diff --git a/.github/paths-labeller.yml b/.github/paths-labeller.yml
index 8beec7407..024c69908 100644
--- a/.github/paths-labeller.yml
+++ b/.github/paths-labeller.yml
@@ -45,6 +45,8 @@
 - "rules/integrations/crowdstrike/**/*.toml"
 - "Integration: CyberArkPas":
 - "rules/integrations/cyberarkpas/**/*.toml"
+- "Integration: Endpoint":
+ - "rules/integrations/endpoint/**/*.toml"
 - "Integration: GCP":
 - "rules/integrations/gcp/**/*.toml"
 - "Integration: Google Workspace":
diff --git a/rules/README.md b/rules/README.md
index 8e68154e1..7f33b2195 100644
--- a/rules/README.md
+++ b/rules/README.md
@@ -23,6 +23,7 @@ Integration specific rules are stored in the [`integrations/`](integrations) dir
 | [`aws/`](integrations/aws) | Amazon Web Services (AWS) |
 | [`azure/`](integrations/azure) | Microsoft Azure |
 | [`cyberarkpas/`](integrations/cyberarkpas) | Cyber Ark Privileged Access Security |
+| [`endpoint/`](integrations/endpoint) | Elastic Endpoint Security |
 | [`gcp/`](integrations/gcp) | Google Cloud Platform (GCP) |
 | [`google_workspace/`](integrations/google_workspace) | Google Workspace (formerly GSuite) |
 | [`o365/`](integrations/o365) | Microsoft Office |
diff --git a/rules/promotions/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
similarity index 90%
rename from rules/promotions/elastic_endpoint_security.toml
rename to rules/integrations/endpoint/elastic_endpoint_security.toml
index e1a74dafa..5042a0d65 100644
--- a/rules/promotions/elastic_endpoint_security.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/08/25"
+integration = "endpoint"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.kind:alert and event.module:(endpoint and not endgame)
+event.kind:alert and event.module:(endpoint and not endgame) and not event.code: behavior
 '''
 
 
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml
new file mode 100644
index 000000000..b3f09ab4b
--- /dev/null
+++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml
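Review bot: The added `and not event.code: behavior` clause removes Behavior Protection alerts from this rule, but nothing in the diff touches the rule's `description`, which lies outside this hunk and, given the 90% similarity index, presumably still says the rule fires on every Endpoint alert. Together with the new companion rule's query (`... and event.code: behavior`) the two rules now partition Endpoint alerts, so an operator who disables the companion rule will see behavior alerts in neither; the description should state that behavior alerts are excluded and name the rule that covers them. A maintainer-facing comment above the query, `# Behavior Protection alerts are covered by elastic_endpoint_security_behavior_protection.toml; keep the two queries complementary`, would make the pairing explicit when either query is edited later.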
@@ -0,0 +1,68 @@
+[metadata]
+creation_date = "2021/08/25"
+maturity = "production"
+updated_date = "2021/08/25"
+integration = "endpoint"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert each time an Elastic Endpoint Security alert is received for Behavior Protection alerts.
+Enabling this rule allows you to immediately begin investigating your Endpoint alerts for Behavior Protection.
+"""
+enabled = true
+from = "now-10m"
+index = ["logs-endpoint.alerts-*"]
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 10000
+name = "Endpoint Security Behavior Protection"
+risk_score = 47
+rule_id = "d516af98-19f3-45bb-b590-dd623535b746"
+rule_name_override = "rule.name"
+severity = "medium"
+tags = ["Elastic", "Endpoint Security"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind:alert and event.module:(endpoint and not endgame) and event.code: behavior
+'''
+
+
+[[rule.exceptions_list]]
+id = "endpoint_list"
+list_id = "endpoint_list"
+namespace_type = "agnostic"
+type = "endpoint"
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "21"
+severity = "low"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "47"
+severity = "medium"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "73"
+severity = "high"
+
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+value = "99"
+severity = "critical"
+
+
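Review bot: The new file separates the closing `'''` of `query` from `[[rule.exceptions_list]]` with two blank lines and ends with two trailing blank lines, while every other section boundary uses a single blank line; a TOML formatter such as `taplo fmt` collapses both, so normalising now avoids whitespace-only churn in later diffs. The query `event.kind:alert and event.module:(endpoint and not endgame) and event.code: behavior` is the exact complement of the clause this commit adds to `elastic_endpoint_security.toml`, and that coupling is not recorded anywhere in the file; a comment above the query, `# Complement of elastic_endpoint_security.toml, which excludes event.code: behavior — keep in sync`, would tell the next editor that changing one query without the other either double-alerts or drops behavior alerts entirely. The `[[rule.risk_score_mapping]]` entry pairs `operator = "equals"` with `value = ""`; if that mirrors the convention in the renamed sibling rule it is fine, otherwise it reads as a placeholder and is worth confirming.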