From 1c10c37468929ca3bb2a4cfd921b0896b4e03e70 Mon Sep 17 00:00:00 2001 
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Date: Wed, 17 Jan 2024 14:14:38 -0500 Subject: [PATCH] [Rule Tuning] Update `timestamp_override` Unit Tests and Fix Rules Missing Field (#3368) * updated timestamp override unit test; fixed rules missing this field * fixed flake error * simplified and consolidated logic * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson * Update tests/test_all_rules.py Co-authored-by: Mika Ayenson * added comments * updated logic; added comments; removed unused variables * removed custom python script * updated dates * removed deprecated rule change * updated dates --------- Co-authored-by: Mika Ayenson --- ...ilege_escalation_sudo_buffer_overflow.toml | 3 +- .../threat_intel_indicator_match_address.toml | 7 +- .../threat_intel_indicator_match_hash.toml | 7 +- ...threat_intel_indicator_match_registry.toml | 5 +- .../threat_intel_indicator_match_url.toml | 7 +- ...ccess_aws_iam_assume_role_brute_force.toml | 3 +- ...cess_root_console_failure_brute_force.toml | 3 +- .../command_and_control_beaconing.toml | 5 +- ...and_control_beaconing_high_confidence.toml | 5 +- ..._365_brute_force_user_account_attempt.toml | 3 +- ...65_potential_password_spraying_attack.toml | 3 +- ...ccess_user_excessive_sso_logon_errors.toml | 3 +- ...mpts_to_brute_force_okta_user_account.toml | 3 +- ...okta_brute_force_or_password_spraying.toml | 3 +- ...ser_password_reset_or_unlock_attempts.toml | 3 +- .../linux/impact_process_kill_threshold.toml | 3 +- ...rsistence_message_of_the_day_creation.toml | 7 +- .../linux/persistence_rc_script_creation.toml | 21 ++-- ...access_potential_macos_ssh_bruteforce.toml | 3 +- ...very_potential_network_sweep_detected.toml | 6 +- ...iscovery_potential_port_scan_detected.toml | 4 +- ...very_potential_syn_port_scan_detected.toml | 4 +- ..._access_endgame_cred_dumping_detected.toml | 3 +- ...access_endgame_cred_dumping_prevented.toml | 3 +- .../endgame_adversary_behavior_detected.toml | 3 +- 
.../promotions/endgame_malware_detected.toml | 3 +- .../promotions/endgame_malware_prevented.toml | 3 +- .../endgame_ransomware_detected.toml | 3 +- .../endgame_ransomware_prevented.toml | 3 +- .../execution_endgame_exploit_detected.toml | 3 +- .../execution_endgame_exploit_prevented.toml | 3 +- rules/promotions/external_alerts.toml | 2 +- ...on_endgame_cred_manipulation_detected.toml | 3 +- ...n_endgame_cred_manipulation_prevented.toml | 3 +- ...ion_endgame_permission_theft_detected.toml | 3 +- ...on_endgame_permission_theft_prevented.toml | 3 +- ...on_endgame_process_injection_detected.toml | 3 +- ...n_endgame_process_injection_prevented.toml | 3 +- ...impact_stop_process_service_threshold.toml | 3 +- ...n_linux_suspicious_clipboard_activity.toml | 11 ++- .../persistence_udev_rule_creation.toml | 7 +- tests/test_all_rules.py | 97 ++++--------------- 42 files changed, 132 insertions(+), 144 deletions(-) diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml index 086f187b7..bd3caf403 100644 --- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml +++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -35,6 +35,7 @@ rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8" severity = "high" tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability", "Data Source: Elastic Defend"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.category:process and event.type:start and 
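Review bot: Adding `timestamp_override = "event.ingested"` on the line after `type = "threshold"` in the second hunk changes which clock the threshold window is counted against, and neither the hunk nor the commit description says whether the existing thresholds and `from` windows were re-checked against ingest-time bucketing. The same one-line addition is made to the other threshold rules in this patch (AWS assume-role and root console, the three Microsoft 365 rules, the three Okta rules, Linux process kill, macOS SSH brute force, network sweep and port scan), so one sentence in the description would cover all of them. Documents that lack `event.ingested` fall back to `@timestamp` under Kibana's default override behaviour (unless fallback is disabled), so for rules tagged `Data Source: Elastic Endgame` and indexing `endgame-*` it is worth confirming those documents carry the field; a `min_stack_comments` entry such as `timestamp_override relies on event.ingested being set by the integration ingest pipeline; fallback to @timestamp otherwise` would record that assumption. The `[rule]` table and the query body continue outside the hunk.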
diff --git a/rules/cross-platform/threat_intel_indicator_match_address.toml b/rules/cross-platform/threat_intel_indicator_match_address.toml index 9a1a5953b..302d89610 100644 --- a/rules/cross-platform/threat_intel_indicator_match_address.toml +++ b/rules/cross-platform/threat_intel_indicator_match_address.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2023/10/19" +updated_date = "2024/01/17" min_stack_comments = """ Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules. @@ -49,7 +49,7 @@ note = """## Triage and Analysis ### Investigating Threat Intel IP Address Indicator Match -Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. 
@@ -62,7 +62,7 @@ This rule is triggered when an IP address indicator from the Threat Intel Filebe - Gain context about the field that matched the local observation so you can understand the nature of the connection. This information can be found in the `threat.indicator.matched.field` field. - Investigate the IP address, which can be found in the `threat.indicator.matched.atomic` field: - - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Execute a reverse DNS lookup to retrieve hostnames associated with the given IP address. - Assess whether this behavior is prevalent in the environment by looking for similar occurrences across hosts. - Identify the process responsible for the connection, and investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures. @@ -121,6 +121,7 @@ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" +timestamp_override = "event.ingested" type = "threat_match" threat_index = ["filebeat-*", "logs-ti_*"] diff --git a/rules/cross-platform/threat_intel_indicator_match_hash.toml b/rules/cross-platform/threat_intel_indicator_match_hash.toml index 7a407d297..3637f507e 100644 --- a/rules/cross-platform/threat_intel_indicator_match_hash.toml +++ b/rules/cross-platform/threat_intel_indicator_match_hash.toml 
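Review bot: In the last hunk `timestamp_override = "event.ingested"` is inserted before `type = "threat_match"`, whereas every other rule touched by this patch (the sudo, AWS, Okta and Linux files, for example) places it after the `type` line; the four threat-intel rules (address, hash, registry, url) all use the former layout. If the repo's rule normalisation emits keys in a fixed order this will presumably be rewritten on the next format pass, but emitting the field in one position now avoids carrying two layouts through review. The `[rule]` table continues outside the hunk, so the rest of the key order cannot be checked here.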
@@ -1,7 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2023/10/19" +updated_date = "2024/01/17" min_stack_comments = """ Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules. @@ -49,7 +49,7 @@ note = """## Triage and Analysis ### Investigating Threat Intel Hash Indicator Match -Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. @@ -120,6 +120,7 @@ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" +timestamp_override = "event.ingested" type = "threat_match" threat_index = ["filebeat-*", "logs-ti_*"] @@ -128,7 +129,7 @@ threat_language = "kuery" threat_query = ''' @timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and - (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and + (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:*) and not labels.is_ioc_transform_source:"true" ''' 
diff --git a/rules/cross-platform/threat_intel_indicator_match_registry.toml b/rules/cross-platform/threat_intel_indicator_match_registry.toml index 6ced44d9d..23147e297 100644 --- a/rules/cross-platform/threat_intel_indicator_match_registry.toml +++ b/rules/cross-platform/threat_intel_indicator_match_registry.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2023/10/19" +updated_date = "2024/01/17" min_stack_comments = """ Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules. @@ -49,7 +49,7 @@ note = """## Triage and Analysis ### Investigating Threat Intel Windows Registry Indicator Match -Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. @@ -115,6 +115,7 @@ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" +timestamp_override = "event.ingested" type = "threat_match" threat_index = ["filebeat-*", "logs-ti_*"] 
diff --git a/rules/cross-platform/threat_intel_indicator_match_url.toml b/rules/cross-platform/threat_intel_indicator_match_url.toml index 9fbb7f9ea..eea7e2b26 100644 --- a/rules/cross-platform/threat_intel_indicator_match_url.toml +++ b/rules/cross-platform/threat_intel_indicator_match_url.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2023/05/22" maturity = "production" -updated_date = "2023/10/19" +updated_date = "2024/01/17" min_stack_comments = """ Limiting the backport of these rules to the stack version which we are deprecating the Threat Intel Indicator Match general rules. @@ -49,7 +49,7 @@ note = """## Triage and Analysis ### Investigating Threat Intel URL Indicator Match -Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. +Threat Intel indicator match rules allow matching from a local observation, such as an endpoint event that records a file hash with an entry of a file hash stored within the Threat Intel integrations index. Matches are based on threat intelligence data that's been ingested during the last 30 days. Some integrations don't place expiration dates on their threat indicators, so we strongly recommend validating ingested threat indicators and reviewing match results. When reviewing match results, check associated activity to determine whether the event requires additional investigation. 
@@ -62,7 +62,7 @@ This rule is triggered when a URL indicator from the Threat Intel Filebeat modul - Investigate the URL, which can be found in the `threat.indicator.matched.atomic` field: - Identify the type of malicious activity related to the URL (phishing, malware, etc.). - - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. + - Check the reputation of the IP address in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc. - Execute a WHOIS lookup to retrieve information about the domain registration and contacts to report abuse. - If dealing with a phishing incident: - Contact the user to gain more information around the delivery method, information sent, etc. @@ -124,6 +124,7 @@ severity = "critical" tags = ["OS: Windows", "Data Source: Elastic Endgame", "Rule Type: Indicator Match"] timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e" timeline_title = "Generic Threat Match Timeline" +timestamp_override = "event.ingested" type = "threat_match" threat_index = ["filebeat-*", "logs-ti_*"] diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml index 10f3690f1..b3e6e7226 100644 --- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml +++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -79,6 +79,7 @@ tags = [ "Tactic: Credential Access" ] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:aws.cloudtrail and 
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml index 7b542798a..6b1afc4d2 100644 --- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml +++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "AWS integration breaking changes, bumping version to ^2.0.0" min_stack_version = "8.9.0" -updated_date = "2023/10/24" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -33,6 +33,7 @@ rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef" severity = "high" tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:aws.cloudtrail and event.provider:signin.amazonaws.com and event.action:ConsoleLogin and aws.cloudtrail.user_identity.type:Root and event.outcome:failure diff --git a/rules/integrations/beaconing/command_and_control_beaconing.toml b/rules/integrations/beaconing/command_and_control_beaconing.toml index 77f909dab..ad889812e 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing.toml @@ -4,7 +4,7 @@ integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" min_stack_comments = "Beaconing package updates and support" min_stack_version = "8.10.1" -updated_date = "2023/12/12" +updated_date = "2024/01/05" [rule] author = ["Elastic"] 
@@ -19,7 +19,7 @@ language = "kuery" license = "Elastic License v2" name = "Statistical Model Detected C2 Beaconing Activity" setup = """ -The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. +The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. ### Network Beaconing Identification Setup The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs. @@ -46,6 +46,7 @@ rule_id = "5397080f-34e5-449b-8e9c-4c8083d7ccc6" severity = "low" tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"] type = "query" +timestamp_override = "event.ingested" query = ''' beacon_stats.is_beaconing: true diff --git a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml index f43177776..54fa85862 100644 --- a/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml +++ b/rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml @@ -4,7 +4,7 @@ integration = ["beaconing", "endpoint", "network_traffic"] maturity = "production" min_stack_comments = "Beaconing package updates and support" min_stack_version = "8.10.1" -updated_date = "2023/12/12" +updated_date = "2024/01/05" [rule] author = ["Elastic"] 
@@ -19,7 +19,7 @@ language = "kuery" license = "Elastic License v2" name = "Statistical Model Detected C2 Beaconing Activity with High Confidence" setup = """ -The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. +The rule requires the Network Beaconing Identification integration assets to be installed, as well as network logs collected by the Elastic Defend or Network Packet Capture integrations. ### Network Beaconing Identification Setup The Network Beaconing Identification integration consists of a statistical framework to identify C2 beaconing activity in network logs. @@ -46,6 +46,7 @@ rule_id = "0ab319ef-92b8-4c7f-989b-5de93c852e93" severity = "low" tags = ["Domain: Network", "Use Case: C2 Beaconing Detection", "Tactic: Command and Control"] type = "query" +timestamp_override = "event.ingested" query = ''' beacon_stats.beaconing_score: 3 diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml index 46acb624e..af19258bd 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml +++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml @@ -4,7 +4,7 @@ integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" [rule] author = ["Elastic", "Willem D'Haese", "Austin Songer"] 
@@ -32,6 +32,7 @@ rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d" severity = "high" tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:o365.audit and event.provider:(AzureActiveDirectory or Exchange) and diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml index 5f06a52a8..cca4ae142 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml +++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml @@ -4,7 +4,7 @@ integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -32,6 +32,7 @@ rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d" severity = "high" tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml index cccd01522..58de8ee11 100644 --- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml +++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml 
@@ -4,7 +4,7 @@ integration = ["o365"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/05" [rule] author = ["Elastic", "Austin Songer"] @@ -31,6 +31,7 @@ rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0" severity = "high" tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:o365.audit and event.provider:AzureActiveDirectory and event.category:authentication and o365.audit.LogonError:"SsoArtifactInvalidOrExpired" diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index 0b0642aec..41faf63df 100644 --- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" min_stack_version = "8.10.0" -updated_date = "2023/10/24" +updated_date = "2024/01/05" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] @@ -65,6 +65,7 @@ rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49" severity = "medium" tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:okta.system and event.action:user.account.lock diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml index ea496f4e9..90a04039a 100644 
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml +++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" min_stack_version = "8.10.0" -updated_date = "2023/10/24" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -65,6 +65,7 @@ rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0" severity = "medium" tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:okta.system and event.category:authentication and event.outcome:failure diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 7d6940bf1..4155e2adb 100644 --- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0" min_stack_version = "8.10.0" -updated_date = "2023/10/24" +updated_date = "2024/01/05" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] @@ -65,6 +65,7 @@ rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457" severity = "medium" tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.dataset:okta.system and diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index e3ad173ea..f32b0bb0e 100644 
--- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/02" +updated_date = "2024/01/17" [rule] author = ["Elastic"] @@ -79,6 +79,7 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.category:process and host.os.type:linux and event.type:start and process.name:"pkill" and process.args:"-f" diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index 72aa46fd0..d4924d182 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/12/13" +updated_date = "2024/01/05" [transform] [[transform.osquery]] 
@@ -81,7 +81,7 @@ This rule identifies the creation of new files within the `/etc/update-motd.d/` - Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence and whether they are located in expected locations. - $osquery_3 - Investigate other alerts associated with the user/host during the past 48 hours. -- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. +- Investigate whether the modified scripts call other malicious scripts elsewhere on the file system. - If scripts or executables were dropped, retrieve the files and determine if they are malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities: @@ -158,8 +158,9 @@ tags = [ "Data Source: Elastic Defend" ] type = "new_terms" +timestamp_override = "event.ingested" query = ''' -host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and +host.os.type :"linux" and event.action:("creation" or "file_create_event" or "rename" or "file_rename_event") and file.path : (/etc/update-motd.d/* or /usr/lib/update-notifier/*) and not process.name : ( dpkg or dockerd or rpm or executor or dnf or podman or ln ) and not file.extension : ("swp" or "swpx") diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index e5cde1a54..5a7ba8700 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/11/02" +updated_date = "2024/01/05" [transform] [[transform.osquery]] 
@@ -29,9 +29,9 @@ description = """ This rule monitors the creation/alteration of the rc.local file by a previously unknown process executable through the use of the new terms rule type. The /etc/rc.local file is used to start custom applications, services, scripts or commands during start-up. The rc.local file has mostly been replaced by Systemd. -However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at -boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the -system. +However, through the "systemd-rc-local-generator", rc.local files can be converted to services that run at +boot. Adversaries may alter rc.local to execute malicious code at start-up, and gain persistence onto the +system. """ from = "now-9m" index = ["logs-endpoint.events.*", "endgame-*"] 
@@ -42,11 +42,11 @@ note = """## Triage and analysis ### Investigating Potential Persistence Through Run Control Detected -The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. +The `rc.local` file executes custom commands or scripts during system startup on Linux systems. `rc.local` has been deprecated in favor of the use of `systemd services`, and more recent Unix distributions no longer leverage this method of on-boot script execution. -There might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. +There might still be users that use `rc.local` in a benign matter, so investigation to see whether the file is malicious is vital. -Detection alerts from this rule indicate the creation of a new `/etc/rc.local` file. +Detection alerts from this rule indicate the creation of a new `/etc/rc.local` file. > **Note**: > This investigation guide uses the [Osquery Markdown Plugin](https://www.elastic.co/guide/en/security/master/invest-guide-run-osquery.html) introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide. 
@@ -66,7 +66,7 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f - If logs are found, it's likely that the contents of the `rc.local` file have been executed. Analyze the logs. In case several syslog log files are available, use a wildcard to search through all of the available logs. - Investigate other alerts associated with the user/host during the past 48 hours. - Validate whether this activity is related to planned patches, updates, network administrator activity, or legitimate software installations. -- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. +- Investigate whether the altered scripts call other malicious scripts elsewhere on the file system. - If scripts or executables were dropped, retrieve the files and determine if they are malicious: - Use a private sandboxed malware analysis system to perform analysis. - Observe and collect information about the following activities: @@ -80,7 +80,7 @@ Detection alerts from this rule indicate the creation of a new `/etc/rc.local` f ### False Positive Analysis - If this activity is related to new benign software installation activity, consider adding exceptions — preferably with a combination of user and command line conditions. -- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. +- If this activity is related to a system administrator who uses `rc.local` for administrative purposes, consider adding exceptions for this specific administrator user account. - Try to understand the context of the execution by thinking about the user, machine, or business purpose. A small number of endpoints, such as servers with unique software, might appear unusual but satisfy a specific business need. ### Response and remediation 
@@ -143,8 +143,9 @@ tags = [ "Data Source: Elastic Defend" ] type = "new_terms" +timestamp_override = "event.ingested" query = ''' -host.os.type : "linux" and event.category : "file" and +host.os.type : "linux" and event.category : "file" and event.type : ("change" or "file_modify_event" or "creation" or "file_create_event") and file.path : "/etc/rc.local" and not process.name : ( "dockerd" or "docker" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "dpkg" diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml index 5b4424132..dc0792866 100644 --- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml +++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/11/15" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -49,6 +49,7 @@ For more details on Elastic Defend refer to the [helper guide](https://www.elast severity = "medium" tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.category:process and host.os.type:macos and event.type:start and process.name:"sshd-keygen-wrapper" and process.parent.name:launchd diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml index 13acbd2c1..856e8943d 100644 --- a/rules/network/discovery_potential_network_sweep_detected.toml +++ b/rules/network/discovery_potential_network_sweep_detected.toml 
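Review bot: With `timestamp_override = "event.ingested"` the threshold in this rule is now counted over ingest-time buckets rather than event time, so an endpoint that reconnects and flushes a backlog of `sshd-keygen-wrapper` starts spanning hours of `@timestamp` can land in one rule interval and trip the threshold, while a genuine burst whose documents are ingested across two intervals can be split below it. That is the accepted trade-off for late-arriving data, but the rule's triage/false-positive text (outside this hunk) should state it, e.g. `Threshold counts are evaluated against event.ingested; a backlog flushed by a reconnecting agent may exceed the threshold within a single interval.` The threshold value and `from`/`interval` settings are outside this hunk, so whether the existing lookback already absorbs such a flush cannot be judged here.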
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/22" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -30,8 +30,10 @@ tags = ["Domain: Network", "Use Case: Network Security Monitoring" ] type = "threshold" +timestamp_override = "event.ingested" + query = ''' -destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and +destination.port : (21 or 22 or 23 or 25 or 139 or 445 or 3389 or 5985 or 5986) and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml index 9cea2f75d..fb8c8d856 100644 --- a/rules/network/discovery_potential_port_scan_detected.toml +++ b/rules/network/discovery_potential_port_scan_detected.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/22" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -31,6 +31,8 @@ tags = ["Domain: Network", "Use Case: Network Security Monitoring" ] type = "threshold" +timestamp_override = "event.ingested" + query = ''' destination.port : * and event.action : "network_flow" and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml index 32c1b0ec8..2ad59638e 100644 --- a/rules/network/discovery_potential_syn_port_scan_detected.toml +++ b/rules/network/discovery_potential_syn_port_scan_detected.toml 
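Review bot: The added `timestamp_override` line here is followed by an extra added blank line, which none of the other rules in this patch (macOS, promotions, windows) gain; drop the trailing `+` line so the three network rules keep the same `type` / `timestamp_override` / `query` layout as the rest of the repo. Separately, this rule is fed by the `network_traffic` integration, and the removed test text in this same patch records that non-agent (beats) indices do not populate `event.ingested`; with `min_stack_version = "8.3.0"` such documents fall back to `@timestamp`, but that presumably holds only while `timestamp_override_fallback_disabled` is left unset, so a one-line remark in the rule's setup text would spare the next maintainer the guess. The rule's `index` list is outside this hunk.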
@@ -4,7 +4,7 @@ integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/09/22" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -31,6 +31,8 @@ tags = ["Domain: Network", "Use Case: Network Security Monitoring" ] type = "threshold" +timestamp_override = "event.ingested" + query = ''' destination.port : * and network.packets <= 2 and source.ip : (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ''' diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml index 826c5f554..d852586df 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index 48fd7956d..b9fa06599 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml 
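Review bot: The previous test deliberately exempted rules whose `index` includes `endgame-*` from the `event.ingested` requirement (the removed `'endgame-*' in rule.contents.data.index` branch is visible in the test hunk of this patch), and this hunk now adds the override to exactly that class of promotion rule without recording why the exemption was dropped. If Endgame-forwarded alerts genuinely carry no `event.ingested`, this rule only fires through the `@timestamp` fallback that `min_stack_version = "8.3.0"` provides, which is workable but should be written down, e.g. in `min_stack_comments`: `timestamp_override relies on the @timestamp fallback for endgame-* documents without event.ingested`. The same remark applies to every other `rules/promotions/*endgame*` hunk in this patch.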
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:cred_theft_event or endgame.event_subtype_full:cred_theft_event) diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index 77ae1de81..bb6f24a70 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" severity = "medium" tags = ["Data Source: Elastic Endgame"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and (event.action:behavior_protection_event or endgame.event_subtype_full:behavior_protection_event) diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index c1e2de987..f0e30664f 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" severity = "critical" tags = ["Data Source: Elastic Endgame"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index 7ad01e47a..cf572bfff 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" severity = "high" tags = ["Data Source: Elastic Endgame"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:file_classification_event or endgame.event_subtype_full:file_classification_event) diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index 542dd465c..d3fbddb01 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" severity = "critical" tags = ["Data Source: Elastic Endgame"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index 5cebcd0a3..647d48bfd 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" severity = "high" tags = ["Data Source: Elastic Endgame"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:ransomware_event or endgame.event_subtype_full:ransomware_event) diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index 7cfac3f6f..bd0793465 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 23dea46f3..e830ee43d 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event) diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index 356e24da0..dc709e803 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/07/08" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index a574aad47..61bd18b6f 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index 5d7ac328d..45426c07a 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] 
@@ -24,6 +24,7 @@ rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_manipulation_event or endgame.event_subtype_full:token_manipulation_event) diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index a2710d4c7..aee92083b 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 81adad582..1671ec401 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:token_protection_event or endgame.event_subtype_full:token_protection_event) diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index f43c9db39..0e874f5bf 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "80c52164-c82a-402c-9964-852533d58be1" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:detection and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index 36e4e5ceb..cbfacfd1b 100644 
--- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2024/01/17" promotion = true [rule] @@ -24,6 +24,7 @@ rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" +timestamp_override = "event.ingested" query = ''' event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:kernel_shellcode_event or endgame.event_subtype_full:kernel_shellcode_event) diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index 31206e868..e93f192a9 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/19" +updated_date = "2024/01/17" [rule] author = ["Elastic"] @@ -54,6 +54,7 @@ rule_id = "035889c4-2686-4583-a7df-67f89c292f2c" severity = "medium" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] type = "threshold" +timestamp_override = "event.ingested" query = ''' event.category:process and host.os.type:windows and event.type:start and process.name:(net.exe or sc.exe or taskkill.exe) and 
diff --git a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml index 9d733b357..a6968d7c6 100644 --- a/rules_building_block/collection_linux_suspicious_clipboard_activity.toml +++ b/rules_building_block/collection_linux_suspicious_clipboard_activity.toml @@ -4,14 +4,14 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/07/27" +updated_date = "2024/01/05" [rule] author = ["Elastic"] description = """ -This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group -leader. Adversaries may collect data stored in the clipboard from users copying information within or between -applications. +This rule monitors for the usage of the most common clipboard utilities on unix systems by an uncommon process group +leader. Adversaries may collect data stored in the clipboard from users copying information within or between +applications. """ from = "now-119m" interval = "60m" @@ -24,9 +24,10 @@ rule_id = "884e87cc-c67b-4c90-a4ed-e1e24a940c82" severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Rule Type: BBR", "Data Source: Elastic Defend"] type = "new_terms" +timestamp_override = "event.ingested" building_block_type = "default" query = ''' -event.category:process and host.os.type:"linux" and event.action:"exec" and event.type:"start" and +event.category:process and host.os.type:"linux" and event.action:"exec" and event.type:"start" and process.name:("xclip" or "xsel" or "wl-clipboard" or "clipman" or "copyq") ''' diff --git a/rules_building_block/persistence_udev_rule_creation.toml b/rules_building_block/persistence_udev_rule_creation.toml index 1159c3cc5..9ef5c8a1b 100644 
--- a/rules_building_block/persistence_udev_rule_creation.toml +++ b/rules_building_block/persistence_udev_rule_creation.toml @@ -5,7 +5,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/10/26" +updated_date = "2024/01/05" [rule] author = ["Elastic"] @@ -60,9 +60,10 @@ tags = [ "Rule Type: BBR" ] type = "new_terms" +timestamp_override = "event.ingested" query = ''' -host.os.type:"linux" and event.category:"file" and -event.type:("change" or "file_modify_event" or "creation" or "file_create_event") and +host.os.type:"linux" and event.category:"file" and +event.type:("change" or "file_modify_event" or "creation" or "file_create_event") and file.path:/lib/udev/* and process.executable:* and not ( process.name:("dockerd" or "docker" or "dpkg" or "dnf" or "dnf-automatic" or "yum" or "rpm" or "systemd-hwdb" or "podman" or "buildah") or file.extension : ("swp" or "swpx") diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index b63d393f1..02b7d9fee 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py @@ -19,7 +19,6 @@ from semver import Version import kql from detection_rules import attack -from detection_rules.beats import parse_beats_from_index from detection_rules.integrations import (find_latest_compatible_version, load_integrations_manifests, load_integrations_schemas) 
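Review bot: The only path constraint in this query is `file.path:/lib/udev/*`, yet the usual locations for udev-rule persistence are `/etc/udev/rules.d/` and, on merged-/usr distributions where `/lib` is a symlink, `/usr/lib/udev/rules.d/`; whether the endpoint reports the resolved `/usr/lib/...` path or the symlinked one is not settled by this hunk, so the filter may miss both. If the rule is meant to live up to its filename (`persistence_udev_rule_creation`), widen it to `file.path:(/lib/udev/* or /usr/lib/udev/* or /etc/udev/rules.d/*)` and mention the covered directories in the description. The `timestamp_override` addition itself is consistent with the rest of the patch.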
@@ -955,88 +954,34 @@ class TestRuleTiming(BaseRuleTest): # kql: always require (fallback to @timestamp enabled) # eql: # sequences: never - # min_stack_version < 8.2: only where event.ingested defined (no beats) or add config to update pipeline # min_stack_version >= 8.2: any - fallback to @timestamp enabled https://github.com/elastic/kibana/pull/127989 - - errors = { - 'query': { - 'errors': [], - 'msg': 'should have the `timestamp_override` set to `event.ingested`' - }, - 'eql_sq': { - 'errors': [], - 'msg': 'cannot have the `timestamp_override` set to `event.ingested` because it uses a sequence' - }, - 'lt_82_eql': { - 'errors': [], - 'msg': 'should have the `timestamp_override` set to `event.ingested`' - }, - 'lt_82_eql_beats': { - 'errors': [], - 'msg': ('eql rules include beats indexes. Non-elastic-agent indexes do not add the `event.ingested` ' - 'field and there is no default fallback to @timestamp for EQL rules <8.2, so the override ' - 'should be removed or a config entry included to manually add it in a custom pipeline') - }, - 'gte_82_eql': { - 'errors': [], - 'msg': ('should have the `timestamp_override` set to `event.ingested` - default fallback to ' - '@timestamp was added in 8.2') - } - } - - pipeline_config = ('If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions ' - '<8.2, events will not define `event.ingested` and default fallback for EQL rules ' - 'was not added until 8.2, so you will need to add a custom pipeline to populate ' - '`event.ingested` to @timestamp for this rule to work.') + # if 'event.ingested' is missing, '@timestamp' will be default + errors = [] for rule in self.all_rules: - if rule.contents.data.type not in ('eql', 'query'): - continue - if rule.contents.metadata.get('integration'): - integrations = rule.contents.metadata.get('integration') - if not isinstance(integrations, list): - integrations = [integrations] - machine_learning_packages_lower = [pkg.lower() for pkg in 
definitions.MACHINE_LEARNING_PACKAGES] - if any(tag in machine_learning_packages_lower for tag in integrations): - continue - if isinstance(rule.contents.data, QueryRuleData) and 'endgame-*' in rule.contents.data.index: - continue + # skip rules that do not leverage queries (i.e. machine learning) + # filters to acceptable query languages in definitions.FilterLanguages + # QueryRuleData should inheritenly ignore machine learning rules + if isinstance(rule.contents.data, QueryRuleData): + rule_language = rule.contents.data.language + rule_integrations = rule.contents.metadata.get('integration') + if isinstance(rule_integrations, str): + rule_integrations = [rule_integrations] + rule_query = rule.contents.data.get('query') + has_event_ingested = rule.contents.data.get('timestamp_override') == 'event.ingested' + rule_str = self.rule_str(rule, trailer=None) - has_event_ingested = rule.contents.data.timestamp_override == 'event.ingested' - indexes = rule.contents.data.get('index', []) - beats_indexes = parse_beats_from_index(indexes) - min_stack_is_less_than_82 = Version.parse(rule.contents.metadata.min_stack_version or '7.13.0', - optional_minor_and_patch=True) < Version.parse("8.2.0") - config = rule.contents.data.get('note') or '' - rule_str = self.rule_str(rule, trailer=None) - - if rule.contents.data.type == 'query': if not has_event_ingested: - errors['query']['errors'].append(rule_str) - # eql rules depends - elif rule.contents.data.type == 'eql': - if rule.contents.data.is_sequence: - if has_event_ingested: - errors['eql_sq']['errors'].append(rule_str) - else: - if min_stack_is_less_than_82: - if not beats_indexes and not has_event_ingested: - errors['lt_82_eql']['errors'].append(rule_str) - elif beats_indexes and has_event_ingested and pipeline_config not in config: - errors['lt_82_eql_beats']['errors'].append(rule_str) + # TODO: determine if we expand this to ES|QL + # ignores any rule that does not use EQL or KQL queries specifically + # this does not avoid 
rule types where variants of KQL are used (e.g. new terms) + if rule_language not in ('eql', 'kuery') or "sequence" in rule_query: + continue else: - if not has_event_ingested: - errors['gte_82_eql']['errors'].append(rule_str) + errors.append(f'{rule_str} - rule must have `timestamp_override: event.ingested`') - if any([v['errors'] for k, v in errors.items()]): - err_strings = ['errors with `timestamp_override = "event.ingested"`'] - for _, errors_by_type in errors.items(): - type_errors = errors_by_type['errors'] - if not type_errors: - continue - err_strings.append(f'({len(type_errors)}) {errors_by_type["msg"]}') - err_strings.extend([f' - {e}' for e in type_errors]) - self.fail('\n'.join(err_strings)) + if errors: + self.fail('The following rules are invalid:\n' + '\n'.join(errors)) def test_required_lookback(self): """Ensure endpoint rules have the proper lookback time."""
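Review bot: The new `"sequence" in rule_query` guard is a plain substring test on the whole query text, so any EQL or KQL rule whose query merely contains the word `sequence` (in a string literal or field name) is silently exempted from the `timestamp_override` requirement, whereas the removed branch keyed on `rule.contents.data.is_sequence`; prefer the structured flag, e.g. `if rule_language not in ('eql', 'kuery') or getattr(rule.contents.data, 'is_sequence', False): continue`. `rule_query = rule.contents.data.get('query') or ''` would also keep the membership test from raising `TypeError` should a rule data class leave `query` unset, and `rule_integrations` is assigned and list-normalised but never read afterwards, so it belongs with the other unused variables this commit removes. The `else:` after the `continue` is redundant, and the comment's `inheritenly` should read `inherently`. The enclosing test method begins before this hunk, and its new comment that `@timestamp` is the default when `event.ingested` is missing presumably assumes `timestamp_override_fallback_disabled` is unset on every rule — worth stating in the comment.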