movement"
@@ -62,8 +61,8 @@ reference = "https://attack.mitre.org/tactics/TA0008/"
 [rule.threshold]
 field = ["okta.actor.id"]
 value = 1
-
 [[rule.threshold.cardinality]]
 field = "okta.authentication_context.external_session_id"
 value = 3
+
diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
index 007370eca..163765359 100644
--- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
+++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
@@ -2,10 +2,8 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
 promotion = true
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 3d6cc61ca..41a42b3ea 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index e43376c7a..509a3b9c5 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index e4747856d..21dae60ef 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index e80120621..ba2223c67 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
index ef170cd0c..edbca91a4 100644
--- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
+++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/12/16"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
index 512118891..4192b2904 100644
--- a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
+++ b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
@@ -2,14 +2,13 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/11/06"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
 description = """
-Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.
+Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within
+Okta.
 """
 from = "now-30m"
 index = ["filebeat-*", "logs-okta*"]
@@ -55,7 +54,6 @@ references = [
 "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
 "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
 "https://unit42.paloaltonetworks.com/muddled-libra/",
-
 ]
 risk_score = 47
 rule_id = "29b53942-7cd4-11ee-b70e-f661ea17fbcd"
@@ -68,20 +66,22 @@ query = '''
 event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS"
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1556.007"
 name = "Hybrid Identity"
 reference = "https://attack.mitre.org/techniques/T1556/007/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
-reference = "https://attack.mitre.org/tactics/TA0003/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index 393117f63..b751ae40e 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/01"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/10/24"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
index 542cf5ae6..a4901c38e 100644
--- a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
+++ b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/09"
 integration = ["endpoint", "okta"]
 maturity = "production"
-min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
-min_stack_version = "8.10.0"
-updated_date = "2023/11/10"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
index 056dc2937..7a2ef3b84 100644
--- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
+++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/06/14"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/07/18"
+updated_date = "2024/07/23"
 [transform]
 [[transform.osquery]]
@@ -36,10 +34,10 @@ query = "SELECT name, cmdline, parent, path, uid FROM processes"
 author = ["Elastic"]
 description = """
 This rule monitors for network connectivity to the internet from a previously unknown executable located in a suspicious
-directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution
-of unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such
-as a command and control server. Detecting and investigating such behavior can help identify and mitigate potential
-security threats, protecting the system and its data from potential compromise.
+directory. An alert from this rule can indicate the presence of potentially malicious activity, such as the execution of
+unauthorized or suspicious processes attempting to establish connections to unknown or suspicious destinations such as a
+command and control server. Detecting and investigating such behavior can help identify and mitigate potential security
+threats, protecting the system and its data from potential compromise.
 """
 from = "now-59m"
 index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*", "endgame-*"]
@@ -202,14 +200,15 @@ not destination.ip:(
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1071"
 name = "Application Layer Protocol"
 reference = "https://attack.mitre.org/techniques/T1071/"
+
 [rule.threat.tactic]
 id = "TA0011"
 name = "Command and Control"
@@ -218,7 +217,8 @@ reference = "https://attack.mitre.org/tactics/TA0011/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.executable"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-20d"
+
+
diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml
index bd76cff86..456ee5921 100644
--- a/rules/linux/persistence_cron_job_creation.toml
+++ b/rules/linux/persistence_cron_job_creation.toml
@@ -2,22 +2,20 @@
 creation_date = "2023/06/09"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/07/18"
+updated_date = "2024/07/23"
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve File Listing Information"
 query = """
-SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE
-'/etc/cron.hourly/%' OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE
-'/etc/cron.monthly/%' OR path LIKE '/var/spool/cron/crontabs/%')
+SELECT * FROM file WHERE (path LIKE '/etc/cron.allow.d/%' OR path LIKE '/etc/cron.d/%' OR path LIKE '/etc/cron.hourly/%'
+OR path LIKE '/etc/cron.daily/%' OR path LIKE '/etc/cron.weekly/%' OR path LIKE '/etc/cron.monthly/%' OR path LIKE
+'/var/spool/cron/crontabs/%')
 """
 [[transform.osquery]]
 label = "Osquery - Retrieve Cron File Information"
-query = """
-SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')
-"""
+query = "SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\n"
 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
@@ -50,6 +48,7 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
 label = "Osquery - Investigate the Account Authentication Status"
 query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
+
 [rule]
 author = ["Elastic"]
 description = """
@@ -176,6 +175,7 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "eql"
+
 query = '''
 file where host.os.type == "linux" and
 event.action in ("rename", "creation") and file.path : (
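Review bot: The converted line `+query = "SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')\n"` keeps a trailing `\n` escape that is only a leftover of the old `"""` form (whose value ended with the newline before the closing quotes), so the string value is unchanged but the escape is now the sole trailing newline among this file's single-line osquery entries; compare `query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"` in the next hunk, which has none. For consistency the escape should go: `query = "SELECT * FROM file WHERE (path = '/etc/cron.allow' OR path = '/etc/cron.deny' OR path = '/etc/crontab')"`. If this file is regenerated by a formatter, as the bulk rewrap in this commit suggests, the adjustment belongs in its multi-line-to-single-line conversion rather than in the rule file, otherwise it will reappear on the next run.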
@@ -207,56 +207,56 @@ event.action in ("rename", "creation") and file.path : (
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1053.003"
 name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1053.003"
 name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1053"
 name = "Scheduled Task/Job"
 reference = "https://attack.mitre.org/techniques/T1053/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1053.003"
 name = "Cron"
 reference = "https://attack.mitre.org/techniques/T1053/003/"
+
+
 [rule.threat.tactic]
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/linux/persistence_systemd_service_started.toml b/rules/linux/persistence_systemd_service_started.toml
index ed5a45ca2..505f5f00c 100644
--- a/rules/linux/persistence_systemd_service_started.toml
+++ b/rules/linux/persistence_systemd_service_started.toml
@@ -2,46 +2,25 @@
 creation_date = "2024/05/17"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
-min_stack_version = "8.4.0"
-updated_date = "2024/05/17"
+updated_date = "2024/07/23"
 [transform]
 [[transform.osquery]]
 label = "Osquery - Retrieve File Listing Information"
 query = """
-SELECT * FROM file WHERE (
-path LIKE '/etc/systemd/system/%' OR
-path LIKE '/usr/local/lib/systemd/system/%' OR
-path LIKE '/lib/systemd/system/%' OR
-path LIKE '/usr/lib/systemd/system/%' OR
-path LIKE '/home/user/.config/systemd/user/%'
-)
+SELECT * FROM file WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE '/usr/local/lib/systemd/system/%' OR path LIKE
+'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/user/.config/systemd/user/%' )
 """
 [[transform.osquery]]
 label = "Osquery - Retrieve Additional File Listing Information"
 query = """
-SELECT
- f.path,
- u.username AS file_owner,
- g.groupname AS group_owner,
- datetime(f.atime, 'unixepoch') AS file_last_access_time,
- datetime(f.mtime, 'unixepoch') AS file_last_modified_time,
- datetime(f.ctime, 'unixepoch') AS file_last_status_change_time,
- datetime(f.btime, 'unixepoch') AS file_created_time,
- f.size AS size_bytes
-FROM
- file f
- LEFT JOIN users u ON f.uid = u.uid
- LEFT JOIN groups g ON f.gid = g.gid
-WHERE (
-path LIKE '/etc/systemd/system/%' OR
-path LIKE '/usr/local/lib/systemd/system/%' OR
-path LIKE '/lib/systemd/system/%' OR
-path LIKE '/usr/lib/systemd/system/%' OR
-path LIKE '/home/{{user.name}}/.config/systemd/user/%'
-)
+SELECT f.path, u.username AS file_owner, g.groupname AS group_owner, datetime(f.atime, 'unixepoch') AS
+file_last_access_time, datetime(f.mtime, 'unixepoch') AS file_last_modified_time, datetime(f.ctime, 'unixepoch') AS
+file_last_status_change_time, datetime(f.btime, 'unixepoch') AS file_created_time, f.size AS size_bytes FROM file f LEFT
+JOIN users u ON f.uid = u.uid LEFT JOIN groups g ON f.gid = g.gid WHERE ( path LIKE '/etc/systemd/system/%' OR path LIKE
+'/usr/local/lib/systemd/system/%' OR path LIKE '/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path
+LIKE '/home/{{user.name}}/.config/systemd/user/%' )
 """
 [[transform.osquery]]
@@ -68,10 +47,11 @@ query = "SELECT * FROM users WHERE username = {{user.name}}"
 label = "Osquery - Investigate the Account Authentication Status"
 query = "SELECT * FROM logged_in_users WHERE user = {{user.name}}"
+
 [rule]
 author = ["Elastic"]
 description = """
-Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious
+Systemctl is a process used in Linux systems to manage systemd processes through service configuration files. Malicious
 actors can leverage systemd services to achieve persistence by creating or modifying service files to execute malicious
 commands or payloads during system startup. This allows them to maintain unauthorized access, execute additional
 malicious activities, or evade detection.
@@ -154,7 +134,7 @@ This rule monitors the execution of the systemctl binary to start, enable or ree
 """
 references = [
 "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage",
- "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/"
+ "https://pberba.github.io/security/2022/01/30/linux-threat-hunting-for-persistence-systemd-timers-cron/",
 ]
 risk_score = 47
 rule_id = "b605f262-f7dc-41b5-9ebc-06bafe7a83b6"
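Review bot: The rewrapped "Osquery - Retrieve File Listing Information" query still matches a literal home directory, `path LIKE '/home/user/.config/systemd/user/%'`, while the query that follows it in the same hunk uses `'/home/{{user.name}}/.config/systemd/user/%'` for the same location; the literal looks like a placeholder that was never replaced, so unless a host actually has an account named `user` that clause lists nothing and the per-user unit directory is silently missing from the first query's results. The commit only rewraps the line, so the mismatch carries over to the new side. The fix is to make the clause use the same placeholder as the second query: `'/lib/systemd/system/%' OR path LIKE '/usr/lib/systemd/system/%' OR path LIKE '/home/{{user.name}}/.config/systemd/user/%' )`, assuming the placeholder is substituted the same way for both osquery entries. The two description and references hunks in this file are wording and punctuation only.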
@@ -185,15 +165,16 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast
 """
 severity = "medium"
 tags = [
- "Domain: Endpoint",
- "OS: Linux",
- "Use Case: Threat Detection",
- "Tactic: Persistence",
- "Tactic: Privilege Escalation",
- "Data Source: Elastic Defend"
- ]
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Defend",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
+
 query = '''
 host.os.type:linux and event.category:process and event.type:start and event.action:exec and
 process.executable:/usr/bin/systemctl and process.args:(enable or reenable or start) and
@@ -212,37 +193,37 @@ not (
 )
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
+
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
-
 [[rule.threat.technique.subtechnique]]
 id = "T1543.002"
 name = "Systemd Service"
 reference = "https://attack.mitre.org/techniques/T1543/002/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
@@ -251,7 +232,8 @@ reference = "https://attack.mitre.org/tactics/TA0004/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["process.parent.executable"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-7d"
+
+
diff --git a/rules/linux/persistence_unusual_pam_grantor.toml b/rules/linux/persistence_unusual_pam_grantor.toml
index 94635f5bf..2fee0dc96 100644
--- a/rules/linux/persistence_unusual_pam_grantor.toml
+++ b/rules/linux/persistence_unusual_pam_grantor.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/03/06"
 integration = ["auditd_manager"]
 maturity = "production"
-min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
-min_stack_version = "8.6.0"
-updated_date = "2024/03/06"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
@@ -43,32 +41,33 @@ tags = [
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"
+
 query = '''
 event.category:authentication and host.os.type:linux and event.action:authenticated and event.outcome:success and auditd.data.grantors:(* and not (pam_rootok or *pam_cap* or *pam_permit*))
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1543"
 name = "Create or Modify System Process"
 reference = "https://attack.mitre.org/techniques/T1543/"
+
 [rule.threat.tactic]
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-
 [[rule.threat.technique]]
 id = "T1556"
 name = "Modify Authentication Process"
 reference = "https://attack.mitre.org/techniques/T1556/"
+
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
@@ -77,7 +76,8 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.new_terms]
 field = "new_terms_fields"
 value = ["auditd.data.grantors", "agent.id"]
-
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
+
+
diff --git a/rules_building_block/discovery_userdata_request_from_ec2_instance.toml b/rules_building_block/discovery_userdata_request_from_ec2_instance.toml
index b00fc3db0..86698b837 100644
--- a/rules_building_block/discovery_userdata_request_from_ec2_instance.toml
+++ b/rules_building_block/discovery_userdata_request_from_ec2_instance.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/04/14"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "New fields added: required_fields, related_integrations, setup"
-min_stack_version = "8.9.0"
-updated_date = "2024/06/10"
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]
@@ -35,7 +33,7 @@ tags = [
 "Data Source: Amazon EC2",
 "Use Case: Log Auditing",
 "Tactic: Discovery",
- "Rule Type: BBR"
+ "Rule Type: BBR",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules_building_block/execution_aws_lambda_function_updated.toml b/rules_building_block/execution_aws_lambda_function_updated.toml
index 4e6bcfea4..134b5db50 100644
--- a/rules_building_block/execution_aws_lambda_function_updated.toml
+++ b/rules_building_block/execution_aws_lambda_function_updated.toml
@@ -1,11 +1,9 @@
 [metadata]
+bypass_bbr_timing = true
 creation_date = "2024/04/20"
 integration = ["aws"]
 maturity = "production"
-min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0"
-min_stack_version = "8.9.0"
-updated_date = "2024/04/20"
-bypass_bbr_timing = true
+updated_date = "2024/07/23"
 [rule]
 author = ["Elastic"]