diff --git a/detection_rules/packaging.py b/detection_rules/packaging.py
index 6ff2b5297..064c962a4 100644
--- a/detection_rules/packaging.py
+++ b/detection_rules/packaging.py
@@ -318,6 +318,7 @@ class Package(object):
 return rule_str
 
 def get_markdown_rule_info(r: Rule, sd):
+ # lookup the rule in the GitHub tag v{major.minor.patch}
 rules_dir_link = f'https://github.com/elastic/detection-rules/tree/v{self.name}/rules/{sd}/'
 rule_type = r.contents['language'] if r.type in ('query', 'eql') else r.type
 return f'`{r.id}` **[{r.name}]({rules_dir_link + os.path.basename(r.path)})** (_{rule_type}_)'
diff --git a/rules/ml/ml_linux_anomalous_metadata_process.toml b/rules/ml/ml_linux_anomalous_metadata_process.toml
index c72f98113..369bc3197 100644
--- a/rules/ml/ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/ml_linux_anomalous_metadata_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/22"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/22"
+updated_date = "2020/10/21"
 
 [rule]
 anomaly_threshold = 50
@@ -21,7 +21,7 @@ from = "now-45m"
 interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "linux_rare_metadata_process"
-name = "Unusual Process Calling the Metadata Service"
+name = "Unusual Linux Process Calling the Metadata Service"
 risk_score = 21
 rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"
 severity = "low"
diff --git a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
index 3b290cc35..e87b6307f 100644
--- a/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
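Review bot: The added comment says the link points at the GitHub tag `v{major.minor.patch}`, but the code interpolates `self.name` captured from the enclosing method, so the comment should state what actually has to hold, e.g. `# link to the rule as of release tag v{self.name}; the tag must exist for this URL to resolve`. The nested `get_markdown_rule_info` has no docstring; a one-liner saying that `sd` is the rules subdirectory used in the link and that the return value is a single markdown list item would help. On the return line `r.name` is inserted into the markdown link text unescaped, so a rule name containing `]` would break the rendered link; rule names are repo-controlled, so this is a low-risk nit rather than a defect. The enclosing method begins outside the hunk.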
@@ -22,14 +22,14 @@ false_positives = [
 server that has no known associated FTP workflow or business requirement is often suspicious.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "FTP (File Transfer Protocol) Activity to the Internet"
 risk_score = 21
 rule_id = "87ec6396-9ac4-4706-bcf0-2ebb22002f43"
 severity = "low"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
index 6f303e62e..2fed41635 100644
--- a/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -21,14 +21,14 @@ false_positives = [
 and usually only appears in local traffic using private IPs, which does not match this rule's conditions.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "IRC (Internet Relay Chat) Protocol Activity to the Internet"
 risk_score = 47
 rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa"
 severity = "medium"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index 66514235d..a4a126de3 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
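Review bot: Adding `logs-endpoint.events.*` widens this rule from the network-sensor indices to the full endpoint event stream, which also carries process, file and registry events; unless the rule's `query` (it begins at the last line of the hunk and continues outside it) constrains `event.category` to network events, a port-based clause could match unrelated endpoint documents. That is worth confirming here and for the other network rules in this commit (IRC, NAT traversal, port 26, port 8000, PPTP, proxy, RDP, SMTP, SQL, SSH, Telnet, Tor, VNC, RPC and SMB), which receive the identical index and tag change. The new `Host` tag matches the `any` list the commit adds to `tests/test_all_rules.py`, so the tag test itself will pass. A one-line statement in the commit message that every affected query is category-constrained would save the next reviewer the same check.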
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,14 +20,14 @@ false_positives = [
 port in the range by coincidence. This is uncommon but such servers can be excluded.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "IPSEC NAT Traversal Port Activity"
 risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index 3dedb4458..c7daa999a 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -17,7 +17,7 @@ false_positives = [
 expected behavior.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "SMTP on Port 26/TCP"
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
index bfb2400f6..fdfa2e960 100644
--- a/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_port_8000_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,14 +20,14 @@ false_positives = [
 this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "TCP Port 8000 Activity to the Internet"
 risk_score = 21
 rule_id = "08d5d7e2-740f-44d8-aeda-e41f4263efaf"
 severity = "low"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
index 65b1bd7dd..b581ffdd3 100644
--- a/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
+++ b/rules/network/command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -19,14 +19,14 @@ false_positives = [
 be excluded.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "PPTP (Point to Point Tunneling Protocol) Activity"
 risk_score = 21
 rule_id = "d2053495-8fe7-4168-b3df-dad844046be3"
 severity = "low"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
index 2115a135f..56f471950 100644
--- a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -23,14 +23,14 @@ false_positives = [
 port in the range by coincidence. In this case, such servers can be excluded if desired.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Proxy Port Activity to the Internet"
 risk_score = 47
 rule_id = "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3"
 severity = "medium"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 560e037a2..851ec5165 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -22,14 +22,14 @@ false_positives = [
 not unexpected.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "RDP (Remote Desktop Protocol) from the Internet"
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_smtp_to_the_internet.toml b/rules/network/command_and_control_smtp_to_the_internet.toml
index 4ed43a069..806de7984 100644
--- a/rules/network/command_and_control_smtp_to_the_internet.toml
+++ b/rules/network/command_and_control_smtp_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -18,14 +18,14 @@ false_positives = [
 case, such devices or networks can be excluded from this rule if this is expected behavior.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "SMTP to the Internet"
 risk_score = 21
 rule_id = "67a9beba-830d-4035-bfe8-40b7e28f8ac4"
 severity = "low"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
index 3ce2c9b73..d8eb9ab15 100644
--- a/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_sql_server_port_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -19,14 +19,14 @@ false_positives = [
 database instances are accessed directly across the Internet.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "SQL Traffic to the Internet"
 risk_score = 47
 rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd"
 severity = "medium"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
index 2cd570b07..0198af8f9 100644
--- a/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -22,14 +22,14 @@ false_positives = [
 not unexpected.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "SSH (Secure Shell) from the Internet"
 risk_score = 47
 rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17"
 severity = "medium"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
index de3c37b48..dd7b33850 100644
--- a/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
+++ b/rules/network/command_and_control_ssh_secure_shell_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -21,14 +21,14 @@ false_positives = [
 unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "SSH (Secure Shell) to the Internet"
 risk_score = 21
 rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4"
 severity = "low"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
index 5de91a7e0..471fe9b96 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_telnet_port_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -21,14 +21,14 @@ false_positives = [
 server that has no known associated Telnet work-flow or business requirement is often suspicious.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Telnet Port Activity"
 risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 severity = "medium"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_tor_activity_to_the_internet.toml b/rules/network/command_and_control_tor_activity_to_the_internet.toml
index b73c17e5f..e23cf3069 100644
--- a/rules/network/command_and_control_tor_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_tor_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -19,14 +19,14 @@ false_positives = [
 this case, such servers can be excluded if desired.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Tor Activity to the Internet"
 risk_score = 47
 rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540"
 severity = "medium"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 01298d3a1..455bcd010 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,14 +20,14 @@ false_positives = [
 that is unfamiliar to server or network owners can be unexpected and suspicious.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "VNC (Virtual Network Computing) from the Internet"
 risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
 severity = "high"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index dc65fa747..d9147a222 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,14 +20,14 @@ false_positives = [
 that is unfamiliar to server or network owners can be unexpected and suspicious.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "VNC (Virtual Network Computing) to the Internet"
 risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
 severity = "medium"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
index 16f5ba2f9..34a97fc97 100644
--- a/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
+++ b/rules/network/initial_access_rdp_remote_desktop_protocol_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -21,14 +21,14 @@ false_positives = [
 unexpected. Usage that is unfamiliar to server or network owners can be unexpected and suspicious.
 """,
 ]
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "RDP (Remote Desktop Protocol) to the Internet"
 risk_score = 21
 rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5"
 severity = "low"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index 79165b8e7..900b44a67 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,14 +12,14 @@ system administrators to remotely control a system for maintenance or to use sha
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.
 """
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "RPC (Remote Procedure Call) from the Internet"
 risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index 55e664eab..e751127ec 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,14 +12,14 @@ system administrators to remotely control a system for maintenance or to use sha
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector.
 """
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "RPC (Remote Procedure Call) to the Internet"
 risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 712ff2c27..66bf37e19 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/02"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -12,14 +12,14 @@ the Internet. SMB is commonly used within networks to share files, printers, and
 systems. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or back-door vector or for data exfiltration.
 """
-index = ["filebeat-*", "packetbeat-*"]
+index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "SMB (Windows File Sharing) Activity to the Internet"
 risk_score = 73
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "high"
-tags = ["Elastic", "Network"]
+tags = ["Elastic", "Host", "Network"]
 type = "query"
 
 query = '''
diff --git a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
index f1ec2eb5e..a23246f33 100644
--- a/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
+++ b/rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
@@ -2,13 +2,13 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies possibly suspicious activity using trusted Windows developer activity."
 false_positives = ["These programs may be used by Windows developers but use by non-engineers is unusual."]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Trusted Developer Application Usage"
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index b4f9a3d60..b1e31da99 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 The Filter Manager Control Program (fltMC.exe) binary may be abused by adversaries to unload a filter driver and evade defenses.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Potential Evasion via Filter Manager"
diff --git a/rules/windows/discovery_process_discovery_via_tasklist_command.toml b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
index f2b17c05f..94be69c90 100644
--- a/rules/windows/discovery_process_discovery_via_tasklist_command.toml
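Review bot: `logs-endpoint.events.*` is added next to `winlogbeat-*` for a rule whose `query` lies outside the hunk and was presumably written against Winlogbeat/Sysmon events; the two sources only overlap on ECS field names, so the new index will contribute matches only if the query uses fields such as `process.name` rather than `winlog.*` ones, which cannot be confirmed from the hunk. The same check applies to the other Windows rules in this commit (filter manager, tasklist, whoami, dns.exe children and file writes, compiled HTML, accessibility binaries, application shimming), which receive the identical index change. Unlike the network rules, no tag is added here, so the tag test's requirement that a rule reading `logs-endpoint.events.*` carry one of Windows/macOS/Linux/Host relies on these rules already being tagged `Windows`, which is not visible in the hunk either.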
+++ b/rules/windows/discovery_process_discovery_via_tasklist_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ false_positives = [
 tasklist to get information about running processes.
 """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Process Discovery via Tasklist"
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 02f9f9982..791ff2d86 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 frameworks. Usage by non-engineers and ordinary users is unusual.
 """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Whoami Process Activity"
diff --git a/rules/windows/execution_unusual_dns_service_children.toml b/rules/windows/execution_unusual_dns_service_children.toml
index f76c2c00d..4d89a6694 100644
--- a/rules/windows/execution_unusual_dns_service_children.toml
+++ b/rules/windows/execution_unusual_dns_service_children.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/16"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 to spawn.
 """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual Child Process of dns.exe"
diff --git a/rules/windows/execution_unusual_dns_service_file_writes.toml b/rules/windows/execution_unusual_dns_service_file_writes.toml
index 7f06135df..c4e3fd05c 100644
--- a/rules/windows/execution_unusual_dns_service_file_writes.toml
+++ b/rules/windows/execution_unusual_dns_service_file_writes.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/07/16"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/07/16"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual File Modification by dns.exe"
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index a136a0a4b..8c875112b 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 to conceal malicious code.
 """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Process Activity via Compiled HTML File"
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 64d5a2269..69ff0ab02 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Windows contains accessibility features that may be launched with a key combinat
 adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Potential Modification of Accessibility Binaries"
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index cc266a322..3c6ecc5e5 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.6.0"]
 maturity = "production"
-updated_date = "2020/09/30"
+updated_date = "2020/10/21"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ The Application Shim was created to allow for backward compatibility of software
 changes over time. This Windows functionality has been abused by attackers to stealthily gain persistence and arbitrary code execution in legitimate Windows processes.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Potential Application Shimming via Sdbinst"
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index b5a853987..09cdde7ce 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -232,7 +232,7 @@ class TestRuleTags(unittest.TestCase):
 'endgame-*': {'all': ['Endpoint']},
 'logs-aws*': {'all': ['AWS']},
 'logs-endpoint.alerts-*': {'all': ['Endpoint']},
- 'logs-endpoint.events.*': {'any': ['Windows', 'macOS', 'Linux']},
+ 'logs-endpoint.events.*': {'any': ['Windows', 'macOS', 'Linux', 'Host']},
 'logs-okta*': {'all': ['Okta']},
 'packetbeat-*': {'all': ['Network']},
 'winlogbeat-*': {'all': ['Windows']}
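Review bot: `'Host'` joins the OS-specific tags as an accepted tag for `logs-endpoint.events.*` without a comment saying why an OS-neutral tag is now acceptable, so a reader of this mapping will not know it was introduced for the network rules that now read endpoint events from any OS. Suggest `# 'Host' covers OS-agnostic endpoint rules (e.g. network rules fed by endpoint events)` above the changed line. Note also that `'any'` only requires one matching tag, so a rule tagged `Host` alone satisfies the check even where an OS tag would be more precise; if that is undesirable, the `Host` case could be tightened to require `Network` as well. The enclosing class and test method start outside the hunk.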