diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 566d3eb2c..94dabf82a 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index 85afaa38b..1cd8f9294 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index aa4f683af..481da84d7 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -40,7 +40,8 @@ NON_DATASET_PACKAGES = ['apm',
 'network_traffic',
 'system',
 'windows',
- 'sentinel_one_cloud_funnel']
+ 'sentinel_one_cloud_funnel',
+ 'ti_rapid7_threat_command']
 NON_PUBLIC_FIELDS = {
 "related_integrations": (Version.parse('8.3.0'), None),
 "required_fields": (Version.parse('8.3.0'), None),
diff --git a/rules/cross-platform/threat_intel_indicator_match_address.toml b/rules/threat_intel/threat_intel_indicator_match_address.toml
similarity index 99%
rename from rules/cross-platform/threat_intel_indicator_match_address.toml
rename to rules/threat_intel/threat_intel_indicator_match_address.toml
index 07ed6b5d0..6026f6f26 100644
--- a/rules/cross-platform/threat_intel_indicator_match_address.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_address.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/10"
 [transform]
 [[transform.osquery]]
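Review bot: The new `'ti_rapid7_threat_command'` entry in NON_DATASET_PACKAGES carries no explanation of why this package is exempt from the dataset-derived index-pattern check, and nothing else in the list says what qualifies a package either. The only visible reason is that the new rule in this commit reads `logs-ti_rapid7_threat_command_latest.ioc`, which looks like a `_latest` destination index rather than a `logs-<package>.<dataset>-*` data stream — presumably that is what makes the default pattern derivation wrong here, but a reader of definitions.py cannot tell. A one-line comment on the entry would keep the exemption from being copied blindly, e.g. `'ti_rapid7_threat_command',  # threat_match rules read the logs-ti_rapid7_threat_command_latest.ioc index, not a dataset stream`. Note that every rule tagged with this integration now skips the index-pattern check, not only the threat_match one added here, so the exemption is broader than the single rule it was added for.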
@@ -113,7 +113,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
 severity = "critical"
-tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/threat_intel/threat_intel_indicator_match_hash.toml
similarity index 99%
rename from rules/cross-platform/threat_intel_indicator_match_hash.toml
rename to rules/threat_intel/threat_intel_indicator_match_hash.toml
index 54bc25feb..236fb01db 100644
--- a/rules/cross-platform/threat_intel_indicator_match_hash.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_hash.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/10"
 [transform]
 [[transform.osquery]]
@@ -112,7 +112,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
 severity = "critical"
-tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
diff --git a/rules/cross-platform/threat_intel_indicator_match_registry.toml b/rules/threat_intel/threat_intel_indicator_match_registry.toml
similarity index 99%
rename from rules/cross-platform/threat_intel_indicator_match_registry.toml
rename to rules/threat_intel/threat_intel_indicator_match_registry.toml
index fee4820ef..5612c34e4 100644
--- a/rules/cross-platform/threat_intel_indicator_match_registry.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/10"
 [transform]
 [[transform.osquery]]
@@ -107,7 +107,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
 severity = "critical"
-tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/threat_intel/threat_intel_indicator_match_url.toml
similarity index 99%
rename from rules/cross-platform/threat_intel_indicator_match_url.toml
rename to rules/threat_intel/threat_intel_indicator_match_url.toml
index cba88abb5..1f829b8c2 100644
--- a/rules/cross-platform/threat_intel_indicator_match_url.toml
+++ b/rules/threat_intel/threat_intel_indicator_match_url.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2023/05/22"
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/06/10"
 [transform]
 [[transform.osquery]]
@@ -116,7 +116,7 @@ or a [custom integration](https://www.elastic.co/guide/en/security/current/es-th
 More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
 """
 severity = "critical"
-tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"]
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Threat Match"]
 threat_index = ["filebeat-*", "logs-ti_*"]
 threat_indicator_path = "threat.indicator"
 threat_language = "kuery"
diff --git a/rules/threat_intel/threat_intel_rapid7_threat_command.toml b/rules/threat_intel/threat_intel_rapid7_threat_command.toml
new file mode 100644
index 000000000..85a6d0d45
--- /dev/null
+++ b/rules/threat_intel/threat_intel_rapid7_threat_command.toml
@@ -0,0 +1,111 @@
+[metadata]
+creation_date = "2024/05/29"
+integration = ["ti_rapid7_threat_command"]
+maturity = "production"
+updated_date = "2024/06/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+This rule is triggered when CVEs collected from the Rapid7 Threat Command Integration have a match against
+vulnerabilities that were found in the customer environment.
+"""
+from = "now-35m"
+index = ["auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
+interval = "30m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 10000
+name = "Rapid7 Threat Command CVEs Correlation"
+note = """## Triage and Analysis
+
+### Investigating Rapid7 Threat Command CVEs Correlation
+
+Rapid7 Threat Command CVEs Correlation rule allows matching CVEs from user indices within the vulnerabilities collected from Rapid7 Threat Command integrations.
+
+The matches will be based on the latest values of CVEs from the last 180 days. So it's essential to validate the data and review the results by investigating the associated activity to determine if it requires further investigation.
+
+If a vulnerability matches a local observation, the following enriched fields will be generated to identify the vulnerability, field, and type matched.
+
+- `threat.indicator.matched.atomic` - this identifies the atomic vulnerability that matched the local observation
+- `threat.indicator.matched.field` - this identifies the vulnerability field that matched the local observation
+- `threat.indicator.matched.type` - this identifies the vulnerability type that matched the local observation
+
+Additional investigation can be done by reviewing the source of the activity and considering the history of the vulnerability that was matched. This can help understand if the activity is related to legitimate behavior.
+
+- Investigation can be validated and reviewed based on the data that was matched and by viewing the source of that activity.
+- Consider the history of the vulnerability that was matched. Has it happened before? Is it happening on multiple machines? These kinds of questions can help understand if the activity is related to legitimate behavior.
+- Consider the user and their role within the company: is this something related to their job or work function?
+"""
+references = [
+ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-threatintel.html",
+ "https://docs.elastic.co/integrations/ti_rapid7_threat_command"]
+risk_score = 99
+rule_id = "3a657da0-1df2-11ef-a327-f661ea17fbcc"
+setup = """
+
+## Setup
+
+This rule needs threat intelligence indicators to work.
+Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),
+the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),
+or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).
+
+More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).
+
+## Max Signals
+
+This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
+
+**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
+
+To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
+
+**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
+"""
+severity = "critical"
+tags = [
+ "OS: Windows",
+ "Data Source: Elastic Endgame",
+ "Data Source: Windows",
+ "Data Source: Network",
+ "Data Source: Rapid7 Threat Command",
+ "Rule Type: Threat Match",
+ "Resources: Investigation Guide",
+ "Use Case: Vulnerability",
+ "Use Case: Asset Visibility",
+ "Use Case: Continuous Monitoring",
+]
+threat_index = ["logs-ti_rapid7_threat_command_latest.ioc"]
+threat_indicator_path = "rapid7.tc.vulnerability"
+threat_language = "kuery"
+threat_query = """
+@timestamp >= "now-30d/d" and vulnerability.id : * and event.module: ti_rapid7_threat_command
+"""
+timestamp_override = "event.ingested"
+type = "threat_match"
+
+query = '''
+vulnerability.id : *
+'''
+
+
+[[rule.threat_filters]]
+
+[rule.threat_filters."$state"]
+store = "appState"
+[rule.threat_filters.meta]
+disabled = false
+key = "rapid7.tc.vulnerability.id"
+negate = true
+type = "exists"
+[rule.threat_filters.query.exists]
+field = "rapid7.tc.vulnerability.id"
+[[rule.threat_mapping]]
+
+[[rule.threat_mapping.entries]]
+field = "vulnerability.id"
+type = "mapping"
+value = "vulnerability.id"
+
+
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index ea3fc4e95..85994f02e 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -685,6 +685,8 @@ class TestRuleMetadata(BaseRuleTest): any(ri in [*map(str.lower, definitions.MACHINE_LEARNING_PACKAGES)] for ri in rule_integrations): continue
+ elif rule.contents.data.type == 'threat_match':
+ continue
 err_msg = f'{self.rule_str(rule)} {rule_integration} tag, index pattern missing.'
 failures.append(err_msg)
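Review bot: The source `index` list contains `logs-*`, which also covers the rule's own `threat_index` `logs-ti_rapid7_threat_command_latest.ioc`, and the source `query` is only `vulnerability.id : *`; the indicator documents therefore satisfy the source query themselves and, unless that index is excluded somewhere not visible here, every indicator can match against itself and inflate the 10000-signal budget with self-matches. Excluding the feed on the source side with `vulnerability.id : * and not event.module : ti_rapid7_threat_command` (the same field the `threat_query` keys on) would close that. The investigation note states "the latest values of CVEs from the last 180 days", but `threat_query` restricts the threat side to `@timestamp >= "now-30d/d"`, so one of the two is wrong and the note should match the query. The `[[rule.threat_filters]]` entry negates an `exists` on `rapid7.tc.vulnerability.id` while `threat_indicator_path` points at `rapid7.tc.vulnerability`, which reads as excluding exactly the documents the rule is meant to enrich from; if the feed really carries documents with and without that sub-field, a `#` comment above the filter saying which ones it drops and why would spare the next maintainer the same question.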