[FR] Add Integration Schema Query Validation (#2470)

2023-02-02 16:22:44 -05:00
parent cd2307ba7d
commit 1784429aa7
54 changed files with 559 additions and 166 deletions
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/09/01"
-integration = ["azure"]
+integration = ["azure", "o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ permissions to an application. An adversary may create an Azure-registered appli
 as contact information, email, or documents.
 """
 from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Possible Consent Grant Attack via Azure-Registered Application"
@@ -79,6 +79,7 @@ tags = [
    "Cloud",
    "Azure",
    "Continuous Monitoring",
+    "Microsoft 365",
    "SecOps",
    "Identity and Access",
    "Investigation Guide",
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/09/14"
+integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/28"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/09/14"
+integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/28"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,9 +1,10 @@
 [metadata]
 creation_date = "2022/09/14"
+integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/27"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2023/01/11"
-integration = ["windows"]
+integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.4.0"
-updated_date = "2023/01/11"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -28,8 +28,8 @@ timestamp_override = "event.ingested"
 type = "eql"

 query = '''
-process where event.action == "start" and process.name : "OUTLOOK.EXE"  and 
- process.Ext.effective_parent.name != null and 
+process where event.action == "start" and process.name : "OUTLOOK.EXE"  and
+ process.Ext.effective_parent.name != null and
 not process.Ext.effective_parent.executable : ("?:\\Program Files\\*", "?:\\Program Files (x86)\\*")
 '''

@@ -56,14 +56,14 @@ reference = "https://attack.mitre.org/tactics/TA0009/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"

-[[rule.threat.technique]] 
-id = "T1559" 
-name = "Inter-Process Communication" 
+[[rule.threat.technique]]
+id = "T1559"
+name = "Inter-Process Communication"
 reference = "https://attack.mitre.org/techniques/T1559/"

-[[rule.threat.technique.subtechnique]] 
+[[rule.threat.technique.subtechnique]]
 id = "T1559.001"
-name = "Component Object Model" 
+name = "Component Object Model"
 reference = "https://attack.mitre.org/techniques/T1559/001/"


@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/29"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/29"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/08/29"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/02/08"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/27"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/01/24"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/11/09"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2022/02/16"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2023/01/03"
+updated_date = "2023/02/01"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/03/01"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/31"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/30"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/01/27"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/01/26"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/27"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/02/22"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/02/16"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/12"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/10/15"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2023/01/18"
+updated_date = "2023/02/01"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/30"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/29"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["endpoint", "windows"]
+integration = ["endpoint", "system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/01/31"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/02/22"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/01/27"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/10/18"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/29"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/29"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/02/24"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2022/08/30"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/29"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/01/09"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic", "Skoetting"]
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2021/01/04"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "development"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Skoetting"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/08/30"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/11/09"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/11/08"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ note = """## Triage and analysis

 ### Investigating Scheduled Task Execution at Scale via GPO

-Group Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths: 
+Group Policy Objects (GPOs) can be used by attackers to instruct arbitrarily large groups of clients to execute specified commands at startup, logon, shutdown, and logoff. This is done by creating or modifying the `scripts.ini` or `psscripts.ini` files. The scripts are stored in the following paths:
  - `<GPOPath>\\Machine\\Scripts\\`
  - `<GPOPath>\\User\\Scripts\\`

@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/11/08"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/11/08"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/04/27"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/12/12"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/05/11"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2022/02/07"
-integration = ["windows"]
+integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/21"
+updated_date = "2023/02/01"

 [rule]
 author = ["Elastic"]