[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351)

Justin Ibarra
2020-09-30 19:16:04 -05:00
committed by GitHub
parent d094c76534
commit 2460333595
31 changed files with 68 additions and 30 deletions
@@ -2,7 +2,7 @@
creation_date = "2020/07/07"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/07/07"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -12,6 +12,7 @@ point of lookup for DNS hostname resolution so if adversaries can modify the end
to malicious infrastructure. This rule detects modifications to the hosts file on Microsoft Windows, Linux (Ubuntu or
RHEL) and macOS systems.
"""
from = "now-9m"
index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
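Review bot: The added `from = "now-9m"` widens the lookback, but no `interval` is set in this hunk, so the extra slack only holds against whatever default schedule the detection engine applies (5 minutes, if unchanged), and an ingest delay longer than that slack still drops events rather than being "accounted for". Anyone who later tunes the interval on one of these rules will silently change the overlap, so the derivation deserves a line above the key such as `# lookback = default 5m interval + 4m slack for endpoint ingest lag; keep in step with interval`. Whether the rule build tooling keeps TOML comments is not visible here; if it strips them, the same rationale belongs in the rule's note field or the PR description, since the same bare constant is repeated across the other touched files. The `[rule]` table continues outside the hunk.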
@@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1492/"
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
@@ -21,7 +21,9 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Mknod Process Activity"
references = ["https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/"]
references = [
"https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/",
]
risk_score = 21
rule_id = "61c31c14-507f-4627-8c31-072556b89a9c"
severity = "low"
@@ -2,11 +2,12 @@
creation_date = "2020/08/14"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/14"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
description = "Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets."
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -40,3 +41,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -2,7 +2,7 @@
creation_date = "2020/08/14"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/14"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -11,6 +11,7 @@ Adversaries may collect the keychain storage data from a system to acquire crede
for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords,
websites, secure notes, certificates, and Kerberos.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -41,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1142/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -2,11 +2,12 @@
creation_date = "2020/08/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/18"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
description = "Detects use of the systemsetup command to enable remote SSH Login."
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -2,11 +2,12 @@
creation_date = "2020/09/02"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/02"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
description = "Identifies an executable or script file remotely downloaded via a TeamViewer transfer session."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -44,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1145/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -2,7 +2,7 @@
creation_date = "2020/08/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/18"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """
Identifies the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords. An attacker
with IIS web server access via a web shell can decrypt and dump the IIS AppPool service account password using AppCmd.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
@@ -46,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1003/"
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
@@ -2,11 +2,12 @@
creation_date = "2020/08/31"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/31"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
description = "Identifies the password log file from the default Mimikatz memssp module."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -2,11 +2,12 @@
creation_date = "2020/08/31"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/31"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
description = "Identifies a suspicious Conhost child process which may be an indication of code injection activity."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -2,7 +2,7 @@
creation_date = "2020/08/14"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/14"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """
Identifies suspicious psexec activity which is executing from the psexec service that has been renamed, possibly to
evade detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1070/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2020/08/24"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/24"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """
A suspicious Elastic endpoint agent parent process was detected. This may indicate a process hollowing or other form of
code injection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -2,7 +2,7 @@
creation_date = "2020/09/01"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/01"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """
Identifies a suspicious AutoIt process execution. Malware written as AutoIt scripts tend to rename the AutoIt executable
to avoid detection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
@@ -2,7 +2,7 @@
creation_date = "2020/08/24"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/24"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -11,6 +11,7 @@ A suspicious WerFault child process was detected, which may indicate an attempt
such as command line, network connections, file writes and parent process details as well.
"""
false_positives = ["Custom Windows Error Reporting Debugger"]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -2,12 +2,13 @@
creation_date = "2020/08/24"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/24"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
description = "Identifies a suspicious WerFault command line parameter, which may indicate an attempt to run unnoticed."
false_positives = ["Legit Application Crash with rare Werfault commandline value"]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -2,7 +2,7 @@
creation_date = "2020/08/21"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/21"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """
Identifies a suspicious managed code hosting process which could indicate code injection or other form of suspicious
code execution.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -60,3 +60,4 @@ reference = "https://attack.mitre.org/techniques/T1055/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -2,7 +2,7 @@
creation_date = "2020/08/19"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/19"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """
Identifies an unexpected executable file being created or modified by a Windows system critical process, which may
indicate activity related to remote code execution or other forms of exploitation.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -2,11 +2,12 @@
creation_date = "2020/08/19"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/19"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
description = "Identifies a suspicious child process of the Windows virtual system process, which could indicate code injection."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -2,11 +2,12 @@
creation_date = "2020/08/21"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/21"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
description = "Identifies a suspicious parent child process relationship with cmd.exe descending from an unusual process."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -38,3 +39,4 @@ reference = "https://attack.mitre.org/techniques/T1059/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,11 +2,12 @@
creation_date = "2020/08/21"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/21"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
description = "Identifies suspicious .NET code execution. connections."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
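Review bot: The description on the new side, `Identifies suspicious .NET code execution. connections.`, carries a stray trailing word that will show up verbatim in the alert UI; the commit touches the adjacent line but leaves it. If nothing was meant after the first sentence, `description = "Identifies suspicious .NET code execution."` is the fix; if "network connections" was intended, the sentence should say so explicitly. The query that defines what "suspicious" means is outside the hunk, so I cannot tell which reading is correct.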
@@ -2,7 +2,7 @@
creation_date = "2020/08/17"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/17"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """
Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be
indicative of code injection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -2,7 +2,7 @@
creation_date = "2020/08/14"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/14"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """
Identifies execution via MSSQL xp_cmdshell stored procedure. Malicious users may attempt to elevate their privileges by
using xp_cmdshell, which is disabled by default, thus, it's important to review the context of it's use.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
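Review bot: The description text shown as context has two small errors that analysts will see in every alert: `it's use` should be `its use`, and the comma chain around `thus` does not parse. A fix within the existing multi-line string is `using xp_cmdshell, which is disabled by default; it is therefore important to review the context of its use.` The start of the description string is outside the hunk.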
@@ -7,9 +7,9 @@ updated_date = "2020/08/13"
[rule]
author = ["Elastic"]
description = """
Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for legitimate system
administration, but can also be abused by an attacker with domain admin permissions to execute a malicious payload remotely on all
or a subset of the domain joined machines.
Detects the creation or modification of a new Group Policy based scheduled task or service. These methods are used for
legitimate system administration, but can also be abused by an attacker with domain admin permissions to execute a
malicious payload remotely on all or a subset of the domain joined machines.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
@@ -54,3 +54,4 @@ reference = "https://attack.mitre.org/techniques/T1021/"
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
@@ -2,7 +2,7 @@
creation_date = "2020/08/17"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/17"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """
Detects the successful hijack of Microsoft Compatibility Appraiser scheduled task to establish persistence with an
integrity level of system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
@@ -7,8 +7,8 @@ updated_date = "2020/08/17"
[rule]
author = ["Elastic"]
description = """
Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity level of
SYSTEM.
Identifies potential hijacking of the Microsoft Update Orchestrator Service to establish persistence with an integrity
level of SYSTEM.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
@@ -42,3 +42,4 @@ reference = "https://attack.mitre.org/techniques/T1050/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
@@ -2,7 +2,7 @@
creation_date = "2020/08/14"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/14"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -11,6 +11,7 @@ Detects attempts to exploit privilege escalation vulnerabilities related to the
information refer to the following CVE's - CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300 and verify that the impacted
system is patched.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
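Review bot: The description context reads `refer to the following CVE's -`, which should be `refer to the following CVEs:` since the apostrophe forms a possessive, not a plural, and the dash is doing the job of a colon. The rest of the description, including its opening sentence, is outside the hunk.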
@@ -45,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1068/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
@@ -2,7 +2,7 @@
creation_date = "2020/08/14"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/14"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """
Detects attempts to exploit privilege escalation vulnerabilities related to the Print Spooler service including
CVE-2020-1048 and CVE-2020-1337. .
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
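Review bot: The description ends with `CVE-2020-1337. .`, a stray second period that is carried into every alert generated by this rule; the commit edits the neighbouring line but leaves it. The fix is to end the line at `CVE-2020-1048 and CVE-2020-1337.` The description string opens outside the hunk.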
@@ -42,3 +43,4 @@ reference = "https://attack.mitre.org/techniques/T1068/"
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
@@ -2,7 +2,7 @@
creation_date = "2020/08/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/18"
updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
@@ -10,6 +10,7 @@ description = """
Identifies User Account Control (UAC) bypass via hijacking DiskCleanup Scheduled Task. Attackers bypass UAC to
stealthily execute code with elevated permissions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"