[Rule tuning] Correct tags with associated threat mappings (#1003)

Justin Ibarra
2021-03-08 14:12:29 -09:00
committed by GitHub
parent 309edf7f4a
commit 0b65678d8c
33 changed files with 104 additions and 62 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/19"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-
risk_score = 47
rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Execution", "Persistence"]
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/27"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ references = [
risk_score = 47
rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Persistence"]
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/04"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office
risk_score = 47
rule_id = "66da12b1-ac83-40eb-814c-07ed1d82b7b9"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/13"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
risk_score = 47
rule_id = "e6c98d38-633d-4b3e-9387-42112cd5ac10"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Credential Access"]
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/01/11"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://www.xorrior.com/emond-persistence/"]
risk_score = 47
rule_id = "3e3d15c6-1509-479a-b125-21718372157e"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Persistence"]
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "eql"
@@ -30,7 +30,7 @@ severity = "critical"
tags = [
"Command and Control",
"Post-Execution",
"Threat Detection, Prevention and Hunting",
"Threat Detection",
"Elastic",
"Network",
]
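Review bot: The retained tag order in this array (`"Command and Control"`, `"Post-Execution"`, then `"Threat Detection"`, `"Elastic"`, `"Network"`) is the reverse of the convention every other rule section in this commit follows, where `"Elastic"` comes first, then the data source (`"Host"`/`"Network"`), then `"Threat Detection"`, and the tactic last. Since the commit is already touching this array to normalise the `"Threat Detection"` tag, reordering it to `"Elastic"`, `"Network"`, `"Threat Detection"`, `"Command and Control"`, `"Post-Execution"` would keep the file consistent with the rest of the rule set. `"Post-Execution"` is not a name that the sibling sections use as a tactic tag, so whether it should stay is worth confirming against this rule's `threat` mapping, which is outside the hunk.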
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/04"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-ba
risk_score = 47
rule_id = "45d273fb-1dca-457d-9855-bcb302180c21"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Exfiltration"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "MsBuild Making Network Connections"
risk_score = 47
rule_id = "0e79980b-4250-4a50-a509-69294c14e84b"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "development"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ references = ["https://www.fireeye.com/blog/threat-research/2017/05/cyber-espion
risk_score = 47
rule_id = "a4ec1382-4557-452b-89ba-e413b22ed4b8"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/03/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Network Connection via MsXsl"
risk_score = 21
rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Unusual Network Connection via RunDLL32"
risk_score = 47
rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Unusual Process Network Connection"
risk_score = 21
rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/15"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ references = [
risk_score = 47
rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Lateral Movement"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/19"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Suspicious Cmd Execution via WMI"
risk_score = 47
rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Suspicious PowerShell Engine ImageLoad"
risk_score = 47
rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Volume Shadow Copy Deletion via VssAdmin"
risk_score = 73
rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Windows Script Executing PowerShell"
risk_score = 21
rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/27"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Windows Script Interpreter Executing Process via WMI"
risk_score = 47
rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/03/04"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/03/08"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -26,7 +26,7 @@ references = [
risk_score = 47
rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/03/04"
maturity = "production"
updated_date = "2021/03/04"
updated_date = "2021/03/08"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -27,7 +27,7 @@ references = [
risk_score = 47
rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "eql"
@@ -22,7 +22,7 @@ references = [
risk_score = 73
rule_id = "f81ee52c-297e-46d9-9205-07e66931df26"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Suspicious MS Office Child Process"
risk_score = 47
rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Suspicious MS Outlook Child Process"
risk_score = 21
rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/16"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
risk_score = 73
rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/07/16"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
risk_score = 73
rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/29"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Suspicious Explorer Child Process"
risk_score = 47
rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Local Service Commands"
risk_score = 21
rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/16"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Remotely Started Services via RPC"
risk_score = 47
rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
type = "eql"
query = '''
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/12/18"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
risk_score = 73
rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Persistence"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
risk_score = 21
rule_id = "baa5d22c-5e1c-4f33-bfc9-efa73bb53022"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/13"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Unusual Service Host Child Process - Childless Service"
risk_score = 47
rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Privilege Escalation"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "development"
updated_date = "2021/03/03"
updated_date = "2021/03/08"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "WPAD Service Exploit"
risk_score = 73
rule_id = "ec328da1-d5df-482b-866c-4a435692b1f3"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
type = "eql"
query = '''
@@ -292,6 +292,48 @@ class TestRuleTags(BaseRuleTest):
if missing_required_tags or is_missing_any_tags:
self.fail(error_msg)
def test_primary_tactic_as_tag(self):
from detection_rules.attack import tactics
invalid = []
tactics = set(tactics)
for rule in self.rules:
rule_tags = rule.contents['tags']
if 'Continuous Monitoring' in rule_tags or rule.type == 'machine_learning':
continue
threat = rule.contents.get('threat')
if threat:
missing = []
threat_tactic_names = [e['tactic']['name'] for e in threat]
primary_tactic = threat_tactic_names[0]
if 'Threat Detection' not in rule_tags:
missing.append('Threat Detection')
# missing primary tactic
if primary_tactic not in rule.contents['tags']:
missing.append(primary_tactic)
# listed tactic that is not in threat mapping
tag_tactics = set(rule_tags).intersection(tactics)
missing_from_threat = list(tag_tactics.difference(threat_tactic_names))
if missing or missing_from_threat:
err_msg = self.rule_str(rule)
if missing:
err_msg += f'\n expected: {missing}'
if missing_from_threat:
err_msg += f'\n unexpected (or missing from threat mapping): {missing_from_threat}'
invalid.append(err_msg)
if invalid:
err_msg = '\n'.join(invalid)
self.fail(f'Rules with misaligned tags and tactics:\n{err_msg}')
class TestRuleTimelines(BaseRuleTest):
"""Test timelines in rules are valid."""