From 0993ced30910fd483a3248361680c262a3d604e1 Mon Sep 17 00:00:00 2001 
From: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Date: Fri, 14 Mar 2025 21:27:37 +0530
Subject: [PATCH] Deprecate Cloud Defend Rules (#4537)

---
 .../container_workload_protection.toml | 5 +++--
 ...redential_access_aws_creds_search_inside_a_container.toml | 5 +++--
 ...ction_sensitive_files_compression_inside_a_container.toml | 5 +++--
 ...ensitive_keys_or_passwords_search_inside_a_container.toml | 5 +++--
 ...ld_preload_shared_object_modified_inside_a_container.toml | 5 +++--
 ..._suspicious_network_tool_launched_inside_a_container.toml | 5 +++--
 ...tainer_management_binary_launched_inside_a_container.toml | 5 +++--
 ...on_file_made_executable_via_chmod_inside_a_container.toml | 5 +++--
 .../execution_interactive_exec_to_container.toml | 5 +++--
 ...on_interactive_shell_spawned_from_inside_a_container.toml | 5 +++--
 ...ution_netcat_listener_established_inside_a_container.toml | 5 +++--
 ...access_ssh_connection_established_inside_a_container.toml | 5 +++--
 ...ral_movement_ssh_process_launched_inside_a_container.toml | 5 +++--
 ..._ssh_authorized_keys_modification_inside_a_container.toml | 5 +++--
 ...ation_debugfs_launched_inside_a_privileged_container.toml | 5 +++--
 ...alation_mount_launched_inside_a_privileged_container.toml | 5 +++--
 ...container_escape_via_modified_notify_on_release_file.toml | 5 +++--
 ...ial_container_escape_via_modified_release_agent_file.toml | 5 +++--
 18 files changed, 54 insertions(+), 36 deletions(-)
 rename rules/{integrations/cloud_defend => _deprecated}/container_workload_protection.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/credential_access_aws_creds_search_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/credential_access_collection_sensitive_files_compression_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/discovery_suspicious_network_tool_launched_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/execution_container_management_binary_launched_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/execution_file_made_executable_via_chmod_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/execution_interactive_exec_to_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/execution_interactive_shell_spawned_from_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/execution_netcat_listener_established_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/initial_access_ssh_connection_established_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/lateral_movement_ssh_process_launched_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/persistence_ssh_authorized_keys_modification_inside_a_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/privilege_escalation_mount_launched_inside_a_privileged_container.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml (98%)
 rename rules/{integrations/cloud_defend => _deprecated}/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml (98%)
diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/_deprecated/container_workload_protection.toml
similarity index 98%
rename from rules/integrations/cloud_defend/container_workload_protection.toml
rename to rules/_deprecated/container_workload_protection.toml
index 9842cd1f1..4134229f4 100644
--- a/rules/integrations/cloud_defend/container_workload_protection.toml
+++ b/rules/_deprecated/container_workload_protection.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/04/05"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml b/rules/_deprecated/credential_access_aws_creds_search_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
rename to rules/_deprecated/credential_access_aws_creds_search_inside_a_container.toml
index 962719fc1..21401f34f 100644
--- a/rules/integrations/cloud_defend/credential_access_aws_creds_search_inside_a_container.toml
+++ b/rules/_deprecated/credential_access_aws_creds_search_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/06/28"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
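Review bot: The new `[metadata]` block records `maturity = "deprecated"` and a `deprecation_date`, but nothing in the hunk or the commit description says why this rule is being retired or what detection now covers the technique, and the same gap applies to all 18 Cloud Defend rules in this patch (including the container-escape, privileged-container and SSH-inside-container detections). Operators with these rules enabled will lose that coverage silently once deprecated rules drop out of their stack, so a pointer to the replacement integration or rule set belongs in the commit description, or as a TOML comment above the metadata such as `# Deprecated with the cloud_defend integration; see <replacement rule/integration> for equivalent coverage.` The `[rule]` body, including the query, continues outside the hunk, so I cannot tell whether a `note` field already carries this information.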
diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
rename to rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml
index ef3297e28..b1c5b9ccc 100644
--- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml
+++ b/rules/_deprecated/credential_access_collection_sensitive_files_compression_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/_deprecated/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
rename to rules/_deprecated/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
index 0a1a6b0d7..4f8121dee 100644
--- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
+++ b/rules/_deprecated/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml b/rules/_deprecated/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
rename to rules/_deprecated/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
index ee2373adf..f916b91ca 100644
--- a/rules/integrations/cloud_defend/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
+++ b/rules/_deprecated/defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/06/06"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
rename to rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
index ad44da93b..435b4ede4 100644
--- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml
+++ b/rules/_deprecated/discovery_suspicious_network_tool_launched_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/_deprecated/execution_container_management_binary_launched_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
rename to rules/_deprecated/execution_container_management_binary_launched_inside_a_container.toml
index 094241f2e..f336a5035 100644
--- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml
+++ b/rules/_deprecated/execution_container_management_binary_launched_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml
rename to rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
index 0488bbf50..685f3d5a9 100644
--- a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml
+++ b/rules/_deprecated/execution_file_made_executable_via_chmod_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/_deprecated/execution_interactive_exec_to_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml
rename to rules/_deprecated/execution_interactive_exec_to_container.toml
index 4e7a87074..be1efdbb7 100644
--- a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml
+++ b/rules/_deprecated/execution_interactive_exec_to_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
rename to rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
index cccb71f92..366a1ffa4 100644
--- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml
+++ b/rules/_deprecated/execution_interactive_shell_spawned_from_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
rename to rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
index 1f61a08ea..8f5c50191 100644
--- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml
+++ b/rules/_deprecated/execution_netcat_listener_established_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/04/26"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml
rename to rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml
index 5d303ab5e..230696c82 100644
--- a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml
+++ b/rules/_deprecated/initial_access_ssh_connection_established_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
rename to rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml
index d8c3752bb..3210bf3d3 100644
--- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml
+++ b/rules/_deprecated/lateral_movement_ssh_process_launched_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
rename to rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
index ca4f95312..d2dece5bd 100644
--- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml
+++ b/rules/_deprecated/persistence_ssh_authorized_keys_modification_inside_a_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/05/12"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml b/rules/_deprecated/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
rename to rules/_deprecated/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
index e55a42943..1dbc520ee 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
+++ b/rules/_deprecated/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml b/rules/_deprecated/privilege_escalation_mount_launched_inside_a_privileged_container.toml
similarity index 98%
rename from rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
rename to rules/_deprecated/privilege_escalation_mount_launched_inside_a_privileged_container.toml
index f63d30243..0d9d15a6d 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_mount_launched_inside_a_privileged_container.toml
+++ b/rules/_deprecated/privilege_escalation_mount_launched_inside_a_privileged_container.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml b/rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
similarity index 98%
rename from rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
rename to rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
index cf73f4b22..186c37714 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
+++ b/rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml b/rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
similarity index 98%
rename from rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
rename to rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
index 814ae4213..68c586dba 100644
--- a/rules/integrations/cloud_defend/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
+++ b/rules/_deprecated/privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml
@@ -1,8 +1,9 @@
 [metadata]
 creation_date = "2023/10/26"
 integration = ["cloud_defend"]
-maturity = "production"
-updated_date = "2025/02/06"
+deprecation_date = "2025/03/14"
+maturity = "deprecated"
+updated_date = "2025/03/14"
 
 [rule]
 author = ["Elastic"]