diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index b3f833246..76e9531a4 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/30"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ references = [
 risk_score = 73
 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
 severity = "high"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
+tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index f03de066b..122c6d031 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/30"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
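Review bot: The rewritten `+tags` line in this hunk puts `"Data Source: Okta"` first, while the other Okta sections in this commit start with `"Use Case: Identity and Access Audit"` (credential_access_attempts_to_brute_force_okta_user_account, credential_access_mfa_push_brute_force, credential_access_okta_brute_force_or_password_spraying, credential_access_user_impersonation_access, the two defense_evasion_okta_attempt_* rules) or with `"Tactic: …"` (initial_access_okta_user_attempted_unauthorized_access, the three persistence_* rules), and every network rule starts with `"Tactic: …"`. The commit's stated purpose is removing the duplicated tag, so keeping the surviving tags in their original relative order, here `tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access"]`, would limit each hunk to the dedup and avoid introducing a different order in every file. If a particular order is intended, it would help to apply the same one across all sections rather than three variants.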
@@ -63,7 +63,7 @@ references = [
 risk_score = 47
 rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
 type = "threshold"
 
 query = '''
diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
index 7c51046db..9311bb1be 100644
--- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
+++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/30"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -61,7 +61,7 @@ references = [
 risk_score = 73
 rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
 severity = "high"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
 type = "eql"
 
 query = '''
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index a70670387..920423823 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/30"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ references = [
 risk_score = 47
 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
 type = "threshold"
 
 query = '''
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index 59b6b5f77..8a06da032 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/30"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -57,12 +57,7 @@ references = [
 risk_score = 73
 rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911"
 severity = "high"
-tags = [
-    "Use Case: Identity and Access Audit",
-    "Data Source: Okta",
-    "Use Case: Identity and Access Audit",
-    "Tactic: Credential Access",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index 5517b1b40..58860e787 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/30"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -71,12 +71,7 @@ references = [
 risk_score = 47
 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
 severity = "medium"
-tags = [
-    "Use Case: Identity and Access Audit",
-    "Data Source: Okta",
-    "Use Case: Identity and Access Audit",
-    "Tactic: Defense Evasion",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index 559417274..10553afe9 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/30"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -69,12 +69,7 @@ references = [
 risk_score = 21
 rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
 severity = "low"
-tags = [
-    "Use Case: Identity and Access Audit",
-    "Data Source: Okta",
-    "Use Case: Identity and Access Audit",
-    "Tactic: Defense Evasion",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 2cd034832..4d461de63 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -63,7 +63,7 @@ references = [
 risk_score = 47
 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"]
 type = "threshold"
 
 query = '''
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index 566636821..344e04661 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 21
 rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
+tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"]
 timestamp_override = "event.ingested"
 type = "query"
 
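Review bot: The defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml section changes its `tags` line but is the only rule file in this commit without a matching `updated_date` hunk; every other section pairs the tag change with `+updated_date = "2023/08/17"`. If bumping that field on any rule change is what the other sections are following (inferred from them, not visible in this hunk), this file needs the same `-updated_date = "<previous date>"` / `+updated_date = "2023/08/17"` edit, otherwise it is the one rule whose metadata will not reflect this revision. The header block where `updated_date` lives is outside this hunk.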
diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index 81d5cc46a..23b2763a4 100644
--- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 21
 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index c9cfc03bf..cb4fb8ff1 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 21
 rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index c89f3ee46..a79da174c 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
+tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index 74fff7e13..bab6a4656 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ name = "IPSEC NAT Traversal Port Activity"
 risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
-tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index 1d460d272..080ddea6a 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
-tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 4fd9b1e3d..5d3f3fa03 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
-tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index afd295d9a..5d980ddde 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
 severity = "high"
-tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index adb6ed821..a90903ee3 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
 severity = "medium"
-tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index 091203ffc..03c15e746 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
-tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"]
+tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index 7a43eecdb..0fd6a76c3 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
-tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"]
+tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 9cb466a12..8660b2b1c 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["network_traffic"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2023/08/17"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "high"
-tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"]
+tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 333e363a4..f99192d00 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -424,6 +424,18 @@ class TestRuleTags(BaseRuleTest):
         if invalid:
             self.fail(f'Rules with invalid tags:\n{invalid}')
 
+    def test_no_duplicate_tags(self):
+        """Ensure no rules have duplicate tags."""
+        invalid = []
+
+        for rule in self.all_rules:
+            rule_tags = rule.contents.data.tags
+            if len(rule_tags) != len(set(rule_tags)):
+                invalid.append(self.rule_str(rule))
+
+        if invalid:
+            self.fail(f'Rules with duplicate tags:\n{invalid}')
+
 
 class TestRuleTimelines(BaseRuleTest):
     """Test timelines in rules are valid."""
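Review bot: In `test_no_duplicate_tags`, `self.fail(f'Rules with duplicate tags:\n{invalid}')` reports only the rule, not which tag repeats, so a failure still needs a manual look at the TOML to find the entry; collecting the repeated tags next to the rule makes the report actionable: `dupes = sorted({t for t in rule_tags if rule_tags.count(t) > 1})` followed by `invalid.append(f'{self.rule_str(rule)}: {dupes}')` inside the `if`. If `tags` can be absent on a rule (the schema is not visible here), `len(rule_tags)` raises on `None`; `rule_tags = rule.contents.data.tags or []` would keep the test reporting rather than erroring. The `len(set(...))` comparison is exact-match only, so the same tag with different case or surrounding whitespace is not caught — presumably the invalid-tag test whose tail forms this hunk's context already rejects anything outside the allowed tag list, which would cover that. `TestRuleTags` starts outside the hunk.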