From 24eea0e1e586ced3eb8ba39b8f660e2d13f49fb1 Mon Sep 17 00:00:00 2001
From: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Date: Tue, 20 Feb 2024 15:18:27 +0100
Subject: [PATCH] [Tuning] Event.dataset removal & Tag Addition (#3451)

* [Tuning] Removed event.dataset and added tag

* [Tuning] Removed event.dataset and added tag

* fixed typo

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 3484cac7eb8683132f27a5d25a7c2aa492368537)
---
 ...ntial_successful_linux_ftp_bruteforce.toml | 22 ++++++++-----
 ...ntial_successful_linux_rdp_bruteforce.toml | 18 +++++++---
 ...very_pspy_process_monitoring_detected.toml | 15 ++++++---
 ...execution_shell_via_meterpreter_linux.toml | 18 ++++-------
 ...ution_shell_via_udp_cli_utility_linux.toml | 32 +++++++++++--------
 ...stence_kernel_driver_load_by_non_root.toml | 7 ++--
 ...ion_suspicious_chown_fowner_elevation.toml | 11 ++++---
 ...calation_suspicious_passwd_file_write.toml | 7 ++--
 ...ry_kernel_module_enumeration_via_proc.toml | 3 +-
 .../discovery_linux_modprobe_enumeration.toml | 3 +-
 .../discovery_linux_sysctl_enumeration.toml | 3 +-
 ...discovery_suspicious_proc_enumeration.toml | 3 +-
 .../persistence_kernel_driver_load.toml | 7 ++-
 13 files changed, 87 insertions(+), 62 deletions(-)

diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
index fcba9634c..2e26ee87f 100644
--- a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
+++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -60,16 +60,22 @@ However, if more advanced configuration is required to detect specific behavior,
 
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
+tags = [
+ "Data Source: Auditd Manager",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access"
+ ]
 type = "eql"
 query = '''
 sequence by host.id, auditd.data.addr, related.user with maxspan=5s
- [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
- event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "failure" and
- auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] with runs=10
- [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
- event.action == "authenticated" and auditd.data.terminal == "ftp" and event.outcome == "success" and
- auditd.data.addr != null and auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1
+ [authentication where host.os.type == "linux" and event.action == "authenticated" and
+ auditd.data.terminal == "ftp" and event.outcome == "failure" and auditd.data.addr != null and
+ auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] with runs=10
+ [authentication where host.os.type == "linux" and event.action == "authenticated" and
+ auditd.data.terminal == "ftp" and event.outcome == "success" and auditd.data.addr != null and
+ auditd.data.addr != "0.0.0.0" and auditd.data.addr != "::"] | tail 1
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
index 297d5b761..5abb8856c 100644
--- a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
+++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -60,14 +60,20 @@ However, if more advanced configuration is required to detect specific behavior,
 
 """
 severity = "medium"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
+tags = [
+ "Data Source: Auditd Manager",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access"
+ ]
 type = "eql"
 query = '''
 sequence by host.id, related.user with maxspan=5s
- [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
- event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "failure"] with runs=10
- [authentication where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
- event.action == "authenticated" and auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1
+ [authentication where host.os.type == "linux" and event.action == "authenticated" and
+ auditd.data.terminal : "*rdp*" and event.outcome == "failure"] with runs=10
+ [authentication where host.os.type == "linux" and event.action == "authenticated" and
+ auditd.data.terminal : "*rdp*" and event.outcome == "success"] | tail 1
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml
index 171641a7f..a45b05c89 100644
--- a/rules/linux/discovery_pspy_process_monitoring_detected.toml
+++ b/rules/linux/discovery_pspy_process_monitoring_detected.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -48,13 +48,18 @@ However, if more advanced configuration is required to detect specific behavior,
 
 """
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
+tags = [
+ "Data Source: Auditd Manager",
+ "Domain: Endpoint",
+ "OS: Linux",
+ "Use Case: Threat Detection",
+ "Tactic: Discovery"
+ ]
 type = "eql"
 query = '''
 sequence by process.pid, host.id with maxspan=5s
-[ file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
- auditd.data.syscall == "openat" and file.path == "/proc" and auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and
- auditd.data.a2 : ("80000", "88000") ] with runs=10
+ [file where host.os.type == "linux" and auditd.data.syscall == "openat" and file.path == "/proc" and
+ auditd.data.a0 : ("ffffffffffffff9c", "ffffff9c") and auditd.data.a2 : ("80000", "88000") ] with runs=10
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml
index 655c756f5..ee8ffd010 100644
--- a/rules/linux/execution_shell_via_meterpreter_linux.toml
+++ b/rules/linux/execution_shell_via_meterpreter_linux.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -61,6 +61,7 @@ However, if more advanced configuration is required to detect specific behavior,
 """
 severity = "medium"
 tags = [
+ "Data Source: Auditd Manager",
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
@@ -70,16 +71,11 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 sample by host.id, process.pid, user.id
-[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and
- auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"]
-[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and
- auditd.data.a2 == "1b6" and file.path == "/etc/passwd"]
-[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and
- auditd.data.a2 == "1b6" and file.path == "/proc/net/route"]
-[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and
- auditd.data.a2 == "1b6" and file.path == "/proc/net/ipv6_route"]
-[file where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and auditd.data.syscall == "open" and
- auditd.data.a2 == "1b6" and file.path == "/proc/net/if_inet6"]
+ [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/machine-id"]
+ [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/etc/passwd"]
+ [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/route"]
+ [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/ipv6_route"]
+ [file where host.os.type == "linux" and auditd.data.syscall == "open" and auditd.data.a2 == "1b6" and file.path == "/proc/net/if_inet6"]
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
index 0391990f9..7b2fcad2a 100644
--- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
+++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
 min_stack_version = "8.6.0"
-updated_date = "2023/11/02"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -62,6 +62,7 @@ However, if more advanced configuration is required to detect specific behavior,
 """
 severity = "medium"
 tags = [
+ "Data Source: Auditd Manager",
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
@@ -71,19 +72,22 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 sample by host.id, process.pid, process.parent.pid
-[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
- auditd.data.syscall == "execve" and process.name : ("bash", "dash", "sh", "tcsh",
- "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby",
- "openssl", "awk", "telnet", "lua*", "socat")]
-[process where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
- auditd.data.syscall == "socket" and process.name : ("bash", "dash", "sh", "tcsh", "csh",
- "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl",
- "awk", "telnet", "lua*", "socat") and auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")]
-[network where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
- auditd.data.syscall == "connect" and process.name : ("bash", "dash", "sh", "tcsh", "csh",
- "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*", "ruby", "openssl",
- "awk", "telnet", "lua*", "socat") and network.direction == "egress" and destination.ip != null and
- destination.ip != "127.0.0.1" and destination.ip != "127.0.0.53" and destination.ip != "::1"]
+ [process where host.os.type == "linux" and auditd.data.syscall == "execve" and process.name : (
+ "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
+ "ruby", "openssl", "awk", "telnet", "lua*", "socat"
+ )
+ ]
+ [process where host.os.type == "linux" and auditd.data.syscall == "socket" and process.name : (
+ "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
+ "ruby", "openssl", "awk", "telnet", "lua*", "socat"
+ ) and
+ auditd.data.a0 == "2" and auditd.data.a1 : ("2", "802")]
+[network where host.os.type == "linux" and auditd.data.syscall == "connect" and process.name : (
+ "bash", "dash", "sh", "tcsh", "csh", "zsh", "ksh", "fish", "perl", "python*", "nc", "ncat", "netcat", "php*",
+ "ruby", "openssl", "awk", "telnet", "lua*", "socat"
+ ) and
+ network.direction == "egress" and destination.ip != null and destination.ip != "127.0.0.1" and
+ destination.ip != "127.0.0.53" and destination.ip != "::1"]
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/persistence_kernel_driver_load_by_non_root.toml b/rules/linux/persistence_kernel_driver_load_by_non_root.toml
index d6687b0ed..7db8b49d0 100644
--- a/rules/linux/persistence_kernel_driver_load_by_non_root.toml
+++ b/rules/linux/persistence_kernel_driver_load_by_non_root.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/10"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -50,6 +50,7 @@ However, if more advanced configuration is required to detect specific behavior,
 """
 severity = "medium"
 tags = [
+ "Data Source: Auditd Manager",
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
@@ -59,8 +60,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-driver where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
-event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module") and user.id != "0"
+driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and
+auditd.data.syscall in ("init_module", "finit_module") and user.id != "0"
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
index 61f400dda..d25cc2fb1 100644
--- a/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
+++ b/rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
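Review bot: In the rewritten `sample` of execution_shell_via_udp_cli_utility_linux.toml the `[network where` step starts at column 0 (`+[network where …`) while the two `[process where` steps added just above it are indented, so the three steps no longer line up and the one thing that differs between them, the `auditd.data.syscall` value, is harder to spot. Indent it like its siblings: `  [network where host.os.type == "linux" and auditd.data.syscall == "connect" and process.name : (`. The `query` string begins above the hunk, so the indentation of the surrounding lines is not visible here.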
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "Linux effective and permitted process capability data sources were added in version 8.11.0"
 min_stack_version = "8.11.0"
-updated_date = "2024/01/08"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -49,6 +49,7 @@ However, if more advanced configuration is required to detect specific behavior,
 """
 severity = "medium"
 tags = [
+ "Data Source: Auditd Manager",
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
@@ -61,14 +62,14 @@ sequence by host.id, process.pid with maxspan=1s
 [process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.name != null and process.thread.capabilities.effective : ("CAP_CHOWN", "CAP_FOWNER") and process.command_line : ("*sudoers*", "*passwd*", "*shadow*", "*/root/*") and user.id != "0"]
- [file where event.dataset == "auditd_manager.auditd" and host.os.type == "linux" and
- event.action == "changed-file-ownership-of" and event.type == "change" and event.outcome == "success" and
- file.path in (
+ [file where host.os.type == "linux" and event.action == "changed-file-ownership-of" and event.type == "change" and
+ event.outcome == "success" and file.path in (
 "/etc/passwd",
 "/etc/shadow",
 "/etc/sudoers",
 "/root/.ssh/*"
- ) and user.id != "0"]
+ ) and user.id != "0"
+ ]
 '''
 
 [[rule.threat]]
diff --git a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
index 3b722f2fb..370716cb8 100644
--- a/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
+++ b/rules/linux/privilege_escalation_suspicious_passwd_file_write.toml
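Review bot: After this change the `[file where …]` step of privilege_escalation_suspicious_chown_fowner_elevation.toml references no `auditd.data.*` field at all, so its restriction to Auditd Manager events now rests entirely on `event.action == "changed-file-ownership-of"` being emitted by no other source, while the same file declares `integration = ["endpoint", "auditd_manager"]` and so presumably reads Elastic Defend file events from the same index patterns. The passwd hunk in privilege_escalation_suspicious_passwd_file_write.toml has the same exposure in a weaker form: its only remaining auditd-specific predicate is the negated `not auditd.data.a2 == "80000"`, and whether a file event that carries no `auditd.data.a2` at all passes that step now depends on EQL's null-comparison behaviour rather than on an explicit filter. Worth confirming with one Elastic Defend `/etc/passwd` or `/etc/sudoers` file event that neither sequence fires on it, and if the widening is intended, saying so in the rule `note` so a later tuning pass does not re-add the dataset filter. The `query` string and its `sequence by` header begin above the hunk.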
@@ -4,7 +4,7 @@ integration = ["endpoint", "auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2024/01/22"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -71,6 +71,7 @@ However, if more advanced configuration is required to detect specific behavior,
 """
 severity = "medium"
 tags = [
+ "Data Source: Auditd Manager",
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
@@ -82,8 +83,8 @@ query = '''
 sequence by host.id, process.parent.pid with maxspan=1m
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.name == "openssl" and process.args == "passwd" and user.id != "0"]
- [file where event.dataset == "auditd_manager.auditd" and host.os.type == "linux" and file.path == "/etc/passwd" and
- process.parent.pid != 1 and not auditd.data.a2 == "80000" and event.outcome == "success" and user.id != "0"]
+ [file where host.os.type == "linux" and file.path == "/etc/passwd" and process.parent.pid != 1 and
+ not auditd.data.a2 == "80000" and event.outcome == "success" and user.id != "0"]
 '''
 
 [[rule.threat]]
diff --git a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
index 1e21c42d0..774e7d174 100644
--- a/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
+++ b/rules_building_block/discovery_kernel_module_enumeration_via_proc.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/10/19"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -47,6 +47,7 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 """
 severity = "low"
 tags = [
+ "Data Source: Auditd Manager",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
diff --git a/rules_building_block/discovery_linux_modprobe_enumeration.toml b/rules_building_block/discovery_linux_modprobe_enumeration.toml
index 70cad947d..1fc247dd6 100644
--- a/rules_building_block/discovery_linux_modprobe_enumeration.toml
+++ b/rules_building_block/discovery_linux_modprobe_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/12/18"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -46,6 +46,7 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 """
 severity = "low"
 tags = [
+ "Data Source: Auditd Manager",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
diff --git a/rules_building_block/discovery_linux_sysctl_enumeration.toml b/rules_building_block/discovery_linux_sysctl_enumeration.toml
index 7b6a27e74..b94ef5091 100644
--- a/rules_building_block/discovery_linux_sysctl_enumeration.toml
+++ b/rules_building_block/discovery_linux_sysctl_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
 min_stack_version = "8.6.0"
-updated_date = "2023/12/18"
+updated_date = "2024/12/19"
 
 [rule]
 author = ["Elastic"]
@@ -46,6 +46,7 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 """
 severity = "low"
 tags = [
+ "Data Source: Auditd Manager",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
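Review bot: `updated_date` in rules_building_block/discovery_linux_sysctl_enumeration.toml is set to `"2024/12/19"`, ten months after the commit's own date, while every other file in this patch moves to `"2024/02/19"`; the month and day look transposed. Change the added line to `+updated_date = "2024/02/19"`. The commit message says a typo was fixed, but this value is still present in the cherry-picked patch.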
diff --git a/rules_building_block/discovery_suspicious_proc_enumeration.toml b/rules_building_block/discovery_suspicious_proc_enumeration.toml
index f6d248832..fa9b087ee 100644
--- a/rules_building_block/discovery_suspicious_proc_enumeration.toml
+++ b/rules_building_block/discovery_suspicious_proc_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -44,6 +44,7 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 """
 severity = "low"
 tags = [
+ "Data Source: Auditd Manager",
 "OS: Linux",
 "Use Case: Threat Detection",
 "Tactic: Discovery",
diff --git a/rules_building_block/persistence_kernel_driver_load.toml b/rules_building_block/persistence_kernel_driver_load.toml
index 923153a86..686e222df 100644
--- a/rules_building_block/persistence_kernel_driver_load.toml
+++ b/rules_building_block/persistence_kernel_driver_load.toml
@@ -5,7 +5,7 @@ integration = ["auditd_manager"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/26"
+updated_date = "2024/02/19"
 
 [rule]
 author = ["Elastic"]
@@ -46,6 +46,7 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 """
 severity = "low"
 tags = [
+ "Data Source: Auditd Manager",
 "Domain: Endpoint",
 "OS: Linux",
 "Use Case: Threat Detection",
@@ -56,8 +57,8 @@ tags = [
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-driver where host.os.type == "linux" and event.dataset == "auditd_manager.auditd" and
-event.action == "loaded-kernel-module" and auditd.data.syscall in ("init_module", "finit_module")
+driver where host.os.type == "linux" and event.action == "loaded-kernel-module" and
+auditd.data.syscall in ("init_module", "finit_module")
 '''
 
 [[rule.threat]]