From 2812118000dd83c69ffe6fedbd3213d8316fe75a Mon Sep 17 00:00:00 2001
From: Mirko Bez
Date: Wed, 3 Apr 2024 11:27:31 +0200
Subject: [PATCH] Add filebeat-* index pattern to rules based on system.auth dataset (#3561)

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 153657029b0bc21b04c96ef574b1a918d03237d6)
---
 ...edential_access_potential_linux_ssh_bruteforce_external.toml | 2 +-
 ...edential_access_potential_linux_ssh_bruteforce_internal.toml | 2 +-
 ...ential_access_potential_successful_linux_ssh_bruteforce.toml | 2 +-
 rules/linux/persistence_linux_group_creation.toml | 2 +-
 rules/linux/persistence_linux_user_account_creation.toml | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
index ac8bfd8a5..ca1511851 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
@@ -14,7 +14,7 @@ a short time interval. Adversaries will often brute force login attempts across
 password, in an attempt to gain access to these accounts.
 """
 from = "now-9m"
-index = ["logs-system.auth-*"]
+index = ["filebeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 5
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
index 1aa54307d..6640ba404 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
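Review bot: `filebeat-*` is a far broader pattern than `logs-system.auth-*` — it matches every index Filebeat writes, whatever module produced it — so after the `+index` line each rule's scoping rests entirely on its EQL query, which lies outside this hunk. Please confirm that every affected query pins the dataset (for example an `event.dataset == "system.auth"` clause, or whichever field the existing queries already filter on); if one does not, look-alike events from other modules can now reach the sequence and shift alert behaviour with nothing visible in this diff. The same change appears in the four later hunks for …bruteforce_internal.toml, …successful_linux_ssh_bruteforce.toml, persistence_linux_group_creation.toml and persistence_linux_user_account_creation.toml. The commit message gives no rationale for the second pattern; if the rule loader keeps comments, a line above the array such as `# filebeat-* presumably covers the Filebeat system module, logs-system.auth-* the Agent integration — confirm` would record it, otherwise the commit message should.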
@@ -14,7 +14,7 @@ a short time interval. Adversaries will often brute force login attempts across
 password, in an attempt to gain access to these accounts.
 """
 from = "now-9m"
-index = ["logs-system.auth-*"]
+index = ["filebeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 max_signals = 5
diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
index c14bbbaf0..ed7a05b56 100644
--- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
+++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml
@@ -13,7 +13,7 @@ Identifies multiple SSH login failures followed by a successful one from the sam
 to login into multiple users with a common or known password to gain access to accounts.
 """
 from = "now-9m"
-index = ["auditbeat-*", "logs-system.auth-*"]
+index = ["auditbeat-*", "filebeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Successful SSH Brute Force Attack"
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml
index 077c480a7..8bdadc05c 100644
--- a/rules/linux/persistence_linux_group_creation.toml
+++ b/rules/linux/persistence_linux_group_creation.toml
@@ -29,7 +29,7 @@ description = """
 Identifies attempts to create a new group. Attackers may create new groups to establish persistence on a system.
 """
 from = "now-9m"
-index = ["logs-system.auth-*"]
+index = ["filebeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux Group Creation"
diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml
index 5fbcb8806..18b550025 100644
--- a/rules/linux/persistence_linux_user_account_creation.toml
+++ b/rules/linux/persistence_linux_user_account_creation.toml
@@ -29,7 +29,7 @@ description = """
 Identifies attempts to create new users. Attackers may add new users to establish persistence on a system.
 """
 from = "now-9m"
-index = ["logs-system.auth-*"]
+index = ["filebeat-*", "logs-system.auth-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Linux User Account Creation"