From 2065af89b193ec4a11129da73eef2faaa6717953 Mon Sep 17 00:00:00 2001 
From: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>
Date: Mon, 26 Oct 2020 13:50:45 -0500
Subject: [PATCH] [Rule Tuning] Tag Categorization Updates (#380)

* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
---
 rules/apm/apm_403_response_to_a_post.toml | 4 ++--
 rules/apm/apm_405_response_method_not_allowed.toml | 4 ++--
 rules/apm/apm_null_user_agent.toml | 4 ++--
 rules/apm/apm_sqlmap_user_agent.toml | 4 ++--
 .../aws/collection_cloudtrail_logging_created.toml | 4 ++--
 ...tial_access_aws_iam_assume_role_brute_force.toml | 4 ++--
 ...redential_access_iam_user_addition_to_group.toml | 4 ++--
 ...ial_access_root_console_failure_brute_force.toml | 5 +++--
 ...ential_access_secretsmanager_getsecretvalue.toml | 4 ++--
 .../defense_evasion_cloudtrail_logging_deleted.toml | 4 ++--
 ...efense_evasion_cloudtrail_logging_suspended.toml | 4 ++--
 .../defense_evasion_cloudwatch_alarm_deletion.toml | 4 ++--
 ...efense_evasion_config_service_rule_deletion.toml | 4 ++--
 ...ense_evasion_configuration_recorder_stopped.toml | 4 ++--
 .../aws/defense_evasion_ec2_flow_log_deletion.toml | 4 ++--
 .../defense_evasion_ec2_network_acl_deletion.toml | 4 ++--
 ...defense_evasion_guardduty_detector_deletion.toml | 4 ++--
 ...se_evasion_s3_bucket_configuration_deletion.toml | 4 ++--
 rules/aws/defense_evasion_waf_acl_deletion.toml | 4 ++--
 ...nse_evasion_waf_rule_or_rule_group_deletion.toml | 4 ++--
 rules/aws/execution_via_system_manager.toml | 4 ++--
 .../exfiltration_ec2_snapshot_change_activity.toml | 4 ++--
 rules/aws/impact_cloudtrail_logging_updated.toml | 4 ++--
 rules/aws/impact_cloudwatch_log_group_deletion.toml | 4 ++--
 .../aws/impact_cloudwatch_log_stream_deletion.toml | 4 ++--
 rules/aws/impact_ec2_disable_ebs_encryption.toml | 4 ++--
 rules/aws/impact_iam_deactivate_mfa_device.toml | 4 ++--
 rules/aws/impact_iam_group_deletion.toml | 4 ++--
 rules/aws/impact_rds_cluster_deletion.toml | 4 ++--
 rules/aws/impact_rds_instance_cluster_stoppage.toml | 4 ++--
 rules/aws/initial_access_console_login_root.toml | 4 ++--
 rules/aws/initial_access_password_recovery.toml | 4 ++--
 rules/aws/persistence_ec2_network_acl_creation.toml | 4 ++--
 rules/aws/persistence_iam_group_creation.toml | 4 ++--
 rules/aws/persistence_rds_cluster_creation.toml | 4 ++--
 ...privilege_escalation_root_login_without_mfa.toml | 4 ++--
 ...privilege_escalation_updateassumerolepolicy.toml | 4 ++--
 .../collection_update_event_hub_auth_rule.toml | 4 ++--
 .../azure/credential_access_key_vault_modified.toml | 4 ++--
 ...tial_access_storage_account_key_regenerated.toml | 4 ++--
 ..._evasion_azure_diagnostic_settings_deletion.toml | 4 ++--
 rules/azure/defense_evasion_event_hub_deletion.toml | 4 ++--
 .../defense_evasion_firewall_policy_deletion.toml | 4 ++--
 .../defense_evasion_network_watcher_deletion.toml | 4 ++--
 .../azure/discovery_blob_container_access_mod.toml | 4 ++--
 rules/azure/execution_command_virtual_machine.toml | 4 ++--
 .../impact_azure_automation_runbook_deleted.toml | 4 ++--
 rules/azure/impact_resource_group_deletion.toml | 4 ++--
 ...ant_attack_via_azure_registered_application.toml | 4 ++--
 .../initial_access_external_guest_user_invite.toml | 4 ++--
 ...ersistence_azure_automation_account_created.toml | 4 ++--
 ...zure_automation_runbook_created_or_modified.toml | 4 ++--
 ...ersistence_azure_automation_webhook_created.toml | 4 ++--
 ...ce_azure_conditional_access_policy_modified.toml | 4 ++--
 ...rsistence_azure_pim_user_added_global_admin.toml | 4 ++--
 ...rivileged_identity_management_role_modified.toml | 4 ++--
 .../persistence_mfa_disabled_for_azure_user.toml | 4 ++--
 ...e_user_added_as_owner_for_azure_application.toml | 4 ++--
 ..._added_as_owner_for_azure_service_principal.toml | 4 ++--
 .../cross-platform/impact_hosts_file_modified.toml | 4 ++--
 ...nitial_access_zoom_meeting_with_no_passcode.toml | 13 +++++++++++--
 ...ollection_gcp_pub_sub_subscription_creation.toml | 4 ++--
 .../gcp/collection_gcp_pub_sub_topic_creation.toml | 4 ++--
 ...access_gcp_iam_service_account_key_deletion.toml | 4 ++--
 ..._access_gcp_key_created_for_service_account.toml | 5 +++--
 .../defense_evasion_gcp_firewall_rule_created.toml | 5 +++--
 .../defense_evasion_gcp_firewall_rule_deleted.toml | 5 +++--
 .../defense_evasion_gcp_firewall_rule_modified.toml | 5 +++--
 ...defense_evasion_gcp_logging_bucket_deletion.toml | 4 ++--
 .../defense_evasion_gcp_logging_sink_deletion.toml | 4 ++--
 ...e_evasion_gcp_pub_sub_subscription_deletion.toml | 4 ++--
 .../defense_evasion_gcp_pub_sub_topic_deletion.toml | 4 ++--
 ...n_gcp_storage_bucket_configuration_modified.toml | 5 +++--
 ...ion_gcp_storage_bucket_permissions_modified.toml | 5 +++--
 .../exfiltration_gcp_logging_sink_modification.toml | 4 ++--
 rules/gcp/impact_gcp_iam_role_deletion.toml | 4 ++--
 rules/gcp/impact_gcp_service_account_deleted.toml | 5 +++--
 rules/gcp/impact_gcp_service_account_disabled.toml | 4 ++--
 rules/gcp/impact_gcp_storage_bucket_deleted.toml | 5 +++--
 ...t_gcp_virtual_private_cloud_network_deleted.toml | 5 +++--
 ...act_gcp_virtual_private_cloud_route_created.toml | 5 +++--
 ...act_gcp_virtual_private_cloud_route_deleted.toml | 5 +++--
 ...initial_access_gcp_iam_custom_role_creation.toml | 6 ++----
 .../persistence_gcp_service_account_created.toml | 5 +++--
 rules/linux/credential_access_tcpdump_activity.toml | 4 ++--
 ...ion_attempt_to_disable_iptables_or_firewall.toml | 4 ++--
 ...e_evasion_attempt_to_disable_syslog_service.toml | 4 ++--
 ...e16_or_base32_encoding_or_decoding_activity.toml | 4 ++--
 ...vasion_base64_encoding_or_decoding_activity.toml | 4 ++--
 ...asion_deletion_of_bash_command_line_history.toml | 4 ++--
 .../defense_evasion_disable_selinux_attempt.toml | 4 ++--
 .../defense_evasion_file_deletion_via_shred.toml | 4 ++--
 .../defense_evasion_file_mod_writable_dir.toml | 4 ++--
 ...e_evasion_hex_encoding_or_decoding_activity.toml | 4 ++--
 .../linux/defense_evasion_hidden_file_dir_tmp.toml | 4 ++--
 .../defense_evasion_kernel_module_removal.toml | 4 ++--
 .../linux/discovery_kernel_module_enumeration.toml | 4 ++--
 .../discovery_virtual_machine_fingerprinting.toml | 4 ++--
 rules/linux/discovery_whoami_commmand.toml | 4 ++--
 rules/linux/execution_perl_tty_shell.toml | 4 ++--
 rules/linux/execution_python_tty_shell.toml | 4 ++--
 ...l_movement_telnet_network_activity_external.toml | 4 ++--
 ...l_movement_telnet_network_activity_internal.toml | 4 ++--
 rules/linux/linux_hping_activity.toml | 4 ++--
 rules/linux/linux_iodine_activity.toml | 4 ++--
 rules/linux/linux_mknod_activity.toml | 4 ++--
 rules/linux/linux_netcat_network_connection.toml | 4 ++--
 rules/linux/linux_nmap_activity.toml | 4 ++--
 rules/linux/linux_nping_activity.toml | 4 ++--
 .../linux_process_started_in_temp_directory.toml | 4 ++--
 rules/linux/linux_socat_activity.toml | 4 ++--
 rules/linux/linux_strace_activity.toml | 4 ++--
 rules/linux/persistence_kernel_module_activity.toml | 4 ++--
 .../persistence_shell_activity_by_web_server.toml | 4 ++--
 ...ivilege_escalation_setgid_bit_set_via_chmod.toml | 4 ++--
 ...ivilege_escalation_setuid_bit_set_via_chmod.toml | 4 ++--
 .../privilege_escalation_sudoers_file_mod.toml | 4 ++--
 ...ntial_access_compress_credentials_keychains.toml | 4 ++--
 rules/macos/credential_access_kerberosdump_kcc.toml | 4 ++--
 .../lateral_movement_remote_ssh_login_enabled.toml | 4 ++--
 rules/ml/ml_cloudtrail_error_message_spike.toml | 4 ++--
 rules/ml/ml_cloudtrail_rare_error_code.toml | 4 ++--
 rules/ml/ml_cloudtrail_rare_method_by_city.toml | 4 ++--
 rules/ml/ml_cloudtrail_rare_method_by_country.toml | 4 ++--
 rules/ml/ml_cloudtrail_rare_method_by_user.toml | 4 ++--
 rules/ml/ml_linux_anomalous_compiler_activity.toml | 4 ++--
 .../ml_linux_anomalous_kernel_module_arguments.toml | 4 ++--
 rules/ml/ml_linux_anomalous_metadata_process.toml | 4 ++--
 rules/ml/ml_linux_anomalous_metadata_user.toml | 9 +++++----
 rules/ml/ml_linux_anomalous_network_activity.toml | 4 ++--
 .../ml_linux_anomalous_network_port_activity.toml | 4 ++--
 rules/ml/ml_linux_anomalous_network_service.toml | 4 ++--
 .../ml/ml_linux_anomalous_network_url_activity.toml | 4 ++--
 rules/ml/ml_linux_anomalous_process_all_hosts.toml | 4 ++--
 rules/ml/ml_linux_anomalous_sudo_activity.toml | 13 ++++++++-----
 rules/ml/ml_linux_anomalous_user_name.toml | 4 ++--
 rules/ml/ml_linux_system_information_discovery.toml | 4 ++--
 ...inux_system_network_configuration_discovery.toml | 5 +++--
 ...l_linux_system_network_connection_discovery.toml | 4 ++--
 rules/ml/ml_linux_system_process_discovery.toml | 4 ++--
 rules/ml/ml_linux_system_user_discovery.toml | 4 ++--
 rules/ml/ml_packetbeat_dns_tunneling.toml | 4 ++--
 rules/ml/ml_packetbeat_rare_dns_question.toml | 4 ++--
 rules/ml/ml_packetbeat_rare_server_domain.toml | 4 ++--
 rules/ml/ml_packetbeat_rare_urls.toml | 4 ++--
 rules/ml/ml_packetbeat_rare_user_agent.toml | 4 ++--
 rules/ml/ml_rare_process_by_host_linux.toml | 4 ++--
 rules/ml/ml_rare_process_by_host_windows.toml | 4 ++--
 rules/ml/ml_suspicious_login_activity.toml | 4 ++--
 rules/ml/ml_windows_anomalous_metadata_process.toml | 4 ++--
 rules/ml/ml_windows_anomalous_metadata_user.toml | 9 +++++----
 rules/ml/ml_windows_anomalous_network_activity.toml | 4 ++--
 rules/ml/ml_windows_anomalous_path_activity.toml | 4 ++--
 .../ml/ml_windows_anomalous_process_all_hosts.toml | 4 ++--
 rules/ml/ml_windows_anomalous_process_creation.toml | 4 ++--
 rules/ml/ml_windows_anomalous_script.toml | 4 ++--
 rules/ml/ml_windows_anomalous_service.toml | 4 ++--
 rules/ml/ml_windows_anomalous_user_name.toml | 4 ++--
 rules/ml/ml_windows_rare_user_runas_event.toml | 4 ++--
 .../ml_windows_rare_user_type10_remote_login.toml | 4 ++--
 .../command_and_control_cobalt_strike_beacon.toml | 5 +++--
 ...nd_and_control_dns_directly_to_the_internet.toml | 4 ++--
 ...ntrol_download_rar_powershell_from_internet.toml | 7 ++++---
 .../command_and_control_fin7_c2_behavior.toml | 4 ++--
 ..._transfer_protocol_activity_to_the_internet.toml | 4 ++--
 .../command_and_control_halfbaked_beacon.toml | 5 +++--
 ...elay_chat_protocol_activity_to_the_internet.toml | 4 ++--
 ...and_and_control_nat_traversal_port_activity.toml | 4 ++--
 .../command_and_control_port_26_activity.toml | 4 ++--
 ..._control_port_8000_activity_to_the_internet.toml | 4 ++--
 ..._point_to_point_tunneling_protocol_activity.toml | 4 ++--
 ...control_proxy_port_activity_to_the_internet.toml | 4 ++--
 ...p_remote_desktop_protocol_from_the_internet.toml | 4 ++--
 .../command_and_control_smtp_to_the_internet.toml | 4 ++--
 ...ol_sql_server_port_activity_to_the_internet.toml | 4 ++--
 ..._control_ssh_secure_shell_from_the_internet.toml | 4 ++--
 ...nd_control_ssh_secure_shell_to_the_internet.toml | 4 ++--
 .../command_and_control_telnet_port_activity.toml | 4 ++--
 ...nd_and_control_tor_activity_to_the_internet.toml | 4 ++--
 ...virtual_network_computing_from_the_internet.toml | 4 ++--
 ...c_virtual_network_computing_to_the_internet.toml | 4 ++--
 ..._post_exploitation_public_ip_reconnaissance.toml | 5 +++--
 ...rdp_remote_desktop_protocol_to_the_internet.toml | 4 ++--
 ...rpc_remote_procedure_call_from_the_internet.toml | 4 ++--
 ...s_rpc_remote_procedure_call_to_the_internet.toml | 4 ++--
 ...ndows_file_sharing_activity_to_the_internet.toml | 4 ++--
 .../initial_access_unsecure_elasticsearch_node.toml | 9 +++++----
 ...dential_access_attempted_bypass_of_okta_mfa.toml | 4 ++--
 ...s_attempts_to_brute_force_okta_user_account.toml | 4 ++--
 ...ccess_okta_brute_force_or_password_spraying.toml | 4 ++--
 ...okta_user_password_reset_or_unlock_attempts.toml | 6 +++---
 .../impact_attempt_to_revoke_okta_api_token.toml | 4 ++--
 rules/okta/impact_possible_okta_dos_attack.toml | 4 ++--
 ...s_suspicious_activity_reported_by_okta_user.toml | 4 ++--
 .../okta_attempt_to_deactivate_okta_mfa_rule.toml | 4 ++--
 rules/okta/okta_attempt_to_delete_okta_policy.toml | 4 ++--
 .../okta/okta_attempt_to_modify_okta_mfa_rule.toml | 4 ++--
 .../okta_attempt_to_modify_okta_network_zone.toml | 4 ++--
 rules/okta/okta_attempt_to_modify_okta_policy.toml | 4 ++--
 ...modify_or_delete_application_sign_on_policy.toml | 4 ++--
 .../okta_threat_detected_by_okta_threatinsight.toml | 4 ++--
 ...nistrator_privileges_assigned_to_okta_group.toml | 4 ++--
 ...ersistence_attempt_to_create_okta_api_token.toml | 4 ++--
 ...mpt_to_deactivate_mfa_for_okta_user_account.toml | 4 ++--
 ...rsistence_attempt_to_deactivate_okta_policy.toml | 4 ++--
 ..._to_reset_mfa_factors_for_okta_user_account.toml | 4 ++--
 rules/promotions/elastic_endpoint.toml | 5 +++--
 .../endpoint_adversary_behavior_detected.toml | 8 ++++----
 .../promotions/endpoint_cred_dumping_detected.toml | 8 ++++----
 .../promotions/endpoint_cred_dumping_prevented.toml | 8 ++++----
 .../endpoint_cred_manipulation_detected.toml | 8 ++++----
 .../endpoint_cred_manipulation_prevented.toml | 8 ++++----
 rules/promotions/endpoint_exploit_detected.toml | 8 ++++----
 rules/promotions/endpoint_exploit_prevented.toml | 8 ++++----
 rules/promotions/endpoint_malware_detected.toml | 8 ++++----
 rules/promotions/endpoint_malware_prevented.toml | 8 ++++----
 .../endpoint_permission_theft_detected.toml | 8 ++++----
 .../endpoint_permission_theft_prevented.toml | 8 ++++----
 .../endpoint_process_injection_detected.toml | 8 ++++----
 .../endpoint_process_injection_prevented.toml | 8 ++++----
 rules/promotions/endpoint_ransomware_detected.toml | 8 ++++----
 rules/promotions/endpoint_ransomware_prevented.toml | 8 ++++----
 rules/promotions/external_alerts.toml | 4 ++--
 ...and_and_control_certutil_network_connection.toml | 4 ++--
 ..._control_remote_file_copy_desktopimgdownldr.toml | 4 ++--
 ...mmand_and_control_remote_file_copy_mpcmdrun.toml | 4 ++--
 ...and_and_control_teamviewer_remote_file_copy.toml | 4 ++--
 ...redential_access_credential_dumping_msbuild.toml | 4 ++--
 ...ial_access_domain_backup_dpapi_private_keys.toml | 4 ++--
 .../credential_access_iis_apppoolsa_pwd_appcmd.toml | 4 ++--
 ...ential_access_iis_connectionstrings_dumping.toml | 4 ++--
 ...dential_access_mimikatz_memssp_default_logs.toml | 4 ++--
 ...he_hidden_file_attribute_with_via_attribexe.toml | 4 ++--
 ...defense_evasion_clearing_windows_event_logs.toml | 4 ++--
 .../defense_evasion_code_injection_conhost.toml | 4 ++--
 rules/windows/defense_evasion_cve_2020_0601.toml | 4 ++--
 ...asion_delete_volume_usn_journal_with_fsutil.toml | 4 ++--
 ...asion_deleting_backup_catalogs_with_wbadmin.toml | 4 ++--
 ...n_disable_windows_firewall_rules_with_netsh.toml | 4 ++--
 ...ense_evasion_dotnet_compiler_parent_process.toml | 4 ++--
 ...ion_encoding_or_decoding_files_via_certutil.toml | 4 ++--
 ...ion_execution_msbuild_started_by_office_app.toml | 4 ++--
 ...evasion_execution_msbuild_started_by_script.toml | 4 ++--
 ...execution_msbuild_started_by_system_process.toml | 4 ++--
 ...e_evasion_execution_msbuild_started_renamed.toml | 4 ++--
 ...on_execution_msbuild_started_unusal_process.toml | 4 ++--
 ...asion_execution_suspicious_explorer_winword.toml | 4 ++--
 ...n_execution_via_trusted_developer_utilities.toml | 4 ++--
 .../defense_evasion_iis_httplogging_disabled.toml | 4 ++--
 .../windows/defense_evasion_injection_msbuild.toml | 4 ++--
 .../windows/defense_evasion_installutil_beacon.toml | 5 +++--
 ...on_masquerading_as_elastic_endpoint_process.toml | 9 +++++----
 ...defense_evasion_masquerading_renamed_autoit.toml | 4 ++--
 ..._masquerading_suspicious_werfault_childproc.toml | 4 ++--
 .../defense_evasion_masquerading_werfault.toml | 4 ++--
 ...sion_misc_lolbin_connecting_to_the_internet.toml | 4 ++--
 ...defense_evasion_modification_of_boot_config.toml | 4 ++--
 .../defense_evasion_msbuild_beacon_sequence.toml | 5 +++--
 rules/windows/defense_evasion_mshta_beacon.toml | 5 +++--
 rules/windows/defense_evasion_msxsl_beacon.toml | 5 +++--
 ...sion_network_connection_from_windows_binary.toml | 5 +++--
 rules/windows/defense_evasion_reg_beacon.toml | 5 +++--
 .../defense_evasion_rundll32_no_arguments.toml | 5 +++--
 .../windows/defense_evasion_rundll32_sequence.toml | 5 +++--
 ...efense_evasion_sdelete_like_filename_rename.toml | 4 ++--
 ...evasion_suspicious_managedcode_host_process.toml | 4 ++--
 .../defense_evasion_suspicious_scrobj_load.toml | 5 +++--
 .../defense_evasion_suspicious_wmi_script.toml | 6 ++++--
 ...fense_evasion_suspicious_zoom_child_process.toml | 4 ++--
 ...system_critical_proc_abnormal_file_activity.toml | 4 ++--
 ...nse_evasion_unusual_system_vp_child_program.toml | 4 ++--
 .../windows/defense_evasion_via_filter_manager.toml | 4 ++--
 ...on_volume_shadow_copy_deletion_via_vssadmin.toml | 4 ++--
 ...vasion_volume_shadow_copy_deletion_via_wmic.toml | 4 ++--
 .../discovery_net_command_system_account.toml | 4 ++--
 ...very_process_discovery_via_tasklist_command.toml | 4 ++--
 .../windows/discovery_whoami_command_activity.toml | 4 ++--
 ...n_command_prompt_connecting_to_the_internet.toml | 4 ++--
 ...ecution_command_shell_started_by_powershell.toml | 4 ++--
 .../execution_command_shell_started_by_svchost.toml | 4 ++--
 ...on_command_shell_started_by_unusual_process.toml | 4 ++--
 .../execution_downloaded_shortcut_files.toml | 5 +++--
 rules/windows/execution_downloaded_url_file.toml | 5 +++--
 ...ecutable_program_connecting_to_the_internet.toml | 4 ++--
 rules/windows/execution_local_service_commands.toml | 4 ++--
 rules/windows/execution_ms_office_written_file.toml | 5 +++--
 ...xecution_msbuild_making_network_connections.toml | 4 ++--
 .../execution_mshta_making_network_connections.toml | 4 ++--
 rules/windows/execution_msxsl_network.toml | 4 ++--
 rules/windows/execution_pdf_written_file.toml | 5 +++--
 .../execution_psexec_lateral_movement_command.toml | 4 ++--
 ...r_server_program_connecting_to_the_internet.toml | 4 ++--
 .../execution_script_executing_powershell.toml | 4 ++--
 ...xecution_suspicious_ms_office_child_process.toml | 4 ++--
 ...ecution_suspicious_ms_outlook_child_process.toml | 4 ++--
 rules/windows/execution_suspicious_pdf_reader.toml | 4 ++--
 rules/windows/execution_suspicious_psexesvc.toml | 4 ++--
 .../execution_unusual_dns_service_children.toml | 4 ++--
 .../execution_unusual_dns_service_file_writes.toml | 4 ++--
 ...ion_unusual_network_connection_via_rundll32.toml | 4 ++--
 ...xecution_unusual_process_network_connection.toml | 4 ++--
 rules/windows/execution_via_compiled_html_file.toml | 4 ++--
 .../windows/execution_via_hidden_shell_conhost.toml | 4 ++--
 rules/windows/execution_via_net_com_assemblies.toml | 4 ++--
 ...tion_via_xp_cmdshell_mssql_stored_procedure.toml | 4 ++--
 rules/windows/execution_wpad_exploitation.toml | 5 +++--
 rules/windows/lateral_movement_cmd_service.toml | 5 +++--
 ...ral_movement_direct_outbound_smb_connection.toml | 4 ++--
 .../lateral_movement_dns_server_overflow.toml | 4 ++--
 .../persistence_adobe_hijack_persistence.toml | 4 ++--
 rules/windows/persistence_app_compat_shim.toml | 5 +++--
 .../persistence_gpo_schtask_service_creation.toml | 4 ++--
 .../persistence_local_scheduled_task_commands.toml | 4 ++--
 ..._priv_escalation_via_accessibility_features.toml | 4 ++--
 .../persistence_system_shells_via_services.toml | 4 ++--
 .../windows/persistence_user_account_creation.toml | 4 ++--
 .../persistence_via_application_shimming.toml | 4 ++--
 ...ia_telemetrycontroller_scheduledtask_hijack.toml | 4 ++--
 ...ence_via_update_orchestrator_service_hijack.toml | 4 ++--
 ...lation_printspooler_service_suspicious_file.toml | 4 ++--
 ...escalation_printspooler_suspicious_spl_file.toml | 4 ++--
 ...ge_escalation_uac_bypass_diskcleanup_hijack.toml | 4 ++--
 ...rivilege_escalation_uac_bypass_event_viewer.toml | 4 ++--
 rules/windows/privilege_escalation_uac_sdclt.toml | 5 +++--
 ...escalation_unusual_parentchild_relationship.toml | 4 ++--
 tests/test_all_rules.py | 8 ++++----
 326 files changed, 751 insertions(+), 699 deletions(-)

diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index bcd0e1fa1..e51f4032c 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_403"]
 risk_score = 47
 rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e"
 severity = "medium"
-tags = ["APM", "Elastic"]
+tags = ["Elastic", "APM"]
 type = "query"
 
 query = '''
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index 83241d286..7e055040d 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_405"]
 risk_score = 47
 rule_id = "75ee75d8-c180-481c-ba88-ee50129a6aef"
 severity = "medium"
-tags = ["APM", "Elastic"]
+tags = ["Elastic", "APM"]
 type = "query"
 
 query = '''
diff --git a/rules/apm/apm_null_user_agent.toml b/rules/apm/apm_null_user_agent.toml
index ed99a4b6c..7b55ae47e 100644
--- a/rules/apm/apm_null_user_agent.toml
+++ b/rules/apm/apm_null_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://en.wikipedia.org/wiki/User_agent"]
 risk_score = 47
 rule_id = "43303fd4-4839-4e48-b2b2-803ab060758d"
 severity = "medium"
-tags = ["APM", "Elastic"]
+tags = ["Elastic", "APM"]
 type = "query"
 
 query = '''
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index 960093c69..16205700a 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["http://sqlmap.org/"]
 risk_score = 47
 rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
 severity = "medium"
-tags = ["APM", "Elastic"]
+tags = ["Elastic", "APM"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
index 7da5d96a7..723485048 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
index 9caeec987..72d5ebd94 100644
--- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "threshold"
 
 query = '''
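Review bot: The `tags` rewrite in the `@@ -28,7 +28,7 @@` hunk of collection_cloudtrail_logging_created.toml drops the `Logging` tag in favour of `Log Auditing` (and `Network` becomes `Network Security` in the later ec2_network_acl_deletion, waf_acl_deletion and waf_rule_or_rule_group_deletion hunks), which silently breaks any saved search, alert filter or rule selection in a deployment that keys on the old tag text once the updated rule is loaded. The commit message only says new categorization tags were added, so a reader cannot tell from it that existing tags were renamed. Consider recording the old-to-new tag mapping in the PR description or changelog so operators know to update their filters; the rule files themselves look internally consistent. The same `Logging` to `Log Auditing` rename also appears in defense_evasion_cloudtrail_logging_deleted, defense_evasion_cloudtrail_logging_suspended, defense_evasion_ec2_flow_log_deletion and execution_via_system_manager.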
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
index e51a30a5d..1d5f8ec21 100644
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/aws/credential_access_iam_user_addition_to_group.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserTo
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/credential_access_root_console_failure_brute_force.toml b/rules/aws/credential_access_root_console_failure_brute_force.toml
index d773dc160..4ad76f238 100644
--- a/rules/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/aws/credential_access_root_console_failure_brute_force.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
 severity = "high"
-tags = ["AWS", "Continuous Monitoring", "Elastic", "Identity and Access", "SecOps"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "threshold"
 
 query = '''
@@ -51,3 +51,4 @@ reference = "https://attack.mitre.org/tactics/TA0006/"
 [rule.threshold]
 field = "cloud.account.id"
 value = 10
+ 
diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
index 34ddfcf64..814bb0401 100644
--- a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 73
 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
index d783c3d41..358d56a06 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 27942f01b..fb04a602a 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 94c3bf9c9..d76df6b53 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
index af1e402b0..000082c5f 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
index 8a6df25b7..20e85f426 100644
--- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
index 5a5e47489..e8990a48b 100644
--- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/15"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 73
 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
index 13d63264e..333e73312 100644
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
index c092a0d67..ffd170e97 100644
--- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/28"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 73
 rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''
diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 72c987846..82e1247f1 100644
--- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "227dc608-e558-43d9-b521-150772250bae"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 query = '''
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
index d40e36ed1..1e4a07792 100644
--- a/rules/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 query = '''
diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index c0991f44e..dd768e359 100644
--- a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/09"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 query = '''
diff --git a/rules/aws/execution_via_system_manager.toml b/rules/aws/execution_via_system_manager.toml
index c400afc4f..e1cccc3f5 100644
--- a/rules/aws/execution_via_system_manager.toml
+++ b/rules/aws/execution_via_system_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-
 risk_score = 21
 rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 query = '''
diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
index 2e5a9956e..bbb108a31 100644
--- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 query = '''
diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml
index 0bc0e0e33..433c1207e 100644
--- a/rules/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/aws/impact_cloudtrail_logging_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/10"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 query = '''
diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml
index da99d8a9e..de0597b73 100644
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 query = '''
diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
index 57fd213fd..1b814ce62 100644
--- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Logging", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 query = '''
diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml
index d4b0471fa..2a783c3aa 100644
--- a/rules/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Data Protection", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Data Protection"]
 type = "query"
 query = '''
diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml
index 7b7bf4f65..a7c1ddabc 100644
--- a/rules/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/aws/impact_iam_deactivate_mfa_device.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/26"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 query = '''
diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml
index 1d7ec06d5..098e17426 100644
--- a/rules/aws/impact_iam_group_deletion.toml
+++ b/rules/aws/impact_iam_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 query = '''
diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml
index 816d570e0..cc252748e 100644
--- a/rules/aws/impact_rds_cluster_deletion.toml
+++ b/rules/aws/impact_rds_cluster_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 query = '''
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml
index bd1904c17..72bafae0c 100644
--- a/rules/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 47
 rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
 severity = "medium"
-tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 query = '''
diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml
index 8c3579f08..f64970a37 100644
--- a/rules/aws/initial_access_console_login_root.toml
+++ b/rules/aws/initial_access_console_login_root.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/11"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml
index 4a13623bd..b065ab4c9 100644
--- a/rules/aws/initial_access_password_recovery.toml
+++ b/rules/aws/initial_access_password_recovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-c
 risk_score = 21
 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml
index 4735d369b..12ec23bd7 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/aws/persistence_ec2_network_acl_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 21
 rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Network", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 query = '''
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml
index c5519741c..1db34ba38 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/aws/persistence_iam_group_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/06/05"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml
index 1ee2631d6..cf05e235a 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/aws/persistence_rds_cluster_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 21
 rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Asset Visibility", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 query = '''
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml
index 6e8adc47e..bae9de6b9 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
 risk_score = 73
 rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
 severity = "high"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
index c68f3e432..4987a3fdd 100644
--- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-
 risk_score = 21
 rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
 severity = "low"
-tags = ["AWS", "Elastic", "SecOps", "Identity and Access", "Continuous Monitoring"]
+tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/azure/collection_update_event_hub_auth_rule.toml b/rules/azure/collection_update_event_hub_auth_rule.toml
index 7f11988f5..0d436d540 100644
--- a/rules/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/azure/collection_update_event_hub_auth_rule.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-acces
 risk_score = 47
 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
 severity = "medium"
-tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Logging"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 query = '''
diff --git a/rules/azure/credential_access_key_vault_modified.toml b/rules/azure/credential_access_key_vault_modified.toml
index 81e075212..3aac30ac0 100644
--- a/rules/azure/credential_access_key_vault_modified.toml
+++ b/rules/azure/credential_access_key_vault_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
 severity = "medium"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Data Protection"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Data Protection"]
 type = "query"
 query = '''
diff --git a/rules/azure/credential_access_storage_account_key_regenerated.toml b/rules/azure/credential_access_storage_account_key_regenerated.toml
index 6e3c7a477..a9ae6fee0 100644
--- a/rules/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/azure/credential_access_storage_account_key_regenerated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 21
 rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
 severity = "low"
-tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index c99bd1ade..fa1e347a3 100644
--- a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/dia
 risk_score = 47
 rule_id = "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de"
 severity = "medium"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Monitoring"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 query = '''
diff --git a/rules/azure/defense_evasion_event_hub_deletion.toml b/rules/azure/defense_evasion_event_hub_deletion.toml
index 82df7895e..21a4a12d4 100644
--- a/rules/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/azure/defense_evasion_event_hub_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "e0f36de1-0342-453d-95a9-a068b257b053"
 severity = "medium"
-tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Logging"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 query = '''
diff --git a/rules/azure/defense_evasion_firewall_policy_deletion.toml b/rules/azure/defense_evasion_firewall_policy_deletion.toml
index 70abac1d5..7f469864f 100644
--- a/rules/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/azure/defense_evasion_firewall_policy_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-ov
 risk_score = 21
 rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
 severity = "low"
-tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Network"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 query = '''
diff --git a/rules/azure/defense_evasion_network_watcher_deletion.toml b/rules/azure/defense_evasion_network_watcher_deletion.toml
index 14d77cca6..b3a80888c 100644
--- a/rules/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/azure/defense_evasion_network_watcher_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-wa
 risk_score = 47
 rule_id = "323cb487-279d-4218-bcbd-a568efe930c6"
 severity = "medium"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Network"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"]
 type = "query"
 query = '''
diff --git a/rules/azure/discovery_blob_container_access_mod.toml b/rules/azure/discovery_blob_container_access_mod.toml
index fa929d5d7..31a172ba8 100644
--- a/rules/azure/discovery_blob_container_access_mod.toml
+++ b/rules/azure/discovery_blob_container_access_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-re
 risk_score = 21
 rule_id = "2636aa6c-88b5-4337-9c31-8d0192a8ef45"
 severity = "low"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Asset Visibility"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Asset Visibility"]
 type = "query"
 query = '''
diff --git a/rules/azure/execution_command_virtual_machine.toml b/rules/azure/execution_command_virtual_machine.toml
index a3320dc8f..392d4290f 100644
--- a/rules/azure/execution_command_virtual_machine.toml
+++ b/rules/azure/execution_command_virtual_machine.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "60884af6-f553-4a6c-af13-300047455491"
 severity = "medium"
-tags = ["Azure", "Elastic", "SecOps", "Continuous Monitoring", "Logging"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 query = '''
diff --git a/rules/azure/impact_azure_automation_runbook_deleted.toml b/rules/azure/impact_azure_automation_runbook_deleted.toml
index be44a3833..7de8a3055 100644
--- a/rules/azure/impact_azure_automation_runbook_deleted.toml
+++ b/rules/azure/impact_azure_automation_runbook_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 21
 rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
 severity = "low"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 query = '''
diff --git a/rules/azure/impact_resource_group_deletion.toml b/rules/azure/impact_resource_group_deletion.toml
index 8480ca197..c5aa59692 100644
--- a/rules/azure/impact_resource_group_deletion.toml
+++ b/rules/azure/impact_resource_group_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f"
 severity = "medium"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Logging"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 query = '''
diff --git a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index faecb718a..009278838 100644
--- a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/01"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38"
 severity = "medium"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/azure/initial_access_external_guest_user_invite.toml b/rules/azure/initial_access_external_guest_user_invite.toml
index 0f48e486d..fa2fc04c6 100644
--- a/rules/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/azure/initial_access_external_guest_user_invite.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/
 risk_score = 21
 rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
 severity = "low"
-tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/azure/persistence_azure_automation_account_created.toml b/rules/azure/persistence_azure_automation_account_created.toml
index b8ae77cbc..c83795dc6 100644
--- a/rules/azure/persistence_azure_automation_account_created.toml
+++ b/rules/azure/persistence_azure_automation_account_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = [
 risk_score = 21
 rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
 severity = "low"
-tags = ["Azure", "Continuous Monitoring", "Elastic", "Identity and Access", "SecOps"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
index f5f0568c4..882ce0e02 100644
--- a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 21
 rule_id = "16280f1e-57e6-4242-aa21-bb4d16f13b2f"
 severity = "low"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 query = '''
diff --git a/rules/azure/persistence_azure_automation_webhook_created.toml b/rules/azure/persistence_azure_automation_webhook_created.toml
index 6bb547c51..5f118dc2e 100644
--- a/rules/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/azure/persistence_azure_automation_webhook_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = [
 risk_score = 21
 rule_id = "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62"
 severity = "low"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 to = "now-25m"
 type = "query"
diff --git a/rules/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/azure/persistence_azure_conditional_access_policy_modified.toml
index 1697088ae..6f7368304 100644
--- a/rules/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/01"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://docs.microsoft.com/en-us/azure/active-directory/condition
 risk_score = 47
 rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
 severity = "medium"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 query = '''
diff --git a/rules/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/azure/persistence_azure_pim_user_added_global_admin.toml
index 9fc61b637..ebb44d60c 100644
--- a/rules/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/24"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 73
 rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8"
 severity = "high"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
index c399d5dcf..51fa8edd8 100644
--- a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80"
 severity = "medium"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/azure/persistence_mfa_disabled_for_azure_user.toml
index 65791b662..118b97eaf 100644
--- a/rules/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ note = "The Azure Filebeat module must be enabled to use this rule."
 risk_score = 47
 rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
 severity = "medium"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 query = '''
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
index 3b75c2768..1e33eb42c 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ note = "The Azure Filebeat module must be enabled to use this rule."
 risk_score = 21
 rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86"
 severity = "low"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 query = '''
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index 256dac39e..89330b839 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 21
 rule_id = "38e5acdd-5f20-4d99-8fe4-f0a1a592077f"
 severity = "low"
-tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index a0421c6f4..1eda59dbc 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/07"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat
 risk_score = 47
 rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
 severity = "medium"
-tags = ["Elastic", "Linux", "Windows", "macOS"]
+tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact"]
 type = "query"
 
 query = '''
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index 53bd8dec3..af0b5739b 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/14"
 ecs_version = ["1.6.0"]
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/09/15"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,15 @@ references = [
 risk_score = 47
 rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba"
 severity = "medium"
-tags = ["Elastic", "SecOps", "Continuous Monitoring", "Configuration Audit"]
+tags = [
+ "Elastic",
+ "Application",
+ "Communication",
+ "Zoom",
+ "Continuous Monitoring",
+ "SecOps",
+ "Configuration Audit",
+]
 type = "query"
 
 query = '''
@@ -47,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1190/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
index b740ca79c..7ba128e27 100644
--- a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "d62b64a8-a7c9-43e5-aee3-15a725a794e7"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''
diff --git a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
index 2e18a7bb0..f165acff9 100644
--- a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
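Review bot: The expanded `tags` array in initial_access_zoom_meeting_with_no_passcode.toml is the only multi-line tag list in this change; every other rule here keeps the list on one line, so this one reads as hand-formatted rather than tool-emitted. Collapsing it to `tags = ["Elastic", "Application", "Communication", "Zoom", "Continuous Monitoring", "SecOps", "Configuration Audit"]` would keep the rule files uniform and easier to grep for a given category. The `@@ -47,3 +55,4 @@` hunk in the same file only adds a trailing blank line at end of file, and the same trailing-blank addition recurs across many of the GCP rules in this change; if it comes from the export tooling it is harmless, but it is whitespace noise if these were hand edits.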
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/pubsub/docs/admin"]
 risk_score = 21
 rule_id = "a10d3d9d-0f65-48f1-8b25-af175e2594f5"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''
diff --git a/rules/gcp/credential_access_gcp_iam_service_account_key_deletion.toml b/rules/gcp/credential_access_gcp_iam_service_account_key_deletion.toml
index 798ef460a..d8c147c37 100644
--- a/rules/gcp/credential_access_gcp_iam_service_account_key_deletion.toml
+++ b/rules/gcp/credential_access_gcp_iam_service_account_key_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "9890ee61-d061-403d-9bf6-64934c51f638"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
diff --git a/rules/gcp/credential_access_gcp_key_created_for_service_account.toml b/rules/gcp/credential_access_gcp_key_created_for_service_account.toml
index 08663565e..f415cbd34 100644
--- a/rules/gcp/credential_access_gcp_key_created_for_service_account.toml
+++ b/rules/gcp/credential_access_gcp_key_created_for_service_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 21
 rule_id = "0e5acaae-6a64-4bbc-adb8-27649c03f7e1"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
@@ -52,3 +52,4 @@ reference = "https://attack.mitre.org/techniques/T1098/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
index 77748e8ca..f068e89f9 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/vpc/docs/firewalls"]
 risk_score = 21
 rule_id = "30562697-9859-4ae0-a8c5-dab45d664170"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
@@ -47,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1562/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index ddec32cc5..2a155e348 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://cloud.google.com/vpc/docs/firewalls"]
 risk_score = 47
 rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1562/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index 2a4c0033d..977fcbad5 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://cloud.google.com/vpc/docs/firewalls"]
 risk_score = 47
 rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1562/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index fe6306420..7a1aa2e5c 100644
--- a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.go
 risk_score = 47
 rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''
diff --git a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index b2026a18c..44fcb110c 100644
--- a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/logging/docs/export"]
 risk_score = 47
 rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index a308fe1a5..e2415c960 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/23"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index d62b7d6ef..a960f15a4 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "3202e172-01b1-4738-a932-d024c514ba72"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index 7bc0c407a..5583cfb0c 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,9 +25,10 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
 event.dataset:googlecloud.audit and event.action:storage.buckets.update and event.outcome:success
 '''
+
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 58cb2e392..23dbf4bc3 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://cloud.google.com/storage/docs/access-control/iam-permissi
 risk_score = 47
 rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1222/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
index 1b1cf786c..6ace9e856 100644
--- a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
 risk_score = 21
 rule_id = "184dfe52-2999-42d9-b9d1-d1ca54495a61"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Logging"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Log Auditing"]
 type = "query"
 
 query = '''
diff --git a/rules/gcp/impact_gcp_iam_role_deletion.toml b/rules/gcp/impact_gcp_iam_role_deletion.toml
index aef0ea2fb..0e6611a55 100644
--- a/rules/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/gcp/impact_gcp_iam_role_deletion.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/iam/docs/understanding-roles"]
 risk_score = 21
 rule_id = "e2fb5b18-e33c-4270-851e-c3d675c9afcd"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
diff --git a/rules/gcp/impact_gcp_service_account_deleted.toml b/rules/gcp/impact_gcp_service_account_deleted.toml
index f247bbb86..4620b5c78 100644
--- a/rules/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/gcp/impact_gcp_service_account_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
@@ -48,3 +48,4 @@ reference = "https://attack.mitre.org/techniques/T1531/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
diff --git a/rules/gcp/impact_gcp_service_account_disabled.toml b/rules/gcp/impact_gcp_service_account_disabled.toml
index 4dddae497..6c41dce48 100644
--- a/rules/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/gcp/impact_gcp_service_account_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "bca7d28e-4a48-47b1-adb7-5074310e9a61"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
diff --git a/rules/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
index 033c9794e..89ae16066 100644
--- a/rules/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Monitoring"]
 type = "query"
 
 query = '''
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1485/"
 id = "TA0040"
 name = "Impact"
 reference = "https://attack.mitre.org/tactics/TA0040/"
+
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml b/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
index 2ea8a952a..66d8a0c90 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,9 +27,10 @@ references = ["https://cloud.google.com/vpc/docs/vpc"]
 risk_score = 47
 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
 event.dataset:googlecloud.audit and event.action:v*.compute.networks.delete and event.outcome:success
 '''
+
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
index e6c898282..2b7c748f1 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
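Review bot: impact_gcp_storage_bucket_deleted.toml keeps the `Monitoring` tag in its new `tags` line while every other GCP rule in this change is moved onto the updated category names (`Log Auditing`, `Configuration Audit`, `Identity and Access`), so this looks like an omission from the taxonomy update rather than a deliberate choice. The VPC network and route deletion rules in the same change use `Configuration Audit`, so `tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]` would be the consistent value if that is the intended mapping for resource deletions; if `Monitoring` is still a valid category, a line in the PR description saying so would save the next reviewer the same question. It is also worth checking that no rule outside this diff still carries the old `Logging` tag, since the rename to `Log Auditing` is only useful for filtering if its coverage is complete.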
@@ -27,9 +27,10 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 21
 rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
 event.dataset:googlecloud.audit and event.action:(v*.compute.routes.insert or beta.compute.routes.insert)
 '''
+
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml b/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
index 7b01f7eb6..3b2ef24d4 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,9 +27,10 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 47
 rule_id = "a17bcc91-297b-459b-b5ce-bc7460d8f82a"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Configuration Audit"]
 type = "query"
 
 query = '''
 event.dataset:googlecloud.audit and event.action:v*.compute.routes.delete and event.outcome:success
 '''
+
diff --git a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
index 36bcc8470..100aeb3a5 100644
--- a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
 risk_score = 47
 rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
 severity = "medium"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
@@ -47,8 +47,6 @@ reference = "https://attack.mitre.org/techniques/T1078/"
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
-
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/gcp/persistence_gcp_service_account_created.toml b/rules/gcp/persistence_gcp_service_account_created.toml
index 91a7fa37c..6fb18bfda 100644
--- a/rules/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/gcp/persistence_gcp_service_account_created.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 21
 rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623"
 severity = "low"
-tags = ["Elastic", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Elastic", "Cloud", "GCP", "Continuous Monitoring", "SecOps", "Identity and Access"]
 type = "query"
 
 query = '''
@@ -49,3 +49,4 @@ reference = "https://attack.mitre.org/techniques/T1136/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/linux/credential_access_tcpdump_activity.toml b/rules/linux/credential_access_tcpdump_activity.toml
index 76dd228f3..9ba0c5ea0 100644
--- a/rules/linux/credential_access_tcpdump_activity.toml
+++ b/rules/linux/credential_access_tcpdump_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ name = "Network Sniffing via Tcpdump"
 risk_score = 21
 rule_id = "7a137d76-ce3d-48e2-947d-2747796a78c0"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index b9702f571..05cb0e855 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Attempt to Disable IPTables or Firewall"
 risk_score = 47
 rule_id = "125417b8-d3df-479f-8418-12d7e034fee3"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 6c6dc9250..4089156b0 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Attempt to Disable Syslog Service"
 risk_score = 47
 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index be0146fd0..189679d6a 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Base16 or Base32 Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
index bd64df513..eae5a4f06 100644
--- a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Base64 Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
index 309fd304d..212456b89 100644
--- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/05/04"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Deletion of Bash Command Line History"
 risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index f640c02df..be9047c80 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Potential Disabling of SELinux"
 risk_score = 47
 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index be00e3948..45e455124 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "File Deletion via Shred"
 risk_score = 21
 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index 90699c88a..8a23c4565 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ name = "File Permission Modification in Writable Directory"
 risk_score = 21
 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
index 44a4b348d..952416f2e 100644
--- a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Hex Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index 143911149..a25e8e8f2 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/29"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "Creation of Hidden Files and Directories"
 risk_score = 47
 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index ab662af6c..460a81f34 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
 risk_score = 73
 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
 severity = "high"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index 46aaa773a..fabe9f49e 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ name = "Enumeration of Kernel Modules"
 risk_score = 47
 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
 type = "query"
 query = '''
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index 9bfeba953..278d665ee 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/27"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ name = "Virtual Machine Fingerprinting"
 risk_score = 73
 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
 severity = "high"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
 type = "query"
 query = '''
diff --git a/rules/linux/discovery_whoami_commmand.toml b/rules/linux/discovery_whoami_commmand.toml
index 0587912fb..28baa3257 100644
--- a/rules/linux/discovery_whoami_commmand.toml
+++ b/rules/linux/discovery_whoami_commmand.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ name = "User Discovery via Whoami"
 risk_score = 21
 rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
 type = "query"
 query = '''
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index b867f0771..28e89e310 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Interactive Terminal Spawned via Perl"
 risk_score = 73
 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
 severity = "high"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index 858f0be1a..532e8227d 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/15"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Interactive Terminal Spawned via Python"
 risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
 severity = "high"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index a8ca67f70..f922a39fa 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "Connection to External Network via Telnet"
 risk_score = 47
 rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
 type = "query"
 query = '''
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index 3caa809bc..eaabdb2e1 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "Connection to Internal Network via Telnet"
 risk_score = 47
 rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
 type = "query"
 query = '''
diff --git a/rules/linux/linux_hping_activity.toml b/rules/linux/linux_hping_activity.toml
index f3b510d5d..e34048452 100644
--- a/rules/linux/linux_hping_activity.toml
+++ b/rules/linux/linux_hping_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/Hping"]
 risk_score = 73
 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
 severity = "high"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection"]
 type = "query"
 query = '''
diff --git a/rules/linux/linux_iodine_activity.toml b/rules/linux/linux_iodine_activity.toml
index 62a23b1d7..dff43a24c 100644
--- a/rules/linux/linux_iodine_activity.toml
+++ b/rules/linux/linux_iodine_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://code.kryo.se/iodine/"]
 risk_score = 73
 rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
 severity = "high"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection"]
 type = "query"
 query = '''
diff --git a/rules/linux/linux_mknod_activity.toml b/rules/linux/linux_mknod_activity.toml
index c557682dd..4362ce5c6 100644
--- a/rules/linux/linux_mknod_activity.toml
+++ b/rules/linux/linux_mknod_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/09"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 21
 rule_id = "61c31c14-507f-4627-8c31-072556b89a9c"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection"]
 type = "query"
 query = '''
diff --git a/rules/linux/linux_netcat_network_connection.toml b/rules/linux/linux_netcat_network_connection.toml
index 45f954019..01232126c 100644
--- a/rules/linux/linux_netcat_network_connection.toml
+++ b/rules/linux/linux_netcat_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection"]
 type = "query"
 query = '''
diff --git a/rules/linux/linux_nmap_activity.toml b/rules/linux/linux_nmap_activity.toml
index a232a8ba7..e4f6dd10b 100644
--- a/rules/linux/linux_nmap_activity.toml
+++ b/rules/linux/linux_nmap_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Nmap"]
 risk_score = 21
 rule_id = "c87fca17-b3a9-4e83-b545-f30746c53920"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection"]
 type = "query"
 query = '''
diff --git a/rules/linux/linux_nping_activity.toml b/rules/linux/linux_nping_activity.toml
index 739bd631e..aa181aec7 100644
--- a/rules/linux/linux_nping_activity.toml
+++ b/rules/linux/linux_nping_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/Nmap"]
 risk_score = 47
 rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection"]
 type = "query"
 query = '''
diff --git a/rules/linux/linux_process_started_in_temp_directory.toml b/rules/linux/linux_process_started_in_temp_directory.toml
index 48e5b6940..99fd57b03 100644
--- a/rules/linux/linux_process_started_in_temp_directory.toml
+++ b/rules/linux/linux_process_started_in_temp_directory.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Unusual Process Execution - Temp"
 risk_score = 47
 rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection"]
 type = "query"
 query = '''
diff --git a/rules/linux/linux_socat_activity.toml b/rules/linux/linux_socat_activity.toml
index a1543f2df..dba48404f 100644
--- a/rules/linux/linux_socat_activity.toml
+++ b/rules/linux/linux_socat_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://blog.ropnop.com/upgrading-simple-shells-to-fully-interact
 risk_score = 47
 rule_id = "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection"]
 type = "query"
 query = '''
diff --git a/rules/linux/linux_strace_activity.toml b/rules/linux/linux_strace_activity.toml
index ba5096dd0..61b05cd15 100644
--- a/rules/linux/linux_strace_activity.toml
+++ b/rules/linux/linux_strace_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://en.wikipedia.org/wiki/Strace"]
 risk_score = 21
 rule_id = "d6450d4e-81c6-46a3-bd94-079886318ed5"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection"]
 type = "query"
 query = '''
diff --git a/rules/linux/persistence_kernel_module_activity.toml b/rules/linux/persistence_kernel_module_activity.toml
index ee5dc35f2..e4bc0941b 100644
--- a/rules/linux/persistence_kernel_module_activity.toml
+++ b/rules/linux/persistence_kernel_module_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 21
 rule_id = "81cc58f5-8062-49a2-ba84-5cc4b4d31c40"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
 type = "query"
 query = '''
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml
index 3b1e6a8f2..27ebc571e 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_shell_activity_by_web_server.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://pentestlab.blog/tag/web-shell/"]
 risk_score = 47
 rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
 severity = "medium"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
 type = "query"
 query = '''
diff --git a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
index b979c6247..a5fe2f27e 100644
--- a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
+++ b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Setgid Bit Set via chmod"
 risk_score = 21
 rule_id = "3a86e085-094c-412d-97ff-2439731e59cb"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
 type = "query"
 query = '''
diff --git a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml
index 4c8dd2a9d..7b3b49b00 100644
--- a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml
+++ b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/23"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Setuid Bit Set via chmod"
 risk_score = 21
 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
 type = "query"
 query = '''
diff --git a/rules/linux/privilege_escalation_sudoers_file_mod.toml b/rules/linux/privilege_escalation_sudoers_file_mod.toml
index f8ef3f43d..07b647f1f 100644
--- a/rules/linux/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/linux/privilege_escalation_sudoers_file_mod.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/13"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Sudoers File Modification"
 risk_score = 21
 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
 severity = "low"
-tags = ["Elastic", "Linux"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
 type = "query"
 query = '''
diff --git a/rules/macos/credential_access_compress_credentials_keychains.toml b/rules/macos/credential_access_compress_credentials_keychains.toml
index 1d68d9a0d..d01db6e3e 100644
--- a/rules/macos/credential_access_compress_credentials_keychains.toml
+++ b/rules/macos/credential_access_compress_credentials_keychains.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ references = ["https://objective-see.com/blog/blog_0x25.html"]
 risk_score = 73
 rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8"
 severity = "high"
-tags = ["Elastic", "macOS"]
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
 type = "query"
 query = '''
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index 67e263e1c..007a525e8 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = [
 risk_score = 73
 rule_id = "ad88231f-e2ab-491c-8fc6-64746da26cfe"
 severity = "high"
-tags = ["Elastic", "macOS"]
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
 type = "query"
 query = '''
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 6d9be34c7..65188a5f0 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = [
 risk_score = 47
 rule_id = "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc"
 severity = "medium"
-tags = ["Elastic", "macOS"]
+tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"]
 type = "query"
 query = '''
diff --git a/rules/ml/ml_cloudtrail_error_message_spike.toml b/rules/ml/ml_cloudtrail_error_message_spike.toml
index 890d61d9f..1a6485ab0 100644
--- a/rules/ml/ml_cloudtrail_error_message_spike.toml
+++ b/rules/ml/ml_cloudtrail_error_message_spike.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/13"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -33,6 +33,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
 severity = "low"
-tags = ["AWS", "Elastic", "ML"]
+tags = ["Elastic", "Cloud", "AWS", "ML"]
 type = "machine_learning"
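Review bot: The CloudTrail ML rule in the last hunk on this line is retagged as `+tags = ["Elastic", "Cloud", "AWS", "ML"]` with no `Threat Detection` entry, while every host and network rule in this commit, including the Linux and Packetbeat ML rules, receives `Threat Detection` next to its platform tag. If cloud rules are intentionally on a separate scheme, the commit description should say so, since a reader of the rule table will otherwise read the gap as an omission; if not, the line should be `tags = ["Elastic", "Cloud", "AWS", "Threat Detection", "ML"]`. The same pattern recurs for the four sibling CloudTrail ML rules that follow.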
diff --git a/rules/ml/ml_cloudtrail_rare_error_code.toml b/rules/ml/ml_cloudtrail_rare_error_code.toml
index 05b5eb18d..702032b6e 100644
--- a/rules/ml/ml_cloudtrail_rare_error_code.toml
+++ b/rules/ml/ml_cloudtrail_rare_error_code.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/13"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -33,6 +33,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
 severity = "low"
-tags = ["AWS", "Elastic", "ML"]
+tags = ["Elastic", "Cloud", "AWS", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_city.toml b/rules/ml/ml_cloudtrail_rare_method_by_city.toml
index 1997998e0..069d628ee 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_city.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/13"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -35,6 +35,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276"
 severity = "low"
-tags = ["AWS", "Elastic", "ML"]
+tags = ["Elastic", "Cloud", "AWS", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_country.toml b/rules/ml/ml_cloudtrail_rare_method_by_country.toml
index aa79f7c87..54c94f856 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_country.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/13"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -35,6 +35,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1"
 severity = "low"
-tags = ["AWS", "Elastic", "ML"]
+tags = ["Elastic", "Cloud", "AWS", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_user.toml b/rules/ml/ml_cloudtrail_rare_method_by_user.toml
index bdb0e3d55..ca99637f8 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_user.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/13"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/13"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 75
@@ -34,6 +34,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1"
 severity = "low"
-tags = ["AWS", "Elastic", "ML"]
+tags = ["Elastic", "Cloud", "AWS", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_linux_anomalous_compiler_activity.toml b/rules/ml/ml_linux_anomalous_compiler_activity.toml
index 35f29511f..12ff49d54 100644
--- a/rules/ml/ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/ml_linux_anomalous_compiler_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -26,6 +26,6 @@ name = "Anomalous Linux Compiler Activity"
 risk_score = 21
 rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
index eac1f4995..c8cbc0374 100644
--- a/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
+++ b/rules/ml/ml_linux_anomalous_kernel_module_arguments.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 25
@@ -26,7 +26,7 @@ references = ["references"]
 risk_score = 21
 rule_id = "37b0816d-af40-40b4-885f-bb162b3c88a9"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/ml_linux_anomalous_metadata_process.toml b/rules/ml/ml_linux_anomalous_metadata_process.toml
index 369bc3197..9714641f4 100644
--- a/rules/ml/ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/ml_linux_anomalous_metadata_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -25,6 +25,6 @@ name = "Unusual Linux Process Calling the Metadata Service"
 risk_score = 21
 rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_linux_anomalous_metadata_user.toml b/rules/ml/ml_linux_anomalous_metadata_user.toml
index a53d0f6fe..bc6d9f157 100644
--- a/rules/ml/ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/ml_linux_anomalous_metadata_user.toml
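Review bot: The line immediately above the tags hunk for ml_linux_anomalous_kernel_module_arguments, shown as the hunk's context `references = ["references"]`, is a template placeholder rather than a URL, and this commit re-dates and re-tags the rule without touching it, so the rule will keep publishing a reference whose link text is the word "references". Either delete that line (the field is optional in the sibling rules on this page) or replace it with the prebuilt-ML-jobs reference the other ml_linux_* rules carry, which is truncated in their hunk headers here and so should be copied from one of those files rather than from this review. The `[[rule.threat]]` block that this hunk opens continues outside the hunk.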
@@ -2,14 +2,14 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to
-harvest credentials or user data scripts containing secrets.
+Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be
+targeted in order to harvest credentials or user data scripts containing secrets.
 """
 false_positives = [
 """
@@ -25,5 +25,6 @@ name = "Unusual Linux User Calling the Metadata Service"
 risk_score = 21
 rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
+
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index fe06163d8..14950e919 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -30,6 +30,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index d451a63ca..f650b4a0a 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -22,6 +22,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_linux_anomalous_network_service.toml b/rules/ml/ml_linux_anomalous_network_service.toml
index a0e4d88dc..3a09c9e1a 100644
--- a/rules/ml/ml_linux_anomalous_network_service.toml
+++ b/rules/ml/ml_linux_anomalous_network_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -21,6 +21,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "52afbdc5-db15-596e-bc35-f5707f820c4b"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_linux_anomalous_network_url_activity.toml b/rules/ml/ml_linux_anomalous_network_url_activity.toml
index b6b9fe606..2b08c4e4b 100644
--- a/rules/ml/ml_linux_anomalous_network_url_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_url_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -29,6 +29,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "52afbdc5-db15-485e-bc35-f5707f820c4c"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_linux_anomalous_process_all_hosts.toml b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
index 2ae34d698..3db29bda6 100644
--- a/rules/ml/ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -32,6 +32,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "647fc812-7996-4795-8869-9c4ea595fe88"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_linux_anomalous_sudo_activity.toml b/rules/ml/ml_linux_anomalous_sudo_activity.toml
index ea1f49694..83c3d3527 100644
--- a/rules/ml/ml_linux_anomalous_sudo_activity.toml
+++ b/rules/ml/ml_linux_anomalous_sudo_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/28"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 75
@@ -25,27 +25,30 @@ name = "Unusual Sudo Activity"
 risk_score = 21
 rule_id = "1e9fc667-9ff1-4b33-9f40-fefca8537eb0"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1548"
 name = "Abuse Elevation Control Mechanism"
 reference = "https://attack.mitre.org/techniques/T1548/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/ml/ml_linux_anomalous_user_name.toml b/rules/ml/ml_linux_anomalous_user_name.toml
index 2e4a4682e..0a3f6195d 100644
--- a/rules/ml/ml_linux_anomalous_user_name.toml
+++ b/rules/ml/ml_linux_anomalous_user_name.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -37,6 +37,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "b347b919-665f-4aac-b9e8-68369bf2340c"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_linux_system_information_discovery.toml b/rules/ml/ml_linux_system_information_discovery.toml
index e794d3dd1..ae4d64a8e 100644
--- a/rules/ml/ml_linux_system_information_discovery.toml
+++ b/rules/ml/ml_linux_system_information_discovery.toml
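Review bot: The new tags line for the Unusual Sudo Activity rule stops at `"Threat Detection", "ML"` even though the same hunk shows the rule mapped to both TA0005 Defense Evasion and TA0004 Privilege Escalation, whereas the query rules in this commit carry their tactic name as a tag (for example `"Privilege Escalation"` on the setuid, setgid and sudoers rules). If tactic tags are deliberately left off ML rules, a sentence in the commit description would stop reviewers re-raising it; otherwise `tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Defense Evasion", "Privilege Escalation"]` keeps tactic filtering consistent across rule types. The hunk also drops the blank line between `type = "machine_learning"` and `[[rule.threat]]` while adding two before each `[rule.threat.tactic]`, which is presumably the formatter's output but looks inconsistent on its own.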
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 75
@@ -27,7 +27,7 @@ name = "Unusual Linux System Information Discovery Activity"
 risk_score = 21
 rule_id = "d4af3a06-1e0a-48ec-b96a-faf2309fae46"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/ml_linux_system_network_configuration_discovery.toml b/rules/ml/ml_linux_system_network_configuration_discovery.toml
index 4930ea302..d32a1c479 100644
--- a/rules/ml/ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/ml_linux_system_network_configuration_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 25
@@ -27,7 +27,7 @@ name = "Unusual Linux System Network Configuration Discovery"
 risk_score = 21
 rule_id = "f9590f47-6bd5-4a49-bd49-a2f886476fb9"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
@@ -41,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1016/"
 id = "TA0007"
 name = "Discovery"
 reference = "https://attack.mitre.org/tactics/TA0007/"
+
diff --git a/rules/ml/ml_linux_system_network_connection_discovery.toml b/rules/ml/ml_linux_system_network_connection_discovery.toml
index b3c7c76d7..5687c308e 100644
--- a/rules/ml/ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/ml_linux_system_network_connection_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 25
@@ -27,7 +27,7 @@ name = "Unusual Linux Network Connection Discovery"
 risk_score = 21
 rule_id = "c28c4d8c-f014-40ef-88b6-79a1d67cd499"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/ml_linux_system_process_discovery.toml b/rules/ml/ml_linux_system_process_discovery.toml
index 5d2d8bb0a..baf8d14f3 100644
--- a/rules/ml/ml_linux_system_process_discovery.toml
+++ b/rules/ml/ml_linux_system_process_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -27,7 +27,7 @@ name = "Unusual Linux Process Discovery Activity"
 risk_score = 21
 rule_id = "5c983105-4681-46c3-9890-0c66d05e776b"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/ml_linux_system_user_discovery.toml b/rules/ml/ml_linux_system_user_discovery.toml
index 485d8b41f..93624af73 100644
--- a/rules/ml/ml_linux_system_user_discovery.toml
+++ b/rules/ml/ml_linux_system_user_discovery.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 75
@@ -27,7 +27,7 @@ name = "Unusual Linux System Owner or User Discovery Activity"
 risk_score = 21
 rule_id = "59756272-1998-4b8c-be14-e287035c4d10"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/ml_packetbeat_dns_tunneling.toml b/rules/ml/ml_packetbeat_dns_tunneling.toml
index 4ef4c943f..e316512ad 100644
--- a/rules/ml/ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/ml_packetbeat_dns_tunneling.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -28,6 +28,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
 severity = "low"
-tags = ["Elastic", "ML", "Packetbeat"]
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_packetbeat_rare_dns_question.toml b/rules/ml/ml_packetbeat_rare_dns_question.toml
index 4d6c7cb0d..613bbfc63 100644
--- a/rules/ml/ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/ml_packetbeat_rare_dns_question.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -31,6 +31,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
 severity = "low"
-tags = ["Elastic", "ML", "Packetbeat"]
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index d43b74667..459b4663f 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
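Review bot: The new tag list for ml_packetbeat_dns_tunneling replaces `Packetbeat` outright instead of adding to it, whereas the Linux and Windows ML rules in this same commit keep their platform tag next to the new `Host` tag; anyone filtering on the `Packetbeat` data-source tag will silently lose these five rules. The same substitution is made in the ml_packetbeat_rare_dns_question, ml_packetbeat_rare_server_domain, ml_packetbeat_rare_urls and ml_packetbeat_rare_user_agent hunks that follow. If retiring the data-source tag in favour of `Network` is intentional it would be worth saying so in the commit description; otherwise `tags = ["Elastic", "Network", "Packetbeat", "Threat Detection", "ML"]` keeps both views working.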
@@ -31,6 +31,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126"
 severity = "low"
-tags = ["Elastic", "ML", "Packetbeat"]
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_packetbeat_rare_urls.toml b/rules/ml/ml_packetbeat_rare_urls.toml
index 964c86ad2..ac6118c46 100644
--- a/rules/ml/ml_packetbeat_rare_urls.toml
+++ b/rules/ml/ml_packetbeat_rare_urls.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -34,6 +34,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
 severity = "low"
-tags = ["Elastic", "ML", "Packetbeat"]
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_packetbeat_rare_user_agent.toml b/rules/ml/ml_packetbeat_rare_user_agent.toml
index b7a63fca3..e5108516f 100644
--- a/rules/ml/ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/ml_packetbeat_rare_user_agent.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -32,6 +32,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0"
 severity = "low"
-tags = ["Elastic", "ML", "Packetbeat"]
+tags = ["Elastic", "Network", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_rare_process_by_host_linux.toml b/rules/ml/ml_rare_process_by_host_linux.toml
index 5539b4d8a..1dfab8b74 100644
--- a/rules/ml/ml_rare_process_by_host_linux.toml
+++ b/rules/ml/ml_rare_process_by_host_linux.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -32,6 +32,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "46f804f5-b289-43d6-a881-9387cf594f75"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml
index 2fc7078a8..a64ed5bf0 100644
--- a/rules/ml/ml_rare_process_by_host_windows.toml
+++ b/rules/ml/ml_rare_process_by_host_windows.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -35,6 +35,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_suspicious_login_activity.toml b/rules/ml/ml_suspicious_login_activity.toml
index 8980a77d4..a07ede8ee 100644
--- a/rules/ml/ml_suspicious_login_activity.toml
+++ b/rules/ml/ml_suspicious_login_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -23,6 +23,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
 severity = "low"
-tags = ["Elastic", "Linux", "ML"]
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_windows_anomalous_metadata_process.toml b/rules/ml/ml_windows_anomalous_metadata_process.toml
index 9f6aa5974..8f38f0b97 100644
--- a/rules/ml/ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/ml_windows_anomalous_metadata_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -25,6 +25,6 @@ name = "Unusual Windows Process Calling the Metadata Service"
 risk_score = 21
 rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_windows_anomalous_metadata_user.toml b/rules/ml/ml_windows_anomalous_metadata_user.toml
index 07f0ba577..d6912ca67 100644
--- a/rules/ml/ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/ml_windows_anomalous_metadata_user.toml
@@ -2,14 +2,14 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be targeted in order to
-harvest credentials or user data scripts containing secrets.
+Looks for anomalous access to the cloud platform metadata service by an unusual user. The metadata service may be
+targeted in order to harvest credentials or user data scripts containing secrets.
 """
 false_positives = [
 """
@@ -25,5 +25,6 @@ name = "Unusual Windows User Calling the Metadata Service"
 risk_score = 21
 rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
+
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 3601eba0e..ed49668e0 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -33,6 +33,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_windows_anomalous_path_activity.toml b/rules/ml/ml_windows_anomalous_path_activity.toml
index abda3df7a..deecd3f40 100644
--- a/rules/ml/ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/ml_windows_anomalous_path_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -29,6 +29,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_windows_anomalous_process_all_hosts.toml b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
index e60d2aeef..d1b251994 100644
--- a/rules/ml/ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -35,6 +35,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_windows_anomalous_process_creation.toml b/rules/ml/ml_windows_anomalous_process_creation.toml
index febcb1641..16181c51b 100644
--- a/rules/ml/ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/ml_windows_anomalous_process_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -30,6 +30,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_windows_anomalous_script.toml b/rules/ml/ml_windows_anomalous_script.toml
index 479612d16..9697b861a 100644
--- a/rules/ml/ml_windows_anomalous_script.toml
+++ b/rules/ml/ml_windows_anomalous_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -26,6 +26,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_windows_anomalous_service.toml b/rules/ml/ml_windows_anomalous_service.toml
index ff77ae8e9..f11eaca9b 100644
--- a/rules/ml/ml_windows_anomalous_service.toml
+++ b/rules/ml/ml_windows_anomalous_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -27,6 +27,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_windows_anomalous_user_name.toml b/rules/ml/ml_windows_anomalous_user_name.toml
index aff7da868..0dd98fe89 100644
--- a/rules/ml/ml_windows_anomalous_user_name.toml
+++ b/rules/ml/ml_windows_anomalous_user_name.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -38,6 +38,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_windows_rare_user_runas_event.toml b/rules/ml/ml_windows_rare_user_runas_event.toml
index c3dc8c9b3..e0f8b0a4d 100644
--- a/rules/ml/ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/ml_windows_rare_user_runas_event.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -27,6 +27,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/ml/ml_windows_rare_user_type10_remote_login.toml b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
index 54314f69b..edd481729 100644
--- a/rules/ml/ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 [rule]
 anomaly_threshold = 50
@@ -31,6 +31,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
 severity = "low"
-tags = ["Elastic", "ML", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML"]
 type = "machine_learning"
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index e0c111252..3eb249f28 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/06"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 73
 rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c"
 severity = "high"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
@@ -54,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1483/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_dns_directly_to_the_internet.toml b/rules/network/command_and_control_dns_directly_to_the_internet.toml
index 75feeed62..0613fe29b 100644
--- a/rules/network/command_and_control_dns_directly_to_the_internet.toml
+++ b/rules/network/command_and_control_dns_directly_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "6ea71ff0-9e95-475b-9506-2580d1ce6154"
 severity = "medium"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index c7fb8ac3a..d4d325a4b 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 47
 rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92"
 severity = "medium"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
@@ -42,7 +42,7 @@ event.category:(network OR network_traffic) AND network.protocol:http AND url.pa
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1105"
-name = " Ingress Tool Transfer "
+name = "Ingress Tool Transfer"
 reference = "https://attack.mitre.org/techniques/T1105/"
@@ -50,3 +50,4 @@ reference = "https://attack.mitre.org/techniques/T1105/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index f05596f14..021be4b78 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/07"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 73
 rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3"
 severity = "high"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
index e87b6307f..c4c4cd31b 100644
--- a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ name = "FTP (File Transfer Protocol) Activity to the Internet"
 risk_score = 21
 rule_id = "87ec6396-9ac4-4706-bcf0-2ebb22002f43"
 severity = "low"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index 525293465..e9eee45d5 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/06"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/06"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "2e580225-2a58-48ef-938b-572933be06fe"
 severity = "high"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
@@ -55,3 +55,4 @@ reference = "https://attack.mitre.org/techniques/T1483/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
+
diff --git a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
index 2fed41635..fe167b7b3 100644
--- a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ name = "IRC (Internet Relay Chat) Protocol Activity to the Internet"
 risk_score = 47
 rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa"
 severity = "medium"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index a4a126de3..9896bd62b 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ name = "IPSEC NAT Traversal Port Activity"
 risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index c7daa999a..d11ad0b92 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
index fdfa2e960..201be85e8 100644
--- a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ name = "TCP Port 8000 Activity to the Internet"
 risk_score = 21
 rule_id = "08d5d7e2-740f-44d8-aeda-e41f4263efaf"
 severity = "low"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
index b581ffdd3..259a6e3ff 100644
--- a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
+++ b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "PPTP (Point to Point Tunneling Protocol) Activity"
 risk_score = 21
 rule_id = "d2053495-8fe7-4168-b3df-dad844046be3"
 severity = "low"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
index 56f471950..4736038be 100644
--- a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ name = "Proxy Port Activity to the Internet"
 risk_score = 47
 rule_id = "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3"
 severity = "medium"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 851ec5165..fbdd459bd 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ name = "RDP (Remote Desktop Protocol) from the Internet"
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_smtp_to_the_internet.toml b/rules/network/command_and_control_smtp_to_the_internet.toml
index 806de7984..410aa10fd 100644
--- a/rules/network/command_and_control_smtp_to_the_internet.toml
+++ b/rules/network/command_and_control_smtp_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ name = "SMTP to the Internet"
 risk_score = 21
 rule_id = "67a9beba-830d-4035-bfe8-40b7e28f8ac4"
 severity = "low"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
index d8eb9ab15..9fada6c0e 100644
--- a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "SQL Traffic to the Internet"
 risk_score = 47
 rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd"
 severity = "medium"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
index 0198af8f9..8ce96d4ca 100644
--- a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ name = "SSH (Secure Shell) from the Internet"
 risk_score = 47
 rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17"
 severity = "medium"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
index dd7b33850..fcdb8ed01 100644
--- a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ name = "SSH (Secure Shell) to the Internet"
 risk_score = 21
 rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4"
 severity = "low"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
index 471fe9b96..cdb62f8c1 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_telnet_port_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ name = "Telnet Port Activity"
 risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 severity = "medium"
-tags = ["Elastic", "Host", "Network"]
+tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/network/command_and_control_tor_activity_to_the_internet.toml b/rules/network/command_and_control_tor_activity_to_the_internet.toml
index e23cf3069..48ab6049b 100644
--- a/rules/network/command_and_control_tor_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_tor_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "Tor Activity to the Internet" risk_score = 47 rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540" severity = "medium" -tags = ["Elastic", "Host", "Network"] +tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] type = "query" query = ''' diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index 455bcd010..ade01435d 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/21" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ name = "VNC (Virtual Network Computing) from the Internet" risk_score = 73 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8" severity = "high" -tags = ["Elastic", "Host", "Network"] +tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] type = "query" query = ''' diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index d9147a222..d7ec53387 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/21" +updated_date = "2020/10/26" [rule] author = ["Elastic"] 
@@ -27,7 +27,7 @@ name = "VNC (Virtual Network Computing) to the Internet" risk_score = 47 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf" severity = "medium" -tags = ["Elastic", "Host", "Network"] +tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"] type = "query" query = ''' diff --git a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml index fc35ac27c..cbb9d91b6 100644 --- a/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml +++ b/rules/network/discovery_post_exploitation_public_ip_reconnaissance.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/04" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/04" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = [ risk_score = 21 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511" severity = "low" -tags = ["Elastic", "Network"] +tags = ["Elastic", "Network", "Threat Detection", "Discovery"] type = "query" query = ''' @@ -51,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1016/" id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" + diff --git a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml index 34a97fc97..59d54e3cd 100644 --- a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml +++ b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/21" +updated_date = "2020/10/26" [rule] author = ["Elastic"] 
@@ -28,7 +28,7 @@ name = "RDP (Remote Desktop Protocol) to the Internet" risk_score = 21 rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5" severity = "low" -tags = ["Elastic", "Host", "Network"] +tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"] type = "query" query = ''' diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 900b44a67..a1810002a 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/21" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ name = "RPC (Remote Procedure Call) from the Internet" risk_score = 73 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a" severity = "high" -tags = ["Elastic", "Host", "Network"] +tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"] type = "query" query = ''' diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index e751127ec..ff7001335 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/21" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ name = "RPC (Remote Procedure Call) to the Internet" risk_score = 73 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb" severity = "high" -tags = ["Elastic", "Host", "Network"] +tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"] type = "query" query = ''' 
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index 66bf37e19..87ac27121 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/10/21" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ name = "SMB (Windows File Sharing) Activity to the Internet" risk_score = 73 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a" severity = "high" -tags = ["Elastic", "Host", "Network"] +tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"] type = "query" query = ''' diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index 3a236c259..547935ba2 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml +++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml @@ -2,13 +2,13 @@ creation_date = "2020/08/11" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/08/11" +updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack -authentication, and are accepting inbound network connections over the default Elasticsearch port. +Identifies Elasticsearch nodes that do not have Transport Layer Security (TLS), and/or lack authentication, and are +accepting inbound network connections over the default Elasticsearch port. """ false_positives = [ """ 
@@ -28,7 +28,7 @@ references = [ risk_score = 47 rule_id = "31295df3-277b-4c56-a1fb-84e31b4222a9" severity = "medium" -tags = ["Elastic", "Network"] +tags = ["Elastic", "Network", "Threat Detection", "Initial Access"] type = "query" query = ''' @@ -48,3 +48,4 @@ reference = "https://attack.mitre.org/techniques/T1190/" id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" + diff --git a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml index 60a43c6d6..ee2500013 100644 --- a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -22,7 +22,7 @@ references = [ risk_score = 73 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0" severity = "high" -tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] type = "query" query = ''' diff --git a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index 6dd58d88c..cbf415f35 100644 --- a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] 
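Review bot: The new tags line for credential_access_attempted_bypass_of_okta_mfa.toml adds `Identity` but no MITRE tactic tag, whereas every network/ rule touched in this same patch gains `Threat Detection` plus its tactic (`Command and Control`, `Initial Access`, `Discovery`), so anyone filtering the rule list by tactic will not see this rule even though its file name places it under credential access. The same tactic-less treatment is applied to every Okta hunk in this patch, which suggests a deliberate split between a Continuous Monitoring use case and Threat Detection, but the PR description does not say so and nothing in the hunks records the convention. Either append the tactic, `tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access", "Credential Access"]`, or document in the contributing guide that Continuous Monitoring rules intentionally carry no tactic tag. The rule's `[[rule.threat]]` block, which would confirm which tactic applies, is outside this hunk.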
@@ -24,7 +24,7 @@ references = [ risk_score = 47 rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49" severity = "medium" -tags = ["Elastic", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] type = "threshold" query = ''' diff --git a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml index fa850a4a7..9ccc03f10 100644 --- a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml +++ b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/16" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0" severity = "medium" -tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] type = "threshold" query = ''' diff --git a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 53cbf547a..4d2b4ab17 100644 --- a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -2,7 +2,7 @@ creation_date = "2020/08/19" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] 
@@ -31,11 +31,11 @@ references = [ risk_score = 47 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457" severity = "medium" -tags = ["Elastic", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] type = "threshold" query = ''' - event.dataset:okta.system and +event.dataset:okta.system and event.action:(system.email.account_unlock.sent_message or system.email.password_reset.sent_message or system.sms.send_account_unlock_message or system.sms.send_password_reset_message or system.voice.send_account_unlock_call or system.voice.send_password_reset_call or diff --git a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml index a4ec7c78d..a0ece548e 100644 --- a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml +++ b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ references = [ risk_score = 21 rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7" severity = "low" -tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" query = ''' diff --git a/rules/okta/impact_possible_okta_dos_attack.toml b/rules/okta/impact_possible_okta_dos_attack.toml index c902b9881..9f1bae1ca 100644 --- a/rules/okta/impact_possible_okta_dos_attack.toml +++ b/rules/okta/impact_possible_okta_dos_attack.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] 
@@ -22,7 +22,7 @@ references = [ risk_score = 47 rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68" severity = "medium" -tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" query = ''' diff --git a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml index d16913348..88910f1f2 100644 --- a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml +++ b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ references = [ risk_score = 47 rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588" severity = "medium" -tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" query = ''' diff --git a/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml index e4cbe6e05..70a438c74 100644 --- a/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml +++ b/rules/okta/okta_attempt_to_deactivate_okta_mfa_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ references = [ risk_score = 21 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0" severity = "low" -tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] type = "query" query = ''' 
diff --git a/rules/okta/okta_attempt_to_delete_okta_policy.toml b/rules/okta/okta_attempt_to_delete_okta_policy.toml index 7b8cc0432..bd6886992 100644 --- a/rules/okta/okta_attempt_to_delete_okta_policy.toml +++ b/rules/okta/okta_attempt_to_delete_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/28" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = [ risk_score = 21 rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9" severity = "low" -tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" query = ''' diff --git a/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml b/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml index 70123a11b..c96852292 100644 --- a/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml +++ b/rules/okta/okta_attempt_to_modify_okta_mfa_rule.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ references = [ risk_score = 21 rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19" severity = "low" -tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] type = "query" query = ''' diff --git a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml index 451beddcc..3ec00a4f0 100644 --- a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml +++ b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] 
@@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3" severity = "medium" -tags = ["Elastic", "Okta", "SecOps", "Network", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security"] type = "query" query = ''' diff --git a/rules/okta/okta_attempt_to_modify_okta_policy.toml b/rules/okta/okta_attempt_to_modify_okta_policy.toml index a72c6270d..952759653 100644 --- a/rules/okta/okta_attempt_to_modify_okta_policy.toml +++ b/rules/okta/okta_attempt_to_modify_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = [ risk_score = 21 rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45" severity = "low" -tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" query = ''' diff --git a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index 6d050b085..cdd8511b5 100644 --- a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/01" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ references = [ risk_score = 47 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe" severity = "medium" -tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] type = "query" query = ''' 
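Review bot: This hunk for okta_attempt_to_modify_okta_network_zone.toml replaces the `Network` tag with `Network Security` instead of adding a tag, so any saved filter, dashboard or automation keyed on `Network` for this rule will silently stop matching after the update; it is the only Okta rule in the patch whose existing tag set is altered rather than extended, and the PR description ("Add new categorization tags") does not mention a rename. `Network Security` is not used by any other rule visible here, while the network/ rules in the same patch keep the plain `Network` tag, so the name should be checked against the intended taxonomy before it ships. If the rename is intentional, keeping the old tag alongside for one release, `tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network", "Network Security"]`, lets existing filters keep working while consumers migrate.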
diff --git a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml index d8f4ca16d..e40e8d570 100644 --- a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml +++ b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ references = [ risk_score = 47 rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9" severity = "medium" -tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" query = ''' diff --git a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index 3392babcf..88decc731 100644 --- a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +++ b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ references = [ risk_score = 21 rule_id = "b8075894-0b62-46e5-977c-31275da34419" severity = "low" -tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" query = ''' diff --git a/rules/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/okta/persistence_attempt_to_create_okta_api_token.toml index f11c2e5ba..68dfcc859 100644 --- a/rules/okta/persistence_attempt_to_create_okta_api_token.toml +++ b/rules/okta/persistence_attempt_to_create_okta_api_token.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = [ risk_score = 21 rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5" severity = "low" -tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" query = ''' diff --git a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml index 786c82b06..3d88fd685 100644 --- a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml +++ b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/20" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ references = [ risk_score = 21 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8" severity = "low" -tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] type = "query" query = ''' diff --git a/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml b/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml index d8ee083ea..f3fd61764 100644 --- a/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml +++ b/rules/okta/persistence_attempt_to_deactivate_okta_policy.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] 
@@ -29,7 +29,7 @@ references = [ risk_score = 21 rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe" severity = "low" -tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"] type = "query" query = ''' diff --git a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index c151d5fff..73e96aa55 100644 --- a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/21" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/09/15" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ references = [ risk_score = 21 rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181" severity = "low" -tags = ["Elastic", "Okta", "SecOps", "Identity and Access", "Continuous Monitoring"] +tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"] type = "query" query = ''' diff --git a/rules/promotions/elastic_endpoint.toml b/rules/promotions/elastic_endpoint.toml index 43671e9d8..ee00f0e67 100644 --- a/rules/promotions/elastic_endpoint.toml +++ b/rules/promotions/elastic_endpoint.toml @@ -2,7 +2,7 @@ creation_date = "2020/07/08" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/07/08" +updated_date = "2020/10/26" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ risk_score = 47 rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306" rule_name_override = "message" severity = "medium" -tags = ["Elastic", "Endpoint"] +tags = ["Elastic", "Endpoint Security"] timestamp_override = "event.ingested" type = "query" @@ -65,3 +65,4 @@ operator = "equals" value = "99" severity = "critical" + 
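Review bot: In promotions/elastic_endpoint.toml the tags change drops `Endpoint` in favour of `Endpoint Security` rather than adding to the list, and the same replacement is repeated in every promotions/ rule that follows, so filters or alert-routing automation keyed on the `Endpoint` tag will stop matching these promotion alerts without any failure signal; the severity-mapping entry visible at the end of this hunk escalates them to `severity = "critical"`, which is exactly the class of alert one would not want to lose from a saved view. The PR title and description describe tag additions only, so the rename should be called out as a behaviour change in the release notes, or the old tag kept for a deprecation period, `tags = ["Elastic", "Endpoint", "Endpoint Security"]`. Whether any downstream consumer actually filters on `Endpoint` cannot be told from the diff, so this is a caution rather than a confirmed break.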
diff --git a/rules/promotions/endpoint_adversary_behavior_detected.toml b/rules/promotions/endpoint_adversary_behavior_detected.toml index 554c5643f..a29dd194b 100644 --- a/rules/promotions/endpoint_adversary_behavior_detected.toml +++ b/rules/promotions/endpoint_adversary_behavior_detected.toml @@ -2,13 +2,13 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -Endpoint Security detected an Adversary Behavior. Click the Endpoint Security icon in the event.module -column or the link in the rule.reference column for additional information. +Endpoint Security detected an Adversary Behavior. Click the Endpoint Security icon in the event.module column or the +link in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -19,7 +19,7 @@ name = "Adversary Behavior - Detected - Endpoint Security" risk_score = 47 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" severity = "medium" -tags = ["Elastic", "Endpoint"] +tags = ["Elastic", "Endpoint Security"] type = "query" query = ''' diff --git a/rules/promotions/endpoint_cred_dumping_detected.toml b/rules/promotions/endpoint_cred_dumping_detected.toml index 849f484dc..1ed7f9b1b 100644 --- a/rules/promotions/endpoint_cred_dumping_detected.toml +++ b/rules/promotions/endpoint_cred_dumping_detected.toml 
@@ -2,13 +2,13 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -Endpoint Security detected Credential Dumping. Click the Endpoint Security icon in the event.module -column or the link in the rule.reference column for additional information. +Endpoint Security detected Credential Dumping. Click the Endpoint Security icon in the event.module column or the link +in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -19,7 +19,7 @@ name = "Credential Dumping - Detected - Endpoint Security" risk_score = 73 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" severity = "high" -tags = ["Elastic", "Endpoint"] +tags = ["Elastic", "Endpoint Security"] type = "query" query = ''' diff --git a/rules/promotions/endpoint_cred_dumping_prevented.toml b/rules/promotions/endpoint_cred_dumping_prevented.toml index ac9e57329..21063735b 100644 --- a/rules/promotions/endpoint_cred_dumping_prevented.toml +++ b/rules/promotions/endpoint_cred_dumping_prevented.toml @@ -2,13 +2,13 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -Endpoint Security prevented Credential Dumping. Click the Endpoint Security icon in the event.module -column or the link in the rule.reference column for additional information. +Endpoint Security prevented Credential Dumping. Click the Endpoint Security icon in the event.module column or the link +in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -19,7 +19,7 @@ name = "Credential Dumping - Prevented - Endpoint Security" risk_score = 47 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" severity = "medium" -tags = ["Elastic", "Endpoint"] +tags = ["Elastic", "Endpoint Security"] type = "query" query = ''' 
diff --git a/rules/promotions/endpoint_cred_manipulation_detected.toml b/rules/promotions/endpoint_cred_manipulation_detected.toml index 32f644210..dcc743a38 100644 --- a/rules/promotions/endpoint_cred_manipulation_detected.toml +++ b/rules/promotions/endpoint_cred_manipulation_detected.toml @@ -2,13 +2,13 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -Endpoint Security detected Credential Manipulation. Click the Endpoint Security icon in the event.module -column or the link in the rule.reference column for additional information. +Endpoint Security detected Credential Manipulation. Click the Endpoint Security icon in the event.module column or the +link in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -19,7 +19,7 @@ name = "Credential Manipulation - Detected - Endpoint Security" risk_score = 73 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" severity = "high" -tags = ["Elastic", "Endpoint"] +tags = ["Elastic", "Endpoint Security"] type = "query" query = ''' diff --git a/rules/promotions/endpoint_cred_manipulation_prevented.toml b/rules/promotions/endpoint_cred_manipulation_prevented.toml index 4e503130e..2339b1255 100644 --- a/rules/promotions/endpoint_cred_manipulation_prevented.toml +++ b/rules/promotions/endpoint_cred_manipulation_prevented.toml 
@@ -2,13 +2,13 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -Endpoint Security prevented Credential Manipulation. Click the Endpoint Security icon in the -event.module column or the link in the rule.reference column for additional information. +Endpoint Security prevented Credential Manipulation. Click the Endpoint Security icon in the event.module column or the +link in the rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -19,7 +19,7 @@ name = "Credential Manipulation - Prevented - Endpoint Security" risk_score = 47 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" severity = "medium" -tags = ["Elastic", "Endpoint"] +tags = ["Elastic", "Endpoint Security"] type = "query" query = ''' diff --git a/rules/promotions/endpoint_exploit_detected.toml b/rules/promotions/endpoint_exploit_detected.toml index 0e015f4fb..acd7f5707 100644 --- a/rules/promotions/endpoint_exploit_detected.toml +++ b/rules/promotions/endpoint_exploit_detected.toml @@ -2,13 +2,13 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -Endpoint Security detected an Exploit. Click the Endpoint Security icon in the event.module column or -the link in the rule.reference column for additional information. +Endpoint Security detected an Exploit. Click the Endpoint Security icon in the event.module column or the link in the +rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -19,7 +19,7 @@ name = "Exploit - Detected - Endpoint Security" risk_score = 73 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" severity = "high" -tags = ["Elastic", "Endpoint"] +tags = ["Elastic", "Endpoint Security"] type = "query" query = ''' 
diff --git a/rules/promotions/endpoint_exploit_prevented.toml b/rules/promotions/endpoint_exploit_prevented.toml index e47421eac..0fe022ebc 100644 --- a/rules/promotions/endpoint_exploit_prevented.toml +++ b/rules/promotions/endpoint_exploit_prevented.toml @@ -2,13 +2,13 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -Endpoint Security prevented an Exploit. Click the Endpoint Security icon in the event.module column or -the link in the rule.reference column for additional information. +Endpoint Security prevented an Exploit. Click the Endpoint Security icon in the event.module column or the link in the +rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] @@ -19,7 +19,7 @@ name = "Exploit - Prevented - Endpoint Security" risk_score = 47 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" severity = "medium" -tags = ["Elastic", "Endpoint"] +tags = ["Elastic", "Endpoint Security"] type = "query" query = ''' diff --git a/rules/promotions/endpoint_malware_detected.toml b/rules/promotions/endpoint_malware_detected.toml index 9ba7e095f..baff21372 100644 --- a/rules/promotions/endpoint_malware_detected.toml +++ b/rules/promotions/endpoint_malware_detected.toml @@ -2,13 +2,13 @@ creation_date = "2020/02/18" ecs_version = ["1.6.0"] maturity = "production" -updated_date = "2020/02/18" +updated_date = "2020/10/26" [rule] author = ["Elastic"] description = """ -Endpoint Security detected Malware. Click the Endpoint Security icon in the event.module column or the -link in the rule.reference column for additional information. +Endpoint Security detected Malware. Click the Endpoint Security icon in the event.module column or the link in the +rule.reference column for additional information. """ from = "now-15m" index = ["endgame-*"] 
@@ -19,7 +19,7 @@ name = "Malware - Detected - Endpoint Security"
 risk_score = 99
 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
 severity = "critical"
-tags = ["Elastic", "Endpoint"]
+tags = ["Elastic", "Endpoint Security"]
 type = "query"
 query = '''
diff --git a/rules/promotions/endpoint_malware_prevented.toml b/rules/promotions/endpoint_malware_prevented.toml
index 78f76d5d2..a6302e98b 100644
--- a/rules/promotions/endpoint_malware_prevented.toml
+++ b/rules/promotions/endpoint_malware_prevented.toml
@@ -2,13 +2,13 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Endpoint Security prevented Malware. Click the Endpoint Security icon in the event.module column or the
-link in the rule.reference column for additional information.
+Endpoint Security prevented Malware. Click the Endpoint Security icon in the event.module column or the link in the
+rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -19,7 +19,7 @@ name = "Malware - Prevented - Endpoint Security"
 risk_score = 73
 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
 severity = "high"
-tags = ["Elastic", "Endpoint"]
+tags = ["Elastic", "Endpoint Security"]
 type = "query"
 query = '''
diff --git a/rules/promotions/endpoint_permission_theft_detected.toml b/rules/promotions/endpoint_permission_theft_detected.toml
index 69d8d9d59..47312e777 100644
--- a/rules/promotions/endpoint_permission_theft_detected.toml
+++ b/rules/promotions/endpoint_permission_theft_detected.toml
@@ -2,13 +2,13 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Endpoint Security detected Permission Theft. Click the Endpoint Security icon in the event.module column
-or the link in the rule.reference column for additional information.
+Endpoint Security detected Permission Theft. Click the Endpoint Security icon in the event.module column or the link in
+the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -19,7 +19,7 @@ name = "Permission Theft - Detected - Endpoint Security"
 risk_score = 73
 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
 severity = "high"
-tags = ["Elastic", "Endpoint"]
+tags = ["Elastic", "Endpoint Security"]
 type = "query"
 query = '''
diff --git a/rules/promotions/endpoint_permission_theft_prevented.toml b/rules/promotions/endpoint_permission_theft_prevented.toml
index c76c61c6d..c2e85dc04 100644
--- a/rules/promotions/endpoint_permission_theft_prevented.toml
+++ b/rules/promotions/endpoint_permission_theft_prevented.toml
@@ -2,13 +2,13 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Endpoint Security prevented Permission Theft. Click the Endpoint Security icon in the event.module
-column or the link in the rule.reference column for additional information.
+Endpoint Security prevented Permission Theft. Click the Endpoint Security icon in the event.module column or the link in
+the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -19,7 +19,7 @@ name = "Permission Theft - Prevented - Endpoint Security"
 risk_score = 47
 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
 severity = "medium"
-tags = ["Elastic", "Endpoint"]
+tags = ["Elastic", "Endpoint Security"]
 type = "query"
 query = '''
diff --git a/rules/promotions/endpoint_process_injection_detected.toml b/rules/promotions/endpoint_process_injection_detected.toml
index 937c846d6..12e4414b5 100644
--- a/rules/promotions/endpoint_process_injection_detected.toml
+++ b/rules/promotions/endpoint_process_injection_detected.toml
@@ -2,13 +2,13 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Endpoint Security detected Process Injection. Click the Endpoint Security icon in the event.module
-column or the link in the rule.reference column for additional information.
+Endpoint Security detected Process Injection. Click the Endpoint Security icon in the event.module column or the link in
+the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -19,7 +19,7 @@ name = "Process Injection - Detected - Endpoint Security"
 risk_score = 73
 rule_id = "80c52164-c82a-402c-9964-852533d58be1"
 severity = "high"
-tags = ["Elastic", "Endpoint"]
+tags = ["Elastic", "Endpoint Security"]
 type = "query"
 query = '''
diff --git a/rules/promotions/endpoint_process_injection_prevented.toml b/rules/promotions/endpoint_process_injection_prevented.toml
index 7e2b1a10d..916bd5795 100644
--- a/rules/promotions/endpoint_process_injection_prevented.toml
+++ b/rules/promotions/endpoint_process_injection_prevented.toml
@@ -2,13 +2,13 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Endpoint Security prevented Process Injection. Click the Endpoint Security icon in the event.module
-column or the link in the rule.reference column for additional information.
+Endpoint Security prevented Process Injection. Click the Endpoint Security icon in the event.module column or the link
+in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -19,7 +19,7 @@ name = "Process Injection - Prevented - Endpoint Security"
 risk_score = 47
 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
 severity = "medium"
-tags = ["Elastic", "Endpoint"]
+tags = ["Elastic", "Endpoint Security"]
 type = "query"
 query = '''
diff --git a/rules/promotions/endpoint_ransomware_detected.toml b/rules/promotions/endpoint_ransomware_detected.toml
index f1d3efff1..217f281d4 100644
--- a/rules/promotions/endpoint_ransomware_detected.toml
+++ b/rules/promotions/endpoint_ransomware_detected.toml
@@ -2,13 +2,13 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Endpoint Security detected Ransomware. Click the Endpoint Security icon in the event.module column or
-the link in the rule.reference column for additional information.
+Endpoint Security detected Ransomware. Click the Endpoint Security icon in the event.module column or the link in the
+rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -19,7 +19,7 @@ name = "Ransomware - Detected - Endpoint Security"
 risk_score = 99
 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
 severity = "critical"
-tags = ["Elastic", "Endpoint"]
+tags = ["Elastic", "Endpoint Security"]
 type = "query"
 query = '''
diff --git a/rules/promotions/endpoint_ransomware_prevented.toml b/rules/promotions/endpoint_ransomware_prevented.toml
index 7ccef9907..005badd58 100644
--- a/rules/promotions/endpoint_ransomware_prevented.toml
+++ b/rules/promotions/endpoint_ransomware_prevented.toml
@@ -2,13 +2,13 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/02/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-Endpoint Security prevented Ransomware. Click the Endpoint Security icon in the event.module column or
-the link in the rule.reference column for additional information.
+Endpoint Security prevented Ransomware. Click the Endpoint Security icon in the event.module column or the link in the
+rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
@@ -19,7 +19,7 @@ name = "Ransomware - Prevented - Endpoint Security"
 risk_score = 73
 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
 severity = "high"
-tags = ["Elastic", "Endpoint"]
+tags = ["Elastic", "Endpoint Security"]
 type = "query"
 query = '''
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml
index 355f4d2e8..f62fde01f 100644
--- a/rules/promotions/external_alerts.toml
+++ b/rules/promotions/external_alerts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/08"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/08"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ risk_score = 47
 rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa"
 rule_name_override = "message"
 severity = "medium"
-tags = ["Elastic", "Windows", "APM", "Network", "macOS", "Linux"]
+tags = ["Elastic", "Network", "Windows", "APM", "macOS", "Linux"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml
index b5cc103ab..8f041cd17 100644
--- a/rules/windows/command_and_control_certutil_network_connection.toml
+++ b/rules/windows/command_and_control_certutil_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Network Connection via Certutil"
 risk_score = 21
 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 08a12960b..34fef4d19 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://labs.sentinelone.com/living-off-windows-land-a-new-native
 risk_score = 47
 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 20fb08a8e..2d808b5bb 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = [
 risk_score = 47
 rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index fe1559bd5..c08e5e1c5 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ references = ["https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.ht
 risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
 type = "query"
 query = '''
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 178c6f11e..55e7a6659 100755
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Microsoft Build Engine Loading Windows Credential Libraries"
 risk_score = 73
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
 type = "query"
 query = '''
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index cd92ddf23..a907f2aaa 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/13"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/13"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
 risk_score = 73
 rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
 type = "query"
 query = '''
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index e61dca4a1..9789018b4 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-
 risk_score = 73
 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
 type = "query"
 query = '''
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 5f319bb2c..09d937554 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 73
 rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
 type = "query"
 query = '''
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index 3653d2e88..a7bf07fc1 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ name = "Mimikatz Memssp Log File Detected"
 risk_score = 73
 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 1ace7f49b..b177cde38 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ name = "Adding Hidden File Attribute via Attrib"
 risk_score = 21
 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 721c2a781..c6c813fb7 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Clearing Windows Event Logs"
 risk_score = 21
 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_code_injection_conhost.toml b/rules/windows/defense_evasion_code_injection_conhost.toml
index 3af98dcdc..700e8207b 100644
--- a/rules/windows/defense_evasion_code_injection_conhost.toml
+++ b/rules/windows/defense_evasion_code_injection_conhost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = [
 risk_score = 73
 rule_id = "28896382-7d4f-4d50-9b72-67091901fd26"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index 94d248e6c..20ba923fe 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/19"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
 risk_score = 21
 rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 408fdbb20..5e06f8f8a 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Delete Volume USN Journal with Fsutil"
 risk_score = 21
 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
index cdd94251a..9d7f623b7 100644
--- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Deleting Backup Catalogs with Wbadmin"
 risk_score = 21
 rule_id = "581add16-df76-42bb-af8e-c979bfb39a59"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index e1606f880..be511b266 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Disable Windows Firewall Rules via Netsh"
 risk_score = 47
 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 96c223d85..73cd40bca 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ name = "Suspicious .NET Code Compilation"
 risk_score = 47
 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
index 12ab8c956..fe8d9a9b3 100644
--- a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
+++ b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Encoding or Decoding Files via CertUtil"
 risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index 729d127e1..54f96922e 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m
 risk_score = 73
 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index a58ba6b86..3d556736d 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Microsoft Build Engine Started by a Script Process"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 426d5c5f9..d0f02e76c 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Microsoft Build Engine Started by a System Process"
 risk_score = 47
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index 7d02df3c7..1e6347e40 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Microsoft Build Engine Using an Alternate Name"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 6d907bde0..2dadf7a1b 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 51453db17..7b1dbdd65 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Potential DLL SideLoading via Trusted Microsoft Programs"
 risk_score = 73
 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
index a23246f33..605df5aed 100644
--- a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
+++ b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ name = "Trusted Developer Application Usage"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 65a6f3556..6021fad3c 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/14"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "IIS HTTP Logging Disabled"
 risk_score = 73
 rule_id = "ebf1adea-ccf2-4943-8b96-7ab11ca173a5"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index 25f0e4bb3..228e2cf4a 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/03/25"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Process Injection by the Microsoft Build Engine"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index 474df330d..42569e87c 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "InstallUtil Process Making Network Connections"
 risk_score = 21
 rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 query = '''
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1118/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index 9f312141e..87c35c1ac 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
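Review bot: In the InstallUtil tags hunk, the context lines pair `risk_score = 21` with `severity = "medium"`, while every other rule in this change pairs 21 with `low` and 47 with `medium`; the same mismatch appears in the MsBuild Network Connection Sequence, Mshta and MsXsl tag hunks. Since this tuning pass already rewrites the line directly below those two fields, it is the natural place to reconcile them — either `risk_score = 47` to match the declared severity or `severity = "low"` to match the score; which one is intended is not visible in the diff. Leaving them inconsistent matters because severity drives analyst triage while risk_score drives prioritization, so these four network-connection rules will sort differently depending on which field a workflow keys on. Separately, and hedged because it is outside the hunk proper, the technique references on the trailing-blank-line hunks for InstallUtil (T1118) and Mshta (T1170) look like IDs that ATT&CK has since folded into T1218 sub-techniques; worth confirming against the current matrix while these files are being touched.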
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -2,13 +2,13 @@
 creation_date = "2020/08/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
 description = """
-A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of
-code injection.
+A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of code
+injection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
@@ -18,7 +18,7 @@ name = "Suspicious Endpoint Security Parent Process"
 risk_score = 47
 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
@@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index dd1492f35..f5d4cb5be 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Renamed AutoIt Scripts Interpreter"
 risk_score = 47
 rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index ce6c6c729..b68ff66f7 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
 risk_score = 47
 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index 893536086..951fdb67e 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/24"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ references = [
 risk_score = 47
 rule_id = "6ea41894-66c3-4df7-ad6b-2c5074eb3df8"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 query = '''
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 58188227d..77c83b46a 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Network Connection via Signed Binary"
 risk_score = 21
 rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml
index 50a299ba5..c288a6450 100644
--- a/rules/windows/defense_evasion_modification_of_boot_config.toml
+++ b/rules/windows/defense_evasion_modification_of_boot_config.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Modification of Boot Configuration"
 risk_score = 21
 rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index 89235e51c..b17cc5311 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "MsBuild Network Connection Sequence"
 risk_score = 21
 rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
@@ -41,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1127/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 3f489db5b..13d097b21 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Mshta Making Network Connections"
 risk_score = 21
 rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
@@ -44,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1170/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index 80e27bcde..baec09084 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "MsXsl Making Network Connections"
 risk_score = 21
 rule_id = "870d1753-1078-403e-92d4-735f142edcca"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
@@ -40,3 +40,4 @@ reference = "https://attack.mitre.org/techniques/T1220/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index e09822805..108caeddc 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Unusual Network Activity from a Windows System Binary"
 risk_score = 21
 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
@@ -82,3 +82,4 @@ reference = "https://attack.mitre.org/techniques/T1127/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_reg_beacon.toml b/rules/windows/defense_evasion_reg_beacon.toml
index c4fa0ea4c..0d6b9891b 100644
--- a/rules/windows/defense_evasion_reg_beacon.toml
+++ b/rules/windows/defense_evasion_reg_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Registration Tool Making Network Connections"
 risk_score = 21
 rule_id = "6d3456a5-4a42-49d1-aaf2-7b1fd475b2c6"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
@@ -45,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1121/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index a99a2242a..4f68bb815 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Unusual Child Processes of RunDLL32"
 risk_score = 21
 rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
@@ -47,3 +47,4 @@ reference = "https://attack.mitre.org/techniques/T1085/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_rundll32_sequence.toml b/rules/windows/defense_evasion_rundll32_sequence.toml
index e8ca63a35..17834c682 100644
--- a/rules/windows/defense_evasion_rundll32_sequence.toml
+++ b/rules/windows/defense_evasion_rundll32_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Unusual Network Connection Sequence via RunDLL32"
 risk_score = 21
 rule_id = "2b347f66-6739-4ae3-bd94-195036dde8b3"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
@@ -45,3 +45,4 @@ reference = "https://attack.mitre.org/techniques/T1085/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 65675bef0..a8e73980f 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/18"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ note = "Verify process details such as command line and hash to confirm this act
 risk_score = 21
 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index 2463d6f42..ee1f4e90f 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-c
 risk_score = 73
 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index ded9eeaa4..cb882a14b 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Windows Suspicious Script Object Execution"
 risk_score = 21
 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
@@ -52,3 +52,4 @@ reference = "https://attack.mitre.org/techniques/T1064/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index 7fe768f00..7614adb71 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Suspicious WMIC XSL Script Execution"
 risk_score = 21
 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "eql"
 
 query = '''
@@ -38,7 +38,9 @@ id = "T1220"
 name = "XSL Script Processing"
 reference = "https://attack.mitre.org/techniques/T1220/"
 
+
 [rule.threat.tactic]
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 84c47635c..d929a4735 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Suspicious Zoom Child Process"
 risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 105a04702..acaebdb52 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Unusual Executable File Creation by a System Critical Process"
 risk_score = 73
 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index 8fc242b32..1dda469f2 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ name = "Unusual Child Process from a System Virtual Process"
 risk_score = 73
 rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index b1e31da99..4870c7722 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Potential Evasion via Filter Manager"
 risk_score = 21
 rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
index 47eaa271e..a054acc8b 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Volume Shadow Copy Deletion via VssAdmin"
 risk_score = 73
 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
index faa97c024..0b5548ff9 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Volume Shadow Copy Deletion via WMIC"
 risk_score = 73
 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index 98cc4455c..7a84a4187 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/12"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Net command via SYSTEM account"
 risk_score = 21
 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/discovery_process_discovery_via_tasklist_command.toml b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
index 94be69c90..9f3256327 100644
--- a/rules/windows/discovery_process_discovery_via_tasklist_command.toml
+++ b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Process Discovery via Tasklist"
 risk_score = 21
 rule_id = "cc16f774-59f9-462d-8b98-d27ccd4519ec"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 791ff2d86..66747769f 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ name = "Whoami Process Activity"
 risk_score = 21
 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index 678f5bd9b..c8a955b44 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ name = "Command Prompt Network Connection"
 risk_score = 21
 rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml
index f4326ae22..2225d2235 100644
--- a/rules/windows/execution_command_shell_started_by_powershell.toml
+++ b/rules/windows/execution_command_shell_started_by_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ name = "PowerShell spawning Cmd"
 risk_score = 21
 rule_id = "0f616aee-8161-4120-857e-742366f5eeb3"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 01cfd5567..edde884a8 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ name = "Svchost spawning Cmd"
 risk_score = 21
 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index d6a45b19d..4539439e4 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/21"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ name = "Unusual Parent Process for cmd.exe"
 risk_score = 47
 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index bff12abdd..476d79e3e 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Downloaded Shortcut Files"
 risk_score = 21
 rule_id = "6b1fd8e8-cefe-444c-bc4d-feaa2c497347"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"
 
 query = '''
@@ -57,3 +57,4 @@ reference = "https://attack.mitre.org/techniques/T1204/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index 6772af2f2..011f0d96f 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "development"
 query_schema_validation = false
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Downloaded URL Files"
 risk_score = 21
 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"
 
 query = '''
@@ -61,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1064/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index a903eb70f..b8dfdd9cb 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Network Connection via Compiled HTML File"
 risk_score = 21
 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_local_service_commands.toml b/rules/windows/execution_local_service_commands.toml
index 3fb3f90ad..4be9a6e54 100644
--- a/rules/windows/execution_local_service_commands.toml
+++ b/rules/windows/execution_local_service_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Local Service Commands"
 risk_score = 21
 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index d3d22ea40..862a218ea 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Execution of File Written or Modified by Microsoft Office"
 risk_score = 21
 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"
 
 query = '''
@@ -59,3 +59,4 @@ reference = "https://attack.mitre.org/techniques/T1193/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_msbuild_making_network_connections.toml b/rules/windows/execution_msbuild_making_network_connections.toml
index 3f5c9288f..19ab781ca 100644
--- a/rules/windows/execution_msbuild_making_network_connections.toml
+++ b/rules/windows/execution_msbuild_making_network_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "MsBuild Making Network Connections"
 risk_score = 47
 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_mshta_making_network_connections.toml b/rules/windows/execution_mshta_making_network_connections.toml
index 974082341..4a01dc643 100644
--- a/rules/windows/execution_mshta_making_network_connections.toml
+++ b/rules/windows/execution_mshta_making_network_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://www.fireeye.com/blog/threat-research/2017/05/cyber-espion
 risk_score = 47
 rule_id = "a4ec1382-4557-452b-89ba-e413b22ed4b8"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_msxsl_network.toml b/rules/windows/execution_msxsl_network.toml
index c74889caf..f2fbf655c 100644
--- a/rules/windows/execution_msxsl_network.toml
+++ b/rules/windows/execution_msxsl_network.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Network Connection via MsXsl"
 risk_score = 21
 rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 24f52db90..4b1e72027 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Execution of File Written or Modified by PDF Reader"
 risk_score = 21
 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"
 
 query = '''
@@ -61,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1193/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 48f196a00..8dbc0fe85 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ name = "PsExec Network Connection"
 risk_score = 21
 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 66a546024..a5431d58c 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/12"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ name = "Network Connection via Registration Utility"
 risk_score = 21
 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_script_executing_powershell.toml b/rules/windows/execution_script_executing_powershell.toml
index 4cfef855c..d2d690057 100644
--- a/rules/windows/execution_script_executing_powershell.toml
+++ b/rules/windows/execution_script_executing_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Windows Script Executing PowerShell"
 risk_score = 21
 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_suspicious_ms_office_child_process.toml b/rules/windows/execution_suspicious_ms_office_child_process.toml
index a348bf964..47eb98b26 100644
--- a/rules/windows/execution_suspicious_ms_office_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_office_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Suspicious MS Office Child Process"
 risk_score = 21
 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/execution_suspicious_ms_outlook_child_process.toml b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
index f5d90dd65..504d862f9 100644
--- a/rules/windows/execution_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Suspicious MS Outlook Child Process"
 risk_score = 21
 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 98c63fabf..4c51e6a1a 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/30"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Suspicious PDF Reader Child Process"
 risk_score = 21
 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index c49f8e27b..4431e548e 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Suspicious Process Execution via Renamed PsExec Executable"
 risk_score = 47
 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/windows/execution_unusual_dns_service_children.toml b/rules/windows/execution_unusual_dns_service_children.toml
index 4d89a6694..95de08add 100644
--- a/rules/windows/execution_unusual_dns_service_children.toml
+++ b/rules/windows/execution_unusual_dns_service_children.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 73
 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/windows/execution_unusual_dns_service_file_writes.toml b/rules/windows/execution_unusual_dns_service_file_writes.toml
index c4e3fd05c..1745366c3 100644
--- a/rules/windows/execution_unusual_dns_service_file_writes.toml
+++ b/rules/windows/execution_unusual_dns_service_file_writes.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 73
 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/windows/execution_unusual_network_connection_via_rundll32.toml b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
index ada1790ae..40607d1d0 100644
--- a/rules/windows/execution_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Unusual Network Connection via RunDLL32"
 risk_score = 21
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/windows/execution_unusual_process_network_connection.toml b/rules/windows/execution_unusual_process_network_connection.toml
index c63191ef5..c123b0455 100644
--- a/rules/windows/execution_unusual_process_network_connection.toml
+++ b/rules/windows/execution_unusual_process_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Unusual Process Network Connection"
 risk_score = 21
 rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 8c875112b..ea7c55033 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ name = "Process Activity via Compiled HTML File"
 risk_score = 21
 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 7809cf368..26c6c4d2e 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = [
 risk_score = 73
 rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml
index 71979f871..a2a9422c8 100644
--- a/rules/windows/execution_via_net_com_assemblies.toml
+++ b/rules/windows/execution_via_net_com_assemblies.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Execution via Regsvcs/Regasm"
 risk_score = 21
 rule_id = "47f09343-8d1f-4bb5-8bb0-00c9d18f5010"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index 4a8b6a760..572ed4e14 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Execution via MSSQL xp_cmdshell Stored Procedure"
 risk_score = 73
 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "query"
 query = '''
diff --git a/rules/windows/execution_wpad_exploitation.toml b/rules/windows/execution_wpad_exploitation.toml
index b55333f88..d68e56a7b 100644
--- a/rules/windows/execution_wpad_exploitation.toml
+++ b/rules/windows/execution_wpad_exploitation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "WPAD Service Exploit"
 risk_score = 21
 rule_id = "ec328da1-d5df-482b-866c-4a435692b1f3"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
 type = "eql"
 query = '''
@@ -51,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1068/"
 id = "TA0002"
 name = "Execution"
 reference = "https://attack.mitre.org/tactics/TA0002/"
+
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 29bc76d5b..407cfff66 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Service Command Lateral Movement"
 risk_score = 21
 rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
 type = "eql"
 query = '''
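Review bot: In the "WPAD Service Exploit" hunk (`@@ -19,7 +19,7 @@`) the context lines still carry `risk_score = 21` next to `severity = "high"`, while every other rule in this patch pairs 21 with low, 47 with medium and 73/74 with high. The same mismatch is visible in "Installation of Custom Shim Databases" (21 with medium) and "Bypass UAC via Sdclt" (21 with high); since this commit is already touching the metadata of these files, it would be a cheap moment to align them, e.g. `risk_score = 73` for the two high-severity rules, or to confirm the divergence is deliberate. I cannot see from the hunks whether the rule schema enforces a score-to-severity mapping, so this may simply be a missing validation rather than a data error.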
@@ -58,3 +58,4 @@ reference = "https://attack.mitre.org/techniques/T1035/"
 id = "TA0008"
 name = "Lateral Movement"
 reference = "https://attack.mitre.org/tactics/TA0008/"
+
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 70de1a68c..b81678385 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Direct Outbound SMB Connection"
 risk_score = 47
 rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
 type = "query"
 query = '''
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
index 7590fe1c8..4372405b9 100644
--- a/rules/windows/lateral_movement_dns_server_overflow.toml
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/16"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "11013227-0301-4a8c-b150-4db924484475"
 severity = "medium"
-tags = ["Elastic", "Network", "Windows"]
+tags = ["Elastic", "Network", "Threat Detection", "Lateral Movement"]
 type = "query"
 query = '''
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 1daa6b374..7636ef70a 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
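Review bot: The `lateral_movement_dns_server_overflow.toml` tags hunk (`@@ -35,7 +35,7 @@`) is the only one in this patch that removes `"Windows"` rather than keeping it and adding `"Host"`, leaving `tags = ["Elastic", "Network", "Threat Detection", "Lateral Movement"]`. That is plausible for a network-sourced rule, but the file lives under `rules/windows/` and the test's `required_tags_map` demands one of Windows/macOS/Linux for `auditbeat-*` indices, so if this rule's index list (not visible in the hunk) includes auditbeat the tag check would now fail. Please confirm the drop is intentional, or restore it as `tags = ["Elastic", "Network", "Windows", "Threat Detection", "Lateral Movement"]` to match its siblings.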
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ name = "Adobe Hijack Persistence"
 risk_score = 21
 rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "query"
 query = '''
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index 974cfc2eb..4c4317c2f 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Installation of Custom Shim Databases"
 risk_score = 21
 rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "eql"
 query = '''
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1138/"
 id = "TA0003"
 name = "Persistence"
 reference = "https://attack.mitre.org/tactics/TA0003/"
+
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index 0616815c3..66e222c45 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/13"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/13"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Creation or Modification of a new GPO Scheduled Task or Service"
 risk_score = 21
 rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "query"
 query = '''
diff --git a/rules/windows/persistence_local_scheduled_task_commands.toml b/rules/windows/persistence_local_scheduled_task_commands.toml
index bdd63befc..9670fa4f7 100644
--- a/rules/windows/persistence_local_scheduled_task_commands.toml
+++ b/rules/windows/persistence_local_scheduled_task_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ name = "Local Scheduled Task Commands"
 risk_score = 21
 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "query"
 query = '''
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 69ff0ab02..2f1152fac 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Potential Modification of Accessibility Binaries"
 risk_score = 21
 rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "query"
 query = '''
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 743533a49..fe9ad970a 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "System Shells via Services"
 risk_score = 47
 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "query"
 query = '''
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index 159df5af5..e9be4c4ba 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "User Account Creation"
 risk_score = 21
 rule_id = "1aa9181a-492b-4c01-8b16-fa0735786b2b"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "query"
 query = '''
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 3c6ecc5e5..f0c13ad0a 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/10/21"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Potential Application Shimming via Sdbinst"
 risk_score = 21
 rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "query"
 query = '''
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index b3917f659..0e8df23ec 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = [
 risk_score = 73
 rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "query"
 query = '''
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 197dc56bd..dfdc6b700 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/17"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ references = ["https://github.com/irsl/CVE-2020-1313"]
 risk_score = 73
 rule_id = "265db8f5-fc73-4d0d-b434-6483b56372e2"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
 type = "query"
 query = '''
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index a310345ad..d3a0561c2 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
 risk_score = 74
 rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
 type = "query"
 query = '''
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index 86e89b952..612872a46 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/14"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-a
 risk_score = 74
 rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
 type = "query"
 query = '''
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index 098592884..80d2ff9a6 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
 risk_score = 47
 rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
 type = "query"
 query = '''
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 59659e31b..77ccea3e8 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/17"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Bypass UAC via Event Viewer"
 risk_score = 21
 rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62"
 severity = "low"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
 type = "query"
 query = '''
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
index e23e8a71e..427e7dae1 100644
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ b/rules/windows/privilege_escalation_uac_sdclt.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/02"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Bypass UAC via Sdclt"
 risk_score = 21
 rule_id = "9b54e002-034a-47ac-9307-ad12c03fa900"
 severity = "high"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
 type = "eql"
 query = '''
@@ -51,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1088/"
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index c299320d9..d19dc7672 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/08/03"
+updated_date = "2020/10/26"
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "Unusual Parent-Child Relationship"
 risk_score = 47
 rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b"
 severity = "medium"
-tags = ["Elastic", "Windows"]
+tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
 type = "query"
 query = '''
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 09cdde7ce..d9d94bcb8 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -201,8 +201,8 @@ class TestRuleTags(unittest.TestCase):
 expected_tags = [
 'APM', 'AWS', 'Asset Visibility', 'Azure', 'Configuration Audit', 'Continuous Monitoring',
- 'Data Protection', 'Elastic', 'Endpoint', 'GCP', 'Identity and Access', 'Linux', 'Logging', 'ML', 'macOS',
- 'Monitoring', 'Network', 'Okta', 'Packetbeat', 'Post-Execution', 'SecOps', 'Windows'
+ 'Data Protection', 'Elastic', 'Endpoint Security', 'GCP', 'Identity and Access', 'Linux', 'Logging', 'ML',
+ 'macOS', 'Monitoring', 'Network', 'Okta', 'Packetbeat', 'Post-Execution', 'SecOps', 'Windows'
 ]
 expected_case = {normalize(t): t for t in expected_tags}
@@ -229,9 +229,9 @@ class TestRuleTags(unittest.TestCase):
 required_tags_map = {
 'apm-*-transaction*': {'all': ['APM']},
 'auditbeat-*': {'any': ['Windows', 'macOS', 'Linux']},
- 'endgame-*': {'all': ['Endpoint']},
+ 'endgame-*': {'all': ['Endpoint Security']},
 'logs-aws*': {'all': ['AWS']},
- 'logs-endpoint.alerts-*': {'all': ['Endpoint']},
+ 'logs-endpoint.alerts-*': {'all': ['Endpoint Security']},
 'logs-endpoint.events.*': {'any': ['Windows', 'macOS', 'Linux', 'Host']},
 'logs-okta*': {'all': ['Okta']},
 'packetbeat-*': {'all': ['Network']},
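Review bot: The rewritten `expected_tags` list in the first hunk (`@@ -201,8 +201,8 @@`) still omits the tags this same commit introduces across the rule files — `'Host'`, `'Threat Detection'` and the tactic tags `'Execution'`, `'Persistence'`, `'Lateral Movement'`, `'Privilege Escalation'` — even though `'Host'` is already relied on by `required_tags_map` in the second hunk. The code that consumes `expected_case` lies outside the hunk, so I cannot tell whether an unlisted tag is rejected or merely skipped by the casing check; either way, adding `'Execution', 'Host', 'Lateral Movement', 'Persistence', 'Privilege Escalation', 'Threat Detection'` to the list would let the test catch case drift in the new tags. In the second hunk the `'Endpoint'` → `'Endpoint Security'` rename means any rule on `endgame-*` or `logs-endpoint.alerts-*` that still carries `'Endpoint'` now fails the required-tag check; those rule files are not in this chunk, so please confirm they were migrated in the same commit. The enclosing `TestRuleTags` class continues outside both hunks.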