[New Rule] Endpoint Security Behavior Protection (#1440)

* [New Rule] Endpoint Security Behavioral Protection
* Update readme and labeler for endpoint integration
* Fix new rule to use event.code
* Fix old rule to use event.code
* Changed from behavioral to behavior
* Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml
* Back from the future (updated_date)

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 3b338baab0)

.github/paths-labeller.yml

@@ -45,6 +45,8 @@
   - "rules/integrations/crowdstrike/**/*.toml"
 - "Integration: CyberArkPas":
   - "rules/integrations/cyberarkpas/**/*.toml"
+- "Integration: Endpoint":
+  - "rules/integrations/endpoint/**/*.toml"
 - "Integration: GCP":
   - "rules/integrations/gcp/**/*.toml"
 - "Integration: Google Workspace":

rules/README.md

@@ -23,6 +23,7 @@ Integration specific rules are stored in the [`integrations/`](integrations) dir
 | [`aws/`](integrations/aws)                             | Amazon Web Services (AWS)            |
 | [`azure/`](integrations/azure)                         | Microsoft Azure                      |
 | [`cyberarkpas/`](integrations/cyberarkpas)             | Cyber Ark Privileged Access Security |
+| [`endpoint/`](integrations/endpoint)                   | Elastic Endpoint Security            |
 | [`gcp/`](integrations/gcp)                             | Google Cloud Platform (GCP)          |
 | [`google_workspace/`](integrations/google_workspace)   | Google Workspace (formerly GSuite)   |
 | [`o365/`](integrations/o365)                           | Microsoft Office                     |

rules/integrations/endpoint/elastic_endpoint_security.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/08/25"
+integration = "endpoint"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame)
+event.kind:alert and event.module:(endpoint and not endgame) and not event.code: behavior
 '''
 
 

rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml

@@ -0,0 +1,68 @@
+[metadata]
+creation_date = "2021/08/25"
+maturity = "production"
+updated_date = "2021/08/25"
+integration = "endpoint"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert each time an Elastic Endpoint Security alert is received for Behavior Protection alerts.
+Enabling this rule allows you to immediately begin investigating your Endpoint alerts for Behavior Protection.
+"""
+enabled = true
+from = "now-10m"
+index = ["logs-endpoint.alerts-*"]
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 10000
+name = "Endpoint Security Behavior Protection"
+risk_score = 47
+rule_id = "d516af98-19f3-45bb-b590-dd623535b746"
+rule_name_override = "rule.name"
+severity = "medium"
+tags = ["Elastic", "Endpoint Security"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:(endpoint and not endgame) and event.code: behavior
+'''
+
+
+[[rule.exceptions_list]]
+id = "endpoint_list"
+list_id = "endpoint_list"
+namespace_type = "agnostic"
+type = "endpoint"
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "21"
+severity = "low"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "47"
+severity = "medium"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "73"
+severity = "high"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "99"
+severity = "critical"
+
+