diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index 085c46957..4cb1d4041 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index 4c4a71226..1af9fe468 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_null_user_agent.toml b/rules/apm/apm_null_user_agent.toml
index 0519fedd6..820e21e29 100644
--- a/rules/apm/apm_null_user_agent.toml
+++ b/rules/apm/apm_null_user_agent.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index c37e7d68f..b580bdcfc 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index e990120df..424246a78 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index 7f39cc445..0b50b84fd 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2022/02/28"
-min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
-min_stack_version = "7.15.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index 0a0955aaa..f3b5ba6f7 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
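Review bot: The removed `min_stack_comments` in the defense_evasion_agent_spoofing_mismatched_id hunk documented a real data dependency (`event.agent_id_status` does not exist before 7.14), and the replacement comment only records the schema-field addition, so a future reader lowering `min_stack_version` again has nothing telling them the query would break on older stacks. Keeping both rationales in the one comment, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; event.agent_id_status was not introduced until 7.14"`, costs nothing. The same rationale loss happens in the defense_evasion_agent_spoofing_multiple_hosts, impact_hosts_file_modified, threat_intel_filebeat8x and threat_intel_fleet_integrations hunks, each of which drops a version-specific explanation. Separately, these replaced hunks keep `updated_date` before the two `min_stack_*` keys while every hunk that inserts them puts `updated_date` last; one order across the set would make the rule files diff cleanly against each other. None of the hunks shown add `required_fields`, `related_integrations` or `setup` under `[rule]`, so if those fields are filled in by the build tooling rather than by hand, the comment would be clearer saying so.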
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2022/02/16"
-min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
-min_stack_version = "7.15.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index 283004af0..9f049370e 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
index 5f332e4cf..0bb02a8a5 100644
--- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/04"
 maturity = "production"
-updated_date = "2022/05/16"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
index 7ec822922..d53dbd7d3 100644
--- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/23"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -37,10 +39,10 @@ process where or /* service or systemctl used to stop Elastic Agent on Linux */ (event.type == "end" and - (process.name : ("systemctl", "service") and + (process.name : ("systemctl", "service") and process.args : "elastic-agent" and - process.args : "stop") - or + process.args : "stop") + or /* Unload Elastic Agent extension on MacOS */ (process.name : "kextunload" and process.args : "com.apple.iokit.EndpointSecurity" and
diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml
index cf14cceb8..1922928ea 100644
--- a/rules/cross-platform/defense_evasion_timestomp_touch.toml
+++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index 25f36fbd3..36f70ceb9 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/20"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
index 79ad53903..b2d70bc98 100644
--- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
+++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/09/29"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
index 84533a03f..efb705d17 100644
--- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
+++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml
index 525da55ce..153f7aebd 100644
--- a/rules/cross-platform/execution_python_script_in_cmdline.toml
+++ b/rules/cross-platform/execution_python_script_in_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "development"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index 91da6fabb..fc60a1e27 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2022/07/06"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index 32913f597..11963546d 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
index b663d70da..3db4bdf1c 100644
--- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
+++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/12/10"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 1f28d5739..b75979ae5 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/07/07"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index dbf0d0fb1..70ea4c373 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/14"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
index d42f57413..7f6fd6d01 100644
--- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
+++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2021/03/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -31,19 +33,19 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:file and event.type:change and - (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and +event.category:file and event.type:change and + (file.name:pam_*.so or file.path:(/etc/pam.d/* or /private/etc/pam.d/*)) and process.executable: - (* and - not + (* and + not ( - /bin/yum or - "/usr/sbin/pam-auth-update" or - /usr/libexec/packagekitd or - /usr/bin/dpkg or - /usr/bin/vim or - /usr/libexec/xpcproxy or - /usr/bin/bsdtar or + /bin/yum or + "/usr/sbin/pam-auth-update" or + /usr/libexec/packagekitd or + /usr/bin/dpkg or + /usr/bin/vim or + /usr/libexec/xpcproxy or + /usr/bin/bsdtar or /usr/local/bin/brew or /usr/bin/rsync or /usr/bin/yum or
diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
index cec0ff93d..400716f83 100644
--- a/rules/cross-platform/persistence_shell_profile_modification.toml
+++ b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2021/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index c0df66799..234ed6bc6 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2022/05/04"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -22,18 +24,18 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:file and event.type:(change or creation) and - file.name:("authorized_keys" or "authorized_keys2") and +event.category:file and event.type:(change or creation) and + file.name:("authorized_keys" or "authorized_keys2") and not process.executable: - (/Library/Developer/CommandLineTools/usr/bin/git or - /usr/local/Cellar/maven/*/libexec/bin/mvn or - /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or - /usr/bin/vim or - /usr/local/Cellar/coreutils/*/bin/gcat or + (/Library/Developer/CommandLineTools/usr/bin/git or + /usr/local/Cellar/maven/*/libexec/bin/mvn or + /Library/Java/JavaVirtualMachines/jdk*.jdk/Contents/Home/bin/java or + /usr/bin/vim or + /usr/local/Cellar/coreutils/*/bin/gcat or /usr/bin/bsdtar or - /usr/bin/nautilus or + /usr/bin/nautilus or /usr/bin/scp or - /usr/bin/touch or + /usr/bin/touch or /var/lib/docker/* or /usr/bin/google_guest_agent) '''
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index e0df3d8aa..5e4bc2344 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/26"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 428b72f1e..a0d341570 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/03/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
index 5a67e5a68..cdc057354 100644
--- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
+++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/02/03"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
index ede884934..492f3bf90 100644
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/13"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/threat_intel_filebeat8x.toml b/rules/cross-platform/threat_intel_filebeat8x.toml
index ed24a7bc3..bdb9f68ad 100644
--- a/rules/cross-platform/threat_intel_filebeat8x.toml
+++ b/rules/cross-platform/threat_intel_filebeat8x.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/11/24"
 maturity = "production"
-updated_date = "2022/02/16"
-min_stack_comments = "Threat index is ECS 1.11 compliant (8.0)."
-min_stack_version = "8.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/cross-platform/threat_intel_fleet_integrations.toml b/rules/cross-platform/threat_intel_fleet_integrations.toml
index 5b88f36a1..62a454fd2 100644
--- a/rules/cross-platform/threat_intel_fleet_integrations.toml
+++ b/rules/cross-platform/threat_intel_fleet_integrations.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/04/21"
 maturity = "production"
-updated_date = "2022/02/16"
-min_stack_comments = "Threat intel module fields were updated from `threatintel.*` to `threat.*` in ECS 1.11 (7.16)."
-min_stack_version = "8.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index d59e0a722..9d44f4936 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
index a65ec7316..ab371f746 100644
--- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index dca7e8b49..e21b5aa39 100644
--- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index 4110331a4..7a1242432 100644
--- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
index 50ad221fd..0909584ac 100644
--- a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 41bacd7e4..6c46192a5 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 59bfe53ea..d5c661d43 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index e9bc81ed4..bca7a1f23 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
index 0f38bfd56..54ca2642e 100644
--- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
index 39aac78b1..06c0bdecf 100644
--- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index 56aa312c1..ebec002e4 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index 4d17f64ea..8c248169a 100644
--- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
index 608c8a850..aeb3c3cbf 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
-updated_date = "2021/10/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index 5a7dd4837..4feea28b9 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
-updated_date = "2021/10/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index c025a1455..0fb8a88fe 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 0836f85b6..c2560f914 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index deac79fe2..4021725f1 100644
--- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index e3d58bd4f..65a937528 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/09"
 maturity = "production"
-updated_date = "2022/03/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index 6f40150d5..343d36d62 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 
 [rule]
diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
index 876ec8bf8..160a28de5 100644
--- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/24"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
index a991c5f57..eb78385c1 100644
--- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/04/22"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index 22c78f4bc..03d2a63a9 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
index f55e0e5d9..a6d2c03a7 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/29"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index c3c174508..896202291 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/17"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index 8784d4261..a3c0fbab6 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index 2af9ef080..022869765 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/18"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index e5eee33b4..db266753b 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index 8c5d534e7..22fbf2e80 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
index 9e650a1e7..b514727fb 100644
--- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
+++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/08/27"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index 3a74b4354..16bdb004c 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
index d799a20c7..3d48563df 100644
--- a/rules/integrations/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index 481df4dfd..9cd434743 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index 90fd97a39..ce6ad602d 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/04/07"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index 390904788..acc28ba1e 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index 1c2690d6c..5e6b34c58 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/11"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 2b276c1ab..b6971a8ef 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index 1ebe340da..c6b55a7b5 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index e4cb8e8ea..843f56f3a 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index 8e9904cec..edae35ac6 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index a1a1cff48..b14a6c9b8 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
@@ -42,7 +44,7 @@ of the source IP address.
 #### Possible investigation steps
 - Identify the user account involved and the action performed. Verify whether it should perform this kind of action.
- - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the
+ - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the
 `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.
 - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index cf997be4a..cd6f007fe 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
@@ -42,7 +44,7 @@ of the source IP address.
 #### Possible investigation steps
 - Identify the user account involved and the action performed. Verify whether it should perform this kind of action.
- - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the
+ - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the
 `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.
 - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 35988790a..2b6e681ab 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2022/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
@@ -41,7 +43,7 @@ user.
 #### Possible investigation steps
 - Identify the user account involved and the action performed. Verify whether it should perform this kind of action.
- - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the
+ - Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key ID in the
 `aws.cloudtrail.user_identity.access_key_id` field, which can help identify the precise user context.
 - The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index eb988ea16..51ed2a7bf 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index a16ed0dad..5182aae26 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
-updated_date = "2022/04/07"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index d20094ff6..98658f842 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index 94ae3cfac..3c8dde9c5 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 374d94fc6..8000c16a7 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index 65617ffae..dcc819da6 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index dc9834979..817550e62 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/04/12"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index de34c8b9c..072f305a8 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/10"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index 597ea914d..d0a6ae236 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/10"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index 086300809..7ef1506a3 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
-updated_date = "2021/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index c0b70f34a..d175dac1f 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index 57ffe2827..41128fdc6 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
index b4baff8da..78416677b 100644
--- a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
+++ b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/09/22"
 maturity = "production"
-updated_date = "2021/09/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index 1d1be7716..d5a63bc0e 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
@@ -40,7 +42,7 @@ your first IAM user. Then securely lock away the root user credentials and use t
 service management tasks. Amazon provides a [list of the tasks that require root user](https://docs.aws.amazon.com/general/latest/gr/root-vs-iam.html#aws_tasks-that-require-root). This rule looks for attempts to log in to AWS as the root user without using multi-factor authentication (MFA), meaning
-the account is not secured properly.
+the account is not secured properly.
 #### Possible investigation steps
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index 360a6f533..f1a82be81 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2021/10/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
index afa2cfedd..991f7e7f9 100644
--- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2021/10/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index 82b339e27..5af2f6963 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "aws"
 [rule]
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index 533d7a9aa..0af85cdf4 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
index 39af8aec7..fb721a6ae 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/08/12"
 maturity = "production"
-updated_date = "2021/10/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml
index 6b4fb1714..1c96a5a39 100644
--- a/rules/integrations/azure/credential_access_key_vault_modified.toml
+++ b/rules/integrations/azure/credential_access_key_vault_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 8c4c4820f..3cc97f76e 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
index f6a2068e9..03225e9d2 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
index d09c3e51f..450ac76db 100644
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
@@ -33,7 +35,7 @@ type = "query"
 query = '''
 event.dataset:azure.activitylogs and
- azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and
+ azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and
 event.outcome:(Success or success)
 '''
diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
index 52912a862..35aa843c5 100644
--- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/09/22"
 maturity = "production"
-updated_date = "2021/09/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index 69f3b560c..ec9f32538 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index 4fba20ea4..dc8f526a5 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index 763c1d368..e77f6f12f 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index fff5ce515..fdac3a5ed 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
index a4711ef0c..697745bbc 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/08/01"
 maturity = "production"
-updated_date = "2021/08/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index b4ead5ba3..cfb6b36fb 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/24"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index bbbe2ce81..722f5c498 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
index cd5ea2371..6155a4e66 100644
--- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/08/27"
 maturity = "production"
-updated_date = "2022/02/16"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml
index a38057a25..0853719ab 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml
index 1289b596f..bc66dce79 100644
--- a/rules/integrations/azure/execution_command_virtual_machine.toml
+++ b/rules/integrations/azure/execution_command_virtual_machine.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
index 25fa04cb3..621673416 100644
--- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index 507e10868..54c4bc106 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/24"
 maturity = "production"
-updated_date = "2021/06/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml
index 545b3d503..61c0ea073 100644
--- a/rules/integrations/azure/impact_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resource_group_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml
index f62a12949..6aafda577 100644
--- a/rules/integrations/azure/impact_virtual_network_device_modified.toml
+++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/12"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index eec7eee27..73b0337a5 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -28,7 +30,7 @@ This rule identifies events produced by Microsoft Identity Protection with high
 #### Possible investigation steps
 
 - Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).
-- Identify the user account involved and validate whether the suspicious activity is normal for that user.
+- Identify the user account involved and validate whether the suspicious activity is normal for that user.
 - Consider the source IP address and geolocation for the involved user account. Do they look normal?
 - Consider the device used to sign in. Is it registered and compliant?
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 350583d23..b0c857da2 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -27,7 +29,7 @@ or `atRisk`.
 #### Possible investigation steps
 
 - Identify the Risk Detection that triggered the event. A list with descriptions can be found [here](https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection).
-- Identify the user account involved and validate whether the suspicious activity is normal for that user.
+- Identify the user account involved and validate whether the suspicious activity is normal for that user.
 - Consider the source IP address and geolocation for the involved user account. Do they look normal?
 - Consider the device used to sign in. Is it registered and compliant?
 - Investigate other alerts associated with the user account during the past 48 hours.
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index f8a0f1717..45570d545 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index a23b24d8a..1dba35f8c 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -70,7 +72,7 @@ your IT teams to minimize the impact on business operations during these actions
 - Investigate the potential for data compromise from the user's email and file sharing services. Activate your Data Loss incident response playbook.
 - Disable the permission for a user to set consent permission on their behalf.
- - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.
+ - Enable the [Admin consent request](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow) feature.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
index d90deeca4..ccb6f215c 100644
--- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml
index 837197b0d..6d5432f8b 100644
--- a/rules/integrations/azure/persistence_azure_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
index a9c2aa29c..ab1b462ec 100644
--- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
index 603ddb258..d73b74ca7 100644
--- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
index 2a321bae5..44e1b37df 100644
--- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2022/02/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index 868e5ec47..765d376c0 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/06"
 integration = "azure"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index d2ffbe795..a8cde4386 100644
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/24"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index 3fc79445b..26a550880 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2022/07/19"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
@@ -23,10 +25,10 @@ note = """## Triage and analysis
 
 Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles
-such as Global Administrator and Application Administrator.
+such as Global Administrator and Application Administrator.
 
 This rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough
-access to modify role assignment settings.
+access to modify role assignment settings.
 
 #### Possible investigation steps
 
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index aab929854..2215b7dc0 100644
--- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index 0392badda..1bc83ba44 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index 367d4626b..a5e487464 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
index 22a288179..84ad211f3 100644
--- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
+++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2021/11/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "azure"
 
 [rule]
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
index 7d460b4b1..d23b692c3 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/06/23"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "cyberarkpas"
-min_stack_comments = "The integration was not introduced until 7.14"
-min_stack_version = "7.14.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
index 81c4a24c9..d3a0c3c72 100644
--- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
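Review bot: The rewritten `min_stack_comments` in the cyberarkpas error_audit_event_promotion hunk discards the only recorded reason the rule ever had a stack floor ("The integration was not introduced until 7.14"), and the following hunk for privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml does the same. The new 8.3.0 floor still satisfies that older constraint, but the file no longer says the rule is also gated on integration availability, so a later edit that relaxes `min_stack_version` for these two rules could undershoot it without anyone noticing. Keeping both reasons in the one string preserves that history: `min_stack_comments = "New fields added: required_fields, related_integrations, setup; the cyberarkpas integration was not introduced until 7.14"`. As a style point, these two hunks leave the new keys after `integration` while every other metadata hunk in the commit inserts them directly before `updated_date`; a consistent key order in `[metadata]` makes future bulk edits like this one diff more cleanly.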
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2021/06/23"
 maturity = "production"
-updated_date = "2021/07/20"
+updated_date = "2022/08/24"
 integration = "cyberarkpas"
-min_stack_comments = "The integration was not introduced until 7.14"
-min_stack_version = '7.14.0'
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
index f4b6bd08f..571cd3b06 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/10/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "endpoint"
 
 [rule]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index f0013f13a..32844d95e 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index ff837ff85..b12ea3ed0 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index 30f92a924..0371330ef 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = "gcp"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index bf6db7372..215831662 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = "gcp"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index ff7252261..01ae45b1e 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/21"
 integration = "gcp"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index a51020e37..f5bbbc966 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index 70fc658a0..fe47c6837 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index ff35c6f6f..dc967d1fb 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index 4c2a2a55c..a894b06a9 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index b9a7fbdcf..ef5493456 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 89f6be253..a5596d192 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
index 5db8145a7..bad67cccc 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
index 283c1694f..111707924 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
index 4c37eace7..49dbccff3 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
@@ -2,7 +2,9 @@
 creation_date = "2020/09/22"
 integration = "gcp"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index 152c0713a..0c170a6f6 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index f98d8bdd6..ba5c68510 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 
 [rule]
diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index 9234a204d..b921cf62d 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 [rule]
diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index 51a3b4136..e1e8303c2 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 [rule]
diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index 92d22e0f5..99a854e27 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 [rule]
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index 3659d02c7..9a85cfc2e 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 [rule]
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 131af16bd..6f1428961 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 [rule]
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index 085fa6c50..fb9f0292f 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 [rule]
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 18a6408d6..1f97926ba 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 [rule]
diff --git a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
index 7a9209e16..60a5320b6 100644
--- a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
+++ b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "gcp"
 [rule]
diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
index af832c6a7..412c1d6e7 100644
--- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/07/17"
+updated_date = "2022/08/24"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
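Review bot: The rewritten `min_stack_comments` in the google_workspace hunk drops the original rationale ("Google Workspace schema deprecated gsuite fields in 8.0") and keeps only the generic reason for the bump to 8.3.0. The constraint is still satisfied because 8.3.0 is newer, but a future maintainer who reads only the new comment may believe the version floor exists solely because of the added `required_fields`/`related_integrations`/`setup` metadata and lower it, reintroducing the deprecated `gsuite.*` fields on older stacks. Preserve both reasons, e.g. `min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0; new fields added: required_fields, related_integrations, setup"`. The same applies to the other google_workspace rules in this commit.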
diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
index 68c60e5fc..debea77a2 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
index c0b08b820..229c3776c 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/07/22"
+updated_date = "2022/08/24"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
index ccf0924e5..881064508 100644
--- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
+++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/07/17"
+updated_date = "2022/08/24"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index 08ad8a896..03e1c2ee0 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index f67fa93e8..56e081b89 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index d9b207a64..588ba08ab 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
index 724d3e6b1..d4117a6fa 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/07/17"
+updated_date = "2022/08/24"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index ea0abb112..68c591d02 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/01/13"
+updated_date = "2022/08/24"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
index d512898f0..45655935a 100644
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
@@ -1,10 +1,10 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/07/17"
+updated_date = "2022/08/24"
 integration = "google_workspace"
-min_stack_comments = "Google Workspace schema deprecated gsuite fields in 8.0"
-min_stack_version = "8.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index 7302029d3..092ef1d83 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/06/30"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
-updated_date = "2022/06/30"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -41,8 +41,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.verb:"create"
-and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews")
+kubernetes.audit.verb:"create"
+and kubernetes.audit.objectRef.resource:("selfsubjectaccessreviews" or "selfsubjectrulesreviews")
 and kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*)
 or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*)
 '''
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index 0f3258290..31e8714df 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
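Review bot: The new `min_stack_comments` in the kubernetes metadata hunk replaces "Necessary audit log fields not available prior to 8.2" with the generic 8.3.0 reason, so the integration-specific floor is no longer documented. Because 8.3.0 is newer the constraint still holds, but the stronger reason is the one that would actually break the rule if someone later relaxed the version, and the comment no longer tells them that. Keep both, e.g. `min_stack_comments = "Necessary audit log fields not available prior to 8.2; new fields added: required_fields, related_integrations, setup"`; the other kubernetes rules in this commit have the same issue.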
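Review bot: The final `or kubernetes.audit.impersonatedUser.username:(...)` clause, kept as context below the two rewritten lines of this query hunk, is not grouped with the `user.username` alternative; if KQL's usual precedence applies (`and` binding tighter than `or`), the rule fires on any audit event whose impersonated user is a service account or node, regardless of the `create` verb and SelfSubject* resource checks the hunk just reformatted. The hunk only strips trailing whitespace, so this is likely pre-existing, but it is worth fixing while the query is being touched. Grouping both principal checks makes the intent explicit: `and (kubernetes.audit.user.username:(system\:serviceaccount\:* or system\:node\:*) or kubernetes.audit.impersonatedUser.username:(system\:serviceaccount\:* or system\:node\:*))`. Please confirm the precedence against the stack's KQL documentation before changing it.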
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/05/17"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
-updated_date = "2022/07/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -43,7 +43,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.objectRef.resource:"pods"
+kubernetes.audit.objectRef.resource:"pods"
 and kubernetes.audit.objectRef.subresource:"exec"
 '''
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index 376166b88..e6d6ce886 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index c75d52ff3..486452743 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index 6a524b580..3b4443f52 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index dfafe09a0..70455db95 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
index 30c880f5b..33fc1c822 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/07/11"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
-updated_date = "2022/07/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -42,8 +42,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-kubernetes.audit.objectRef.resource:"pods"
- and kubernetes.audit.verb:("create" or "update" or "patch")
+kubernetes.audit.objectRef.resource:"pods"
+ and kubernetes.audit.verb:("create" or "update" or "patch")
 and kubernetes.audit.requestObject.spec.volumes.hostPath.path:("/" or "/proc" or "/root" or "/var" or "/var/run/docker.sock" or "/var/run/crio/crio.sock" or "/var/run/cri-dockerd.sock" or "/var/lib/kubelet" or "/var/lib/kubelet/pki" or "/var/lib/docker/overlay2" or "/etc" or "/etc/kubernetes" or "/etc/kubernetes/manifests" or "/home/admin")
 '''
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index 8db4db42a..8451dd09b 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -2,9 +2,9 @@
 creation_date = "2022/07/05"
 integration = "kubernetes"
 maturity = "production"
-min_stack_comments = "Necessary audit log fields not available prior to 8.2"
-min_stack_version = "8.2"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
index 98a096dd1..647d91027 100644
--- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
+++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/29"
 maturity = "production"
-updated_date = "2022/08/16"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index e8f9c357d..8af7f094a 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2022/05/30"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index cb87e6635..fd6fd1742 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/01"
 maturity = "production"
-updated_date = "2022/05/30"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index 61d2041dc..0fb774db5 100644
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2021/12/30"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index d152bc53a..13a919074 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index 1bd643578..45654f7fa 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index 1b839998c..18b0a97dd 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index c186b8e6f..075c90003 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
index df9ab1439..adafec017 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/13"
 integration = "o365"
 maturity = "production"
-updated_date = "2022/02/16"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 2b270b5ca..97d63de0b 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index e04ff860a..a15a7b4e7 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
index c3e5d09d6..4e4ca912f 100644
--- a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
+++ b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "development"
-updated_date = "2021/10/13"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index 613963e93..7daae5155 100644
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "production"
-updated_date = "2021/10/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index 9c92c20dc..0e9588b01 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "production"
-updated_date = "2021/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index 3727a0bb1..6dc020aac 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index 669e137ca..47dc36c97 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index 5d38fb7af..803497dc7 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
index 7a1d2a093..8c65fa571 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "development"
-updated_date = "2021/10/05"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
index 9e1591341..7fa3cce75 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/15"
 maturity = "production"
-updated_date = "2021/10/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
index 7b739f01c..461c24dbd 100644
--- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/12"
 integration = "o365"
 maturity = "production"
-updated_date = "2022/01/12"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
index 4239655f3..ed795805e 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/10"
 integration = "o365"
 maturity = "production"
-updated_date = "2022/01/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
index 505427744..3fe750c4d 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/10"
 integration = "o365"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index 23622c3b9..edd8dada3 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
index d121404ab..cf56129ab 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/07/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index 5619369f8..6b7572018 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index 1a0fab679..acc9716ae 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -2,7 +2,9 @@
 creation_date = "2022/01/06"
 integration = "o365"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
index d32b719d3..836040712 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2022/07/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
index 67bc2197d..bba76cffc 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index 10918a90f..954b92e4f 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index d42815e8a..884723ebc 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/17"
 maturity = "production"
-updated_date = "2021/10/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "o365"
 [rule]
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index c03e8a921..db75e5ba6 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 8d3669b2f..90aa3dc19 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
index bbdb7edf8..2c8321700 100644
--- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
+++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/05"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index c183eadf5..a07fcb683 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index 01701df4b..de88ffbe2 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/03/22"
 maturity = "production"
-updated_date = "2022/03/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index 772352d22..ddab4460c 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index 92f98af6f..4df86f540 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index bb447116d..171bf646b 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index 761968342..d2f8fae7f 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index 4d7986613..bc6f8ab4d 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index 336df740b..8cb518195 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index 858f566b2..4553719ba 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index 445d1cdd2..3fba102b2 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index e4aed3711..37e6f8283 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 982e8458a..6156e8d08 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index d02dcb724..444e8e42e 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index a3ea6d1df..35d8d8d82 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index 108afdab4..2c316553c 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index b2f655ef8..e9ffbb65d 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 4ceb6a981..950fc727c 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index 3d8a299b1..03103d0b2 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/14"
 maturity = "production"
-updated_date = "2021/10/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 1d46e5fee..0ba6ac995 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
index 4931d2f79..d941e1b94 100644
--- a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
+++ b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 0e0743422..1c259181d 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 2d04368f2..1109d2395 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index c24a7c895..88040f181 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index 4d46e0381..b6f58c794 100644
--- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index 82a72dfe7..c908c955a 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index 3fb4239a8..e0db1ed9c 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/01"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 integration = "okta"
 [rule]
diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
index 9f479d7df..c5cba2446 100644
--- a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
+++ b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/16"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -42,7 +44,7 @@ type = "eql"
 query = '''
 sequence by process.entity_id with maxspan=1m
-[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and 
+[network where event.type == "start" and event.action == "connection_attempted" and user.id == "0" and
 not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
 [process where event.action == "session_id_change" and user.id == "0" and not process.executable : ("/bin/ssh", "/sbin/ssh", "/usr/lib/systemd/systemd", "/usr/sbin/sshd")]
diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/linux/command_and_control_linux_iodine_activity.toml
index fdfbd6972..41db3e9ff 100644
--- a/rules/linux/command_and_control_linux_iodine_activity.toml
+++ b/rules/linux/command_and_control_linux_iodine_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index d38d0b831..fc157d19c 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/04/12"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 974b60247..87f8ddc93 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/22"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 736afdeec..0a216aca1 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2022/07/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 6fbe0d379..2aeed57af 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index b5e5cf34a..25ab699b9 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/17"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml
index 797dff731..ccfd5d84a 100644
--- a/rules/linux/defense_evasion_chattr_immutable_file.toml
+++ b/rules/linux/defense_evasion_chattr_immutable_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index e712df9eb..e6a718fb2 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/22"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index 13c7192ca..c8e00083e 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index fd9012555..2f48d1792 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/21"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index ea799dd3e..5dee1682f 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/04/29"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml
index e6937f26f..3598708e4 100644
--- a/rules/linux/defense_evasion_hidden_shared_object.toml
+++ b/rules/linux/defense_evasion_hidden_shared_object.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/20"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +29,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.action : "creation" and file.extension == "so" and file.name : ".*.so" 
+file where event.action : "creation" and file.extension == "so" and file.name : ".*.so"
 '''
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index da385d91c..05d864296 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/24"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index a5eef7011..0599cdb0b 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index 732997b8e..8aa75879f 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml
index 6e9d79e96..747da06d2 100644
--- a/rules/linux/discovery_linux_hping_activity.toml
+++ b/rules/linux/discovery_linux_hping_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/06/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml
index cf84f45e1..e125a0a56 100644
--- a/rules/linux/discovery_linux_nping_activity.toml
+++ b/rules/linux/discovery_linux_nping_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index 044841ca2..f5cc6c5e0 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/27"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index 1d4b67ba4..39380dca1 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/11"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_linux_netcat_network_connection.toml b/rules/linux/execution_linux_netcat_network_connection.toml
index 65097f952..b38217508 100644
--- a/rules/linux/execution_linux_netcat_network_connection.toml
+++ b/rules/linux/execution_linux_netcat_network_connection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index 9ec608508..0206e728f 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/16"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml
index 91eb38b51..8a11f126d 100644
--- a/rules/linux/execution_process_started_from_process_id_file.toml
+++ b/rules/linux/execution_process_started_from_process_id_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/11"
 maturity = "production"
-updated_date = "2022/05/12"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml
index 0fe504fdf..916fea94f 100644
--- a/rules/linux/execution_process_started_in_shared_memory_directory.toml
+++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/10"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -34,8 +36,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and 
- event.action == "exec" and user.name == "root" and 
+process where event.type == "start" and
+ event.action == "exec" and user.name == "root" and
 process.executable : (
 "/dev/shm/*",
 "/run/shm/*",
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index 63d8087ed..3ea9831b2 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/04/15"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and 
+event.category:process and event.type:(start or process_started) and
 process.name:python* and
 process.args:("import pty; pty.spawn(\"/bin/sh\")" or
 "import pty; pty.spawn(\"/bin/dash\")" or
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index e4dc0cf2c..d3e3c6788 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/06"
 maturity = "production"
-updated_date = "2022/08/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
index b7900e821..0feaaf4ea 100644
--- a/rules/linux/execution_tc_bpf_filter.toml
+++ b/rules/linux/execution_tc_bpf_filter.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/11"
 maturity = "production"
-updated_date = "2022/07/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml
index b4b8f0a7a..68e0e40ed 100644
--- a/rules/linux/impact_process_kill_threshold.toml
+++ b/rules/linux/impact_process_kill_threshold.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/27"
 maturity = "production"
-updated_date = "2022/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index d833f3626..6f07b0de7 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index e0915c924..cb493e9f0 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/23"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml
index 42efdaa34..09aa6fe73 100644
--- a/rules/linux/persistence_chkconfig_service_add.toml
+++ b/rules/linux/persistence_chkconfig_service_add.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -24,8 +26,8 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type == "start" and 
- (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or 
+process where event.type == "start" and
+ (process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or
 (process.args : "*chkconfig" and process.args : "--add")
 '''
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 15ecd152a..028107174 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/21"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index fef7f9af4..da5c28b53 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/12"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
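Review bot: In the chkconfig query on the new side, `and` binds tighter than `or` in EQL, so the `event.type == "start"` guard only covers the `/usr/sbin/chkconfig` alternative; the second alternative `(process.args : "*chkconfig" and process.args : "--add")` is evaluated on its own and matches any process event type for that command line, not just process starts, which can duplicate alerts on non-start events. Since these exact lines are already being rewritten for whitespace, wrap both alternatives: `process where event.type == "start" and` / `  ((process.executable : "/usr/sbin/chkconfig" and process.args : "--add") or` / `   (process.args : "*chkconfig" and process.args : "--add"))`. The query's closing `'''` is inside the hunk, so this is the complete expression being reviewed.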
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index 0dfeb99ed..230705365 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/22"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -54,7 +56,7 @@ reference = "https://attack.mitre.org/techniques/T1574/"
 [[rule.threat.technique.subtechnique]]
 id = "T1574.006"
 name = "Dynamic Linker Hijacking"
-reference = "https://attack.mitre.org/techniques/T1574/006/" 
+reference = "https://attack.mitre.org/techniques/T1574/006/"
 [[rule.threat.technique]]
 id = "T1543"
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index ba99631fb..149b2ab2c 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -1,12 +1,14 @@
 [metadata]
 creation_date = "2022/07/11"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior. 
+Detects the use of the insmod binary to load a Linux kernel object file. Threat actors can use this binary, given they have root privileges, to load a rootkit on a system providing them with complete control and the ability to hide from security products. Manually loading a kernel module in this manner should not be at all common and can indicate suspcious or malicious behavior.
 """
 from = "now-9m"
 index = ["logs-*"]
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 23da8be43..4dcabef11 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/06"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml
index 6052c4d2d..fce762812 100644
--- a/rules/linux/persistence_shell_activity_by_web_server.toml
+++ b/rules/linux/persistence_shell_activity_by_web_server.toml
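Review bot: The insmod rule's description on the new side still misspells `suspcious`; since this line is already being rewritten to drop trailing whitespace, change it to `suspicious` so the user-facing rule text reads cleanly. Only the metadata and the description are in this hunk; the query and the rest of the rule lie outside it.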
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index 0dfe418b0..bc2877b9b 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
-updated_date = "2021/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index 3c097c6f1..5de7817de 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/26"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index 393a90ec6..66d17e006 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index c3fc0ce38..bab45c5cb 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index a70a2b68d..92c407862 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/25"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index a44761bef..e7ecc76a4 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index a07953022..3b8cb920f 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index 0e5f6b7d0..d43dbdd2b 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/06"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 1793757b7..8460830c2 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/05"
 maturity = "production"
-updated_date = "2021/03/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_potential_ssh_bruteforce.toml b/rules/macos/credential_access_potential_ssh_bruteforce.toml
index c1dac3600..987844478 100644
--- a/rules/macos/credential_access_potential_ssh_bruteforce.toml
+++ b/rules/macos/credential_access_potential_ssh_bruteforce.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index bc2ee9eb7..fa6adab10 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 9e54cf24e..5c88932e6 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2022/03/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index 9d1d262aa..ac74b9f84 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/15"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -25,7 +27,7 @@ type = "query"
 query = '''
 event.category:process and event.type:(start or process_started) and
- process.name:defaults and
+ process.name:defaults and
 process.args:(write and "-bool" and (com.apple.SoftwareUpdate or /Library/Preferences/com.apple.SoftwareUpdate.plist) and not (TRUE or true))
 '''
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 92d1bf9c0..e3ae4dd6b 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index b5de04075..24fa92038 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -26,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:(start or process_started) and
+event.category:process and event.type:(start or process_started) and
 process.args:(spctl and "--master-disable")
 '''
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index 00a38318d..569e56157 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2022/07/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index 52ec9d8ba..7934ef6c5 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index be7c89412..1a283b58c 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 6c160808b..b745b7d49 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/11"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index 268fe3771..4d208175c 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/14"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 1bbc4c24e..27bd40bb7 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index 45a66834f..0617a5318 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index e4ec41277..64598d357 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2022/21/07"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 040026757..fc629b1d0 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/12"
 maturity = "production"
-updated_date = "2022/07/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index cbff61140..0ca015722 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index f8e2a26f4..f4ac8cd90 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/08/12"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index 7bf3ccc4a..5fab7a995 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -1,13 +1,15 @@
 [metadata]
 creation_date = "2021/02/23"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
 description = """
-Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl).
-Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software.
+Detects the execution of a MacOS installer package with an abnormal child process (e.g bash) followed immediately by a network connection via a suspicious process (e.g curl).
+Threat actors will build and distribute malicious MacOS installer packages, which have a .pkg extension, many times imitating valid software in order to persuade and infect their victims often using the package files (e.g pre/post install scripts etc.) to download additional tools or malicious software.
 If this rule fires it should indicate the installation of a malicious or suspicious package.
 """
 false_positives = [
@@ -34,8 +36,8 @@ type = "eql"
 query = '''
 sequence by host.id, user.id with maxspan=30s
-[process where event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
-[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
+[process where event.type == "start" and event.action == "exec" and process.parent.name : ("installer", "package_script_service") and process.name : ("bash", "sh", "zsh", "python", "osascript", "tclsh*")]
+[network where event.type == "start" and process.name : ("curl", "osascript", "wget", "python")]
 '''
 [[rule.threat]]
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index 4636116f4..8bed1e85a 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 64d39eea8..9d98ed40b 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/07/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index 676757576..fcf05ceb1 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/06/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index d2fbc37c0..6a624b12b 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/03/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -28,24 +30,24 @@ process where event.type in ("start", "process_started") and
 process.parent.name:("Microsoft Word", "Microsoft PowerPoint", "Microsoft Excel") and
 process.name: (
- "bash",
- "dash",
- "sh",
- "tcsh",
- "csh",
- "zsh",
- "ksh",
- "fish",
- "python*",
- "perl*",
- "php*",
+ "bash",
+ "dash",
+ "sh",
+ "tcsh",
+ "csh",
+ "zsh",
+ "ksh",
+ "fish",
+ "python*",
+ "perl*",
+ "php*",
 "osascript",
- "pwsh",
- "curl",
- "wget",
- "cp",
- "mv",
- "base64",
+ "pwsh",
+ "curl",
+ "wget",
+ "cp",
+ "mv",
+ "base64",
 "launchctl"
 ) and
 /* noisy false positives related to product version discovery and office errors reporting */
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index dcc836e81..503439edc 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/12"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -23,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category:process and event.type:start and
+event.category:process and event.type:start and
 process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u or ("-ticket" and ptt) or (dump and (tickets or keytab))))
 '''
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index 34691b1a2..6c38458ae 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/25"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index bc970d231..ab28fd91f 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 69f97ef01..df6136f0f 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/25"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 31cc60b97..3a593cb80 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index f67eea227..8134e47db 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -26,7 +28,7 @@ type = "eql"
 query = '''
 sequence by host.id with maxspan=1m
- [file where event.type != "deletion" and
+ [file where event.type != "deletion" and
 file.path : ("/System/Library/LaunchAgents/*", "/Library/LaunchAgents/*", "/Users/*/Library/LaunchAgents/*") ]
 [process where event.type in ("start", "process_started") and process.name == "launchctl" and process.args == "load"]
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index 01451501a..497a15c41 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index 41a6f1d51..9438a6313 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index 35a10afd8..dd18874a9 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml
index 4387eeb91..e9bbfc947 100644
--- a/rules/macos/persistence_crontab_creation.toml
+++ b/rules/macos/persistence_crontab_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/04/25"
 maturity = "production"
-updated_date = "2022/04/25"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -26,7 +28,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type != "deletion" and process.name != null and
+file where event.type != "deletion" and process.name != null and
 file.path : "/private/var/at/tabs/*" and not process.executable == "/usr/bin/crontab"
 '''
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
index fce77f91f..f534a1397 100644
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml
index 49714ab2c..75832127a 100644
--- a/rules/macos/persistence_directory_services_plugins_modification.toml
+++ b/rules/macos/persistence_directory_services_plugins_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/13"
 maturity = "production"
-updated_date = "2022/07/25"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index e46352a3c..62a1136e6 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2021/08/25"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -27,8 +29,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.category : file and event.action : modification and
- file.path : /Users/*/Library/Preferences/com.apple.dock.plist and
+event.category : file and event.action : modification and
+ file.path : /Users/*/Library/Preferences/com.apple.dock.plist and
 not process.name : (xpcproxy or cfprefsd or plutil or jamf or PlistBuddy or InstallerRemotePluginService)
 '''
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 48fcbcafd..65dc9008d 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2022/05/16"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index 1246a62c0..fde1d0b5a 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/11"
 maturity = "production"
-updated_date = "2021/03/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml
index f760c40ac..48fee93aa 100644
--- a/rules/macos/persistence_enable_root_account.toml
+++ b/rules/macos/persistence_enable_root_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/04"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index 0de21067d..9e731724f 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index 967ae50d8..6e9215e78 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2022/08/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -24,6 +26,7 @@ risk_score = 47
 rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906"
 severity = "medium"
 tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 3e5bfd31f..3a6f83760 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index 38b4b1d16..791796d56 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
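Review bot: `+timestamp_override = "event.ingested"` in rules/macos/persistence_finder_sync_plugin_pluginkit.toml is the one change to rule behaviour in a commit that otherwise touches only `[metadata]` keys and whitespace, and neither the hunk nor the new `min_stack_comments` string records it. Running this `type = "eql"` rule against ingest time rather than the event's own timestamp changes which documents each execution's lookback window covers: events the agent delivered late are no longer silently skipped, while alert ordering now follows ingestion. That is a sensible default for a file-based persistence rule, but a change that alters what the rule fires on should be called out in the commit description rather than buried among date bumps.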
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index 31e1f9d45..ad3afc983 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index 1b1b59ae5..4525ed5a6 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/07/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
index 70f528ef7..5fbac202a 100644
--- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 99009173a..7941b93cd 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2022/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index 995245bb5..edcbaabc1 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index eac455d9f..64fe1a33c 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index 75a41d02c..4a5f09ff1 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index 537ec8cdc..8e2c38d17 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/27"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index 5fe38cdc1..042ba1e17 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index f734d500b..d4013e65c 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/07/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
index 0f5514d0b..d4d570f67 100644
--- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml
+++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/05"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index 759156414..6e01d7d74 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/27"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
index 0def13bb6..0ed8ae130 100644
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
index 1b86ce26e..9dc4d369e 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
index 3887f8ce0..1465e4974 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
index 58f246dd2..536118465 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
index 764dfe226..49e4b61c2 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
index 3faf81a15..2414cfe07 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
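Review bot: The rewritten `min_stack_comments` in the credential_access_ml_auth_spike_in_failed_logon_events hunk discards the earlier justification for the stack floor (`ML job introduced in 7.14`) and keeps only the new-field reason, so the metadata no longer records that 7.14.0 was already a hard floor for this ML job; the same loss occurs in the spike_in_logon_events, spike_in_logon_events_from_a_source_ip, rare_hour_for_a_user_to_logon, rare_source_ip_for_a_user and rare_user_logon hunks. The new 8.3.0 floor appears to be motivated by the schema fields rather than the job itself, so if that reason is ever relaxed the job constraint is what remains and nobody will find it. Carrying both reasons in the one string, e.g. `min_stack_comments = "ML job introduced in 7.14; new fields added: required_fields, related_integrations, setup"`, preserves that history at no cost. The ordering of `updated_date` relative to the `min_stack_*` keys also differs between hunks in this commit, which a formatter pass over the rules tree could normalize.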
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
index 5424191af..8fb0d2ea7 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
index 216b8c5ec..9576661e2 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/17"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
index edce166ce..7f024209c 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/17"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml
index 79e9b9ddb..d9e2c5d60 100644
--- a/rules/ml/credential_access_ml_suspicious_login_activity.toml
+++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
index 620a546d3..2dc000a2b 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index 47c7da06e..9982d2852 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml
index eb7bc7b27..dd92ad046 100644
--- a/rules/ml/discovery_ml_linux_system_information_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
index db5319f19..21021f95f 100644
--- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/07/20"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 25
diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
index a57b94166..5d518840f 100644
--- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml
index add207132..31efb14ce 100644
--- a/rules/ml/discovery_ml_linux_system_process_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml
index 70f1708f4..b6d8ac10b 100644
--- a/rules/ml/discovery_ml_linux_system_user_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
index b627f8d31..589f986e4 100644
--- a/rules/ml/execution_ml_windows_anomalous_script.toml
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
index 503a63f70..d7d8cc71c 100644
--- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
index 1e92cca5d..bdd5ae206 100644
--- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
+++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
index 557e77713..102d6bdb5 100644
--- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "ML job introduced in 7.14"
-min_stack_version = "7.14.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 anomaly_threshold = 75
diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
index 8c4fdc43a..ccb7eb449 100644
--- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index c24b0177f..1af67351a 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
index c3dfcec90..5d1801bea 100644
--- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml
index ea7f00a4f..ec4f84ddb 100644
--- a/rules/ml/ml_high_count_network_denies.toml
+++ b/rules/ml/ml_high_count_network_denies.toml
@@ -1,18 +1,20 @@ [metadata] creation_date = "2021/04/05" maturity = "production" -updated_date = "2021/06/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected an unusually large spike in network traffic that was +A machine learning job detected an unusually large spike in network traffic that was denied by network access control lists (ACLs) or firewall rules. Such a burst of denied traffic is usually caused by -either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. -Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), -or engage in data exfiltration, may produce a burst of failed connections. This could also -be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service +either 1) a mis-configured application or firewall or 2) suspicious or malicious activity. +Unsuccessful attempts at network transit, in order to connect to command-and-control (C2), +or engage in data exfiltration, may produce a burst of failed connections. This could also +be due to unusually large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic. """ false_positives = [ diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml index 38cb5ab7f..39a4fc12e 100644 --- a/rules/ml/ml_high_count_network_events.toml +++ b/rules/ml/ml_high_count_network_events.toml 
@@ -1,21 +1,23 @@ [metadata] creation_date = "2021/04/05" maturity = "production" -updated_date = "2021/08/14" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, -if not caused by a surge in business activity, can be due to suspicious or malicious activity. -Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually -large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may +A machine learning job detected an unusually large spike in network traffic. Such a burst of traffic, +if not caused by a surge in business activity, can be due to suspicious or malicious activity. +Large-scale data exfiltration may produce a burst of network traffic; this could also be due to unusually +large amounts of reconnaissance or enumeration traffic. Denial-of-service attacks or traffic floods may also produce such a surge in traffic. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve an unusual surge in network traffic, + Business workflows that occur very occasionally, and involve an unusual surge in network traffic, can trigger this alert. A new business workflow or a surge in business activity may trigger this alert. A misconfigured network application or firewall may trigger this alert. """, diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index 1718ac485..1740f13f7 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/05/12"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index 13f4ec42d..216d2f90c 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/05/12"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index 3ff8f3b65..27e76f3ce 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 50
diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml
index 59c7a9ebb..a6e07c810 100644
--- a/rules/ml/ml_rare_destination_country.toml
+++ b/rules/ml/ml_rare_destination_country.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/04/05"
 maturity = "production"
-updated_date = "2021/06/15"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 anomaly_threshold = 75
@@ -9,20 +11,20 @@ author = ["Elastic"] description = """ A machine learning job detected a rare destination country name in the network logs. This can be due to initial access, persistence, command-and-control, or exfiltration activity. -For example, when a user clicks on a link in a phishing email or opens a malicious document, -a request may be sent to download and run a payload from a server in a country which does not -normally appear in network traffic or business work-flows. Malware instances and persistence -mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, -which may be an unusual destination country for the source network. +For example, when a user clicks on a link in a phishing email or opens a malicious document, +a request may be sent to download and run a payload from a server in a country which does not +normally appear in network traffic or business work-flows. Malware instances and persistence +mechanisms may communicate with command-and-control (C2) infrastructure in their country of origin, +which may be an unusual destination country for the source network. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve a business relationship with an + Business workflows that occur very occasionally, and involve a business relationship with an organization in a country that does not routinely appear in network events, can trigger this alert. - A new business workflow with an organization in a country with which no workflows previously - existed may trigger this alert - although the model will learn that the new destination country - is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many - countries for brief periods may trigger this alert. 
+ A new business workflow with an organization in a country with which no workflows previously + existed may trigger this alert - although the model will learn that the new destination country + is no longer anomalous as the activity becomes ongoing. Business travelers who roam to many + countries for brief periods may trigger this alert. """, ] from = "now-30m" diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 02b2266bb..711353d5b 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml 
@@ -1,25 +1,27 @@ [metadata] creation_date = "2021/04/05" maturity = "production" -updated_date = "2021/06/15" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2022/08/24" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job detected an unusually large spike in network activity to one -destination country in the network logs. This could be due to unusually large amounts -of reconnaissance or enumeration traffic. Data exfiltration activity may also produce -such a surge in traffic to a destination country which does not normally appear in network -traffic or business work-flows. Malware instances and persistence mechanisms may communicate -with command-and-control (C2) infrastructure in their country of origin, which may be an +A machine learning job detected an unusually large spike in network activity to one +destination country in the network logs. This could be due to unusually large amounts +of reconnaissance or enumeration traffic. Data exfiltration activity may also produce +such a surge in traffic to a destination country which does not normally appear in network +traffic or business work-flows. Malware instances and persistence mechanisms may communicate +with command-and-control (C2) infrastructure in their country of origin, which may be an unusual destination country for the source network. """ false_positives = [ """ - Business workflows that occur very occasionally, and involve an unusual surge in network traffic - to one destination country, can trigger this alert. A new business workflow or a surge in business - activity in a particular country may trigger this alert. Business travelers who roam to many + Business workflows that occur very occasionally, and involve an unusual surge in network traffic + to one destination country, can trigger this alert. 
A new business workflow or a surge in business + activity in a particular country may trigger this alert. Business travelers who roam to many countries for brief periods may trigger this alert if they engage in volumetric network activity. """, ] diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 7d25b013d..430ebdb09 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2022/05/12" -min_stack_comments = "Supports latest version of ML job introduced in 8.3" +updated_date = "2022/08/24" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" [rule] diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml index 3d3087f81..2063a8e5a 100644 --- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml @@ -1,8 +1,8 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2022/07/20" -min_stack_comments = "Supports latest version of ML job introduced in 8.3" +updated_date = "2022/08/24" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" [rule] diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml index 752dd900c..292ac6cf2 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml 
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
index 7fc189fed..eb58bda47 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
index 202bb0857..43a5dc8cf 100644
--- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
index e5cf3ff16..386a6c5c4 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
index d6604ba29..ecc75619b 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml
index 567ab2817..fa5dbfd52 100644
--- a/rules/ml/persistence_ml_windows_anomalous_service.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_service.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
index b46168224..374ee419f 100644
--- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
+++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
index dcde9607e..a4a7c0f16 100644
--- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
index c3be167ee..e2344b5c9 100644
--- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/07/18"
-min_stack_comments = "Supports latest version of ML job introduced in 8.3.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
 [rule]
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index 0cf487f03..64a54d756 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 78c58aa67..d98a18edd 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/05"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index bf64d4062..416a4a71e 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/12/06"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 21726926b..1b31af2f2 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index 74f56e483..e46f22010 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index a6e23998f..037247bec 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index da93ea481..984bc2171 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 7041c7995..e2efb9f8c 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_telnet_port_activity.toml b/rules/network/command_and_control_telnet_port_activity.toml
index 57317c937..2e080d1e7 100644
--- a/rules/network/command_and_control_telnet_port_activity.toml
+++ b/rules/network/command_and_control_telnet_port_activity.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 25c22a1f8..a0a6679f4 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 4e2af0def..2e3e15c6b 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index e7404a012..9ae1e20ed 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index b03ebd5c0..ceeb34496 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 9eaceac7e..698c01a64 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index 90ecee9d6..3c28a5b88 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/11"
 maturity = "production"
-updated_date = "2021/05/10"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
index 075da944f..747224dd4 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
index 50844f50a..61eee0e03 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml
index 5b68b4260..e46a2cbed 100644
--- a/rules/promotions/endgame_adversary_behavior_detected.toml
+++ b/rules/promotions/endgame_adversary_behavior_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/12/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml
index 486f13b68..7c8cc341b 100644
--- a/rules/promotions/endgame_malware_detected.toml
+++ b/rules/promotions/endgame_malware_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/12/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml
index 2741cf214..04caa2494 100644
--- a/rules/promotions/endgame_malware_prevented.toml
+++ b/rules/promotions/endgame_malware_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/12/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml
index c5f22e242..bd31657eb 100644
--- a/rules/promotions/endgame_ransomware_detected.toml
+++ b/rules/promotions/endgame_ransomware_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/12/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml
index 14052bfaa..e5c66a406 100644
--- a/rules/promotions/endgame_ransomware_prevented.toml
+++ b/rules/promotions/endgame_ransomware_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/12/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml
index 609960550..8162f2555 100644
--- a/rules/promotions/execution_endgame_exploit_detected.toml
+++ b/rules/promotions/execution_endgame_exploit_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml
index 54df45458..a40897845 100644
--- a/rules/promotions/execution_endgame_exploit_prevented.toml
+++ b/rules/promotions/execution_endgame_exploit_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml
index 79043d890..bcdf8db18 100644
--- a/rules/promotions/external_alerts.toml
+++ b/rules/promotions/external_alerts.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/08"
 maturity = "production"
-updated_date = "2021/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
index c13730199..117302715 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
index 3c3e950eb..baeb525c2 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
index b95c7f9b5..d52db07d9 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
index baf4814ad..f9f7b9d5b 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
index 6ac709f63..8714ffa7c 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
index dee0eb2ff..d7fe5b42c 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml
index 303a206f1..a729bc577 100644
--- a/rules/windows/collection_email_powershell_exchange_mailbox.toml
+++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index d97c9cd9b..4d55390af 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml
index c61454c42..b19087a91 100644
--- a/rules/windows/collection_posh_keylogger.toml
+++ b/rules/windows/collection_posh_keylogger.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml
index ea98f15c1..48dcda0d4 100644
--- a/rules/windows/collection_posh_screen_grabber.toml
+++ b/rules/windows/collection_posh_screen_grabber.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml
index 5ca39206e..332442357 100644
--- a/rules/windows/collection_winrar_encryption.toml
+++ b/rules/windows/collection_winrar_encryption.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml
index 88ab60d76..61cc02e66 100644
--- a/rules/windows/command_and_control_certutil_network_connection.toml
+++ b/rules/windows/command_and_control_certutil_network_connection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/19"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml
index c83f8df02..2a839ec2a 100644
--- a/rules/windows/command_and_control_common_webservices.toml
+++ b/rules/windows/command_and_control_common_webservices.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2022/05/16"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index e7f3516c8..369eed0c1 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index 8979e423b..92f0fdd4a 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index c6af56a51..1cf2dca8d 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/28"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 5550fce14..5da8e1bbf 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index 144464a55..e591807e2 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index 387e42187..8b16c283c 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index bf99ab3ba..861897938 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index a725d5e9c..15ad517a7 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -75,9 +77,9 @@ type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=30s
 [network where process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and network.protocol == "dns" and
- not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and
+ not dns.question.name : ("localhost", "*.microsoft.com", "*.azureedge.net", "*.powershellgallery.com", "*.windowsupdate.com", "metadata.google.internal") and
 not user.domain : "NT AUTHORITY"]
- [file where process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and
+ [file where process.name : "powershell.exe" and event.type == "creation" and file.extension : ("exe", "dll", "ps1", "bat") and
 not file.name : "__PSScriptPolicy*.ps1"]
 '''
 
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 31a7c0202..234ae3a66 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 2f38f261c..563ba79bd 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index 92d7cd735..1d2b34619 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 249e2ddce..3c06f200d 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ Directory `Ntds.dit` file.
 - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
-- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
+- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
 modifications, and any spawned child processes.
 - Investigate other alerts associated with the user/host during the past 48 hours.
 - Examine the command line to identify what information was targeted.
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 4859ea0c8..7001aa2c8 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 35c56fb4b..e2e39e1be 100755
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -34,7 +36,7 @@ credential access activities.
 - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
-- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
+- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
 modifications, and any spawned child processes.
 - Investigate other alerts associated with the user/host during the past 48 hours.
 - Examine the command line to identify the `.csproj` file location.
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index 99628ad60..160e38071 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/08"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index a3bbfb742..ef2e66200 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/24"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 4992858da..3f1e8cc76 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 40dd670c3..f9c480186 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index 224df3d85..a6cb9e462 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index eba67d253..ef75e47a9 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index 335896d91..b5cebe2b6 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/07/29"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index 15f675f06..78e3413da 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/06/29"
 maturity = "production"
-updated_date = "2022/06/29"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index d91fdb45b..9a393f8d0 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2022/08/02"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index 7d2f763e0..a18d56b33 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index f4ddafe66..d690d19c8 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index edde3a347..c09be8af0 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "production"
-updated_date = "2022/05/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 0b5fd0bf9..ed0d60b37 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/07/29"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
index 4af9eb1e3..be0652459 100644
--- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-min_stack_comments = "File header bytes field populated until 7.15."
-min_stack_version = "7.15.0"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index 3536aa91d..be6289fe7 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/18"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index fbc289771..57d4cabde 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/05"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 52aeb5f57..ff6c3ce5f 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/24"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index 6222ee588..db728f799 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/09/27"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index d47a34ea9..4c8c0e89d 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/04/30"
 maturity = "production"
-updated_date = "2022/04/30"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -23,15 +25,16 @@ risk_score = 73
 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+timestamp_override = "event.ingested"
 type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
 process.name : "rundll32.exe" and
-
+
 /* Rundll32 WbeDav Client */
- process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and
-
+ process.args : ("?:\\Windows\\System32\\davclnt.dll,DavSetCookie", "?:\\Windows\\SysWOW64\\davclnt.dll,DavSetCookie") and
+
 /* Access to named pipe via http */
 process.args : ("http*/print/pipe/*", "http*/pipe/spoolss", "http*/pipe/srvsvc")
 '''
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index 431ad2d7a..5c15e0e4e 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
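Review bot: The comment `/* Rundll32 WbeDav Client */` kept on the new side of the second hunk (credential_access_relay_ntlm_auth_via_http_spoolss.toml) misspells WebDAV; since the two `process.args` lines around it are already being rewritten for whitespace, it should be corrected in the same pass to `/* Rundll32 WebDAV client */`. The added `timestamp_override = "event.ingested"` presumably moves the rule's time-range query from `@timestamp` to ingest time, which is a behavioural change, yet nothing in the file records why it was added — the `min_stack_comments` in the first hunk only mentions the new schema fields, so a one-line note such as `# timestamp_override: evaluate on ingest time so late-arriving endpoint events are not missed` (or the actual reason) would help the next maintainer. Whether every index the rule reads populates `event.ingested` is not visible here; if some do not, confirm how the detection engine treats a missing override field before relying on it for alert timing.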
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2022/03/01"
 maturity = "production"
-min_stack_comments = "The field `file.Ext.header_bytes` was not introduced until 7.15"
-min_stack_version = "7.15.0"
-updated_date = "2022/07/30"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index 1f317a28b..6a214a848 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 498a1ca0a..927a52eb0 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/27"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index eb8ba1019..0910b1d49 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/26"
 maturity = "production"
-updated_date = "2022/04/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index b7294aac8..12878bacd 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/22"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index 2d94e68d0..463542ea0 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/17"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index bc9c9a1c3..ebc49b167 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/07"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index e07435001..50b5f1f2d 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/10/14"
-updated_date = "2022/02/28"
+updated_date = "2022/08/24"
 maturity = "production"
-min_stack_version = "7.14.0"
-min_stack_comments = "Cardinality field not added to threshold rule type until 7.14."
+min_stack_version = "8.3.0"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 [rule]
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index eadb2b474..5fbd1b854 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/16"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -41,7 +43,7 @@ modifications, and processes created.
 ### False positive analysis
 - If this activity is expected and noisy in your environment, benign true positives (B-TPs) can be added as exceptions
-if necessary.
+if necessary.
 ### Response and remediation
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 9d9ec54cc..e972bee0a 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/12/25"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index 89b1c2be6..5fc0013f1 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/11/27"
-updated_date = "2022/03/31"
+updated_date = "2022/08/24"
 maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index 8dffa5da1..53a70ea98 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index 2cde9436b..465568984 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/06/01"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index e3de73a4d..717630160 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/11/22"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index f38758723..dd40f7079 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/08"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 248c209fd..6ac497691 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index 2a022aee2..e29aa582a 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/02/01"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index 07d15a1c7..4e02f3e13 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/19"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 19cfe4d4e..f70bdb662 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index e9e6d2edf..adac067f4 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/20"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 1b9d1c547..f30f1c8e3 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index 41011adf8..20a402446 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/31"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index dc98a8dc7..20bb4568f 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 9dd37de19..051dae54b 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index b23c86bc7..9b16158eb 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/06"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 560f2d795..24a7c4173 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/22"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 588a78273..ba879e035 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index ba0d52245..d474f8116 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index 0592b61ba..b2c7b958f 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 35df953dc..01c9f1386 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/09/08"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index d1d7ec960..61535ca73 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2022/07/20"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index bac0405d7..531eb5b0b 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
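Review bot: The rewritten `min_stack_comments` in defense_evasion_execution_lolbas_wuauclt.toml discards the earlier reason for the version floor ("Comprehensive timeline templates only available in 8.2+") even though that constraint still applies under 8.3.0; the same loss happens in defense_evasion_file_creation_mult_extension.toml ("EQL regex syntax introduced in 7.12") and defense_evasion_suspicious_certutil_commands.toml later in this commit. Keeping both reasons stops a later maintainer from lowering the floor once the new-fields requirement is relaxed, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; comprehensive timeline templates only available in 8.2+"`. As a point of style, this hunk leaves `updated_date` above the two `min_stack_*` keys while the `-1,7 +1,9` hunks elsewhere in the commit insert them after `maturity` and put `updated_date` last; one ordering across the rule set would make future metadata diffs easier to read.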
@@ -40,7 +42,7 @@ execution of malicious documents.
 - Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
-- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
+- Investigate abnormal behaviors observed by the subject process, such as network connections, registry or file
 modifications, and any spawned child processes.
 - Investigate other alerts associated with the user/host during the past 48 hours.
 - Retrieve MS Office documents received and opened by the user that could cause this behavior. Common locations include,
@@ -75,7 +77,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index a62d75041..0806d9a0c 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 8752c8e19..f184d0ae9 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index b14688c4b..9989869bf 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index b096c92c1..d53352154 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index 955a53ea7..4a8300d01 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 387b75639..861f269e8 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/07"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic", "Dennis Perto"]
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index 0d0d67ae1..61979ad96 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index add66ec4c..e935731ae 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index fd85c2119..329ccf66d 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index c31f119af..71f1ad181 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/04/14"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index f5864bd39..190bd5a74 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index 828cfdc91..f4dfd3c8e 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index f62ca5f74..c9a234b7f 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 0828749b9..834bc5921 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index c33ccef3d..c918c010e 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index e7161d089..04b181254 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index 25b898ad3..f068cd776 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/24"
 maturity = "production"
-updated_date = "2021/10/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 5d7a7ba29..78b3a3696 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index e8504e288..9a6486dc1 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index 31ee40955..65d4dcbaa 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/12"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index c10dcf45a..6359cd910 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 1b6bc53ba..db78aef29 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/09/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index fc2a853d3..56d1aaa2b 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index f6109ebb4..26fa968a2 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 9e5ecf447..a22b0b9d9 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index f85daba07..81212aff7 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
index 48f5b6e00..ffeacb3e9 100644
--- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
+++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2021/07/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -42,7 +44,7 @@ sequence by host.id, user.id with maxspan=5m
 ] by process.pid
 [process where event.type == "start" and process.parent.Ext.real.pid > 0 and
 /* process.parent.Ext.real.pid is only populated if the parent process pid doesn't match */
-
+
 not (process.name : "msedge.exe" and process.parent.name : "sihost.exe")
 ] by process.parent.Ext.real.pid
 '''
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index 238e72e3a..13858de69 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index b486d12cf..ffb36c804 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/19"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 97779af30..0d5184141 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/14"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml
index 28f8d5a50..40e8e9e85 100644
--- a/rules/windows/defense_evasion_potential_processherpaderping.toml
+++ b/rules/windows/defense_evasion_potential_processherpaderping.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index 481f5dfae..e18dd020f 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Austin Songer"]
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index 616887007..58f8fc802 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2022/08/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -24,7 +26,7 @@ type = "eql"

 query = '''
 sequence by host.id with maxspan=5s
- [process where event.type == "end" and
+ [process where event.type == "end" and
 process.code_signature.trusted == false and
 not process.executable : ("C:\\Windows\\SoftwareDistribution\\*.exe", "C:\\Windows\\WinSxS\\*.exe")
 ] by process.executable
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index 2827666da..0e49f385f 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/31"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -26,6 +28,7 @@ risk_score = 73
 rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a"
 severity = "high"
 tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
 type = "eql"

 query = '''
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 24ea0ce45..78fb8df71 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index 8b069e3c1..9410f0173 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index 26ba3a776..f19450462 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
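Review bot: The added `timestamp_override = "event.ingested"` in defense_evasion_proxy_execution_via_msdt.toml is the only non-metadata change in this file, yet nothing records why this rule alone receives it, and the `min_stack_comments` text added earlier in the same file lists only required_fields, related_integrations and setup. A short comment above the key would preserve the intent for the next maintainer, e.g. `# Evaluate the rule's lookback on ingest time so late-arriving endpoint events are still matched` (assuming that is the reason; adjust if it is something else). The rule's `query = '''` body begins after the hunk, so I could not check how the override interacts with the query itself.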
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index 74952e3a1..d438ea117 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 2b4a23fcc..5c264a229 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index 628e5d7b1..c0ebb515d 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"

 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index ea95c5ac1..5b5cddc7f 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/28"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index c885b93f2..fc277c2c9 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -23,7 +25,7 @@ type = "eql"

 query = '''
 sequence by process.entity_id with maxspan=5m
- [process where event.type == "start" and
+ [process where event.type == "start" and
 process.name : ("wscript.exe", "cscript.exe", "mshta.exe", "wmic.exe", "regsvr32.exe", "svchost.exe", "dllhost.exe", "cmstp.exe")]
 [file where event.type != "deletion" and file.name : ("wscript.exe.log",
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index b5132a60e..3ce9febd7 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/11"
 maturity = "production"
-updated_date = "2022/07/30"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index 11d4b4be0..d7f0ff9e3 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/24"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index 4edc902ad..a9b022ce8 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index 978d4c730..925f683e2 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2022/07/18"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index b66064a65..fa88e3a57 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 347a288c9..2e5e03b0b 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index ad7083482..6c9ed6771 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 714cab64f..004e22e66 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index 89516e87e..1aadd0b37 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index 5b1a36a54..c0e02b91e 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/05/28"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index 63ec1b1c9..9cbfa12f8 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 73cec9c2c..45d36bda3 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index b61d1ab8b..e8da6bc58 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 840911786..1268e86f2 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index 5680002eb..3e47ac99f 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/03/02"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 5166b5dad..a9a040432 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 9db5ed801..efbd0638a 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index f29e17be0..c01dc0af7 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/03/18"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index 1cb97983a..74340e2bf 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/31"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index 20bc4c12c..de79b18a1 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 9d82dda66..aea0e9576 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
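Review bot: The rewritten `min_stack_comments` in discovery_command_system_account.toml drops the original reason for the floor ("EQL optional fields syntax was not introduced until 7.16") and keeps only the new-fields reason; the same loss happens in execution_command_shell_started_by_svchost.toml (timeline templates, 8.2), execution_register_server_program_connecting_to_the_internet.toml (optional fields, 7.16) and execution_suspicious_powershell_imgload.toml (EQL regex syntax, 7.12). An 8.3.0 floor subsumes those older constraints today, but if it is later lowered once the new fields no longer gate the rule, nothing left in the file records that the query itself still needs the older feature. Keeping both reasons in the one string preserves that, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; EQL optional fields syntax requires 7.16+"`.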
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 4c0feb423..bf84837c3 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/13"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
index 8af6b60bb..dccba0518 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/04"
 maturity = "production"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index fef327af8..d822c7b5d 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/15"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index 1030003c6..df268f126 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/06/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index 3365e23a0..2ddcef7e3 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/04/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index 1a3ee7046..14b5eb745 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 02fbad45b..73c4486b7 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index 842b7e305..59fa893d9 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 5f123a7ab..f34b52b1d 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index d521f15c7..e127caf03 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2021/05/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index 014993e39..8563addf9 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/03"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index 39e4ec455..59849446d 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/21"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index dd406eaeb..a9db9e87d 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index 819406f15..7409b4e05 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2021/09/23"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index ae04debda..89ee324fc 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 maturity = "development"
 query_schema_validation = false
-updated_date = "2022/08/17"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index a4194430c..85d57219d 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index f8370250d..88fd4fa7e 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index e4cc47013..b4102eb23 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 12a8bab11..cdea617da 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -65,7 +67,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 14e53e6cb..75e4a0377 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -19,7 +21,7 @@ note = """## Triage and analysis
 ### Investigating Execution of File Written or Modified by PDF Reader
-PDF is a common file type used in corporate environments and most machines have software to 
+PDF is a common file type used in corporate environments and most machines have software to
 handle these files. This creates a vector where attackers can exploit the engines and technology behind this class of software for initial access or privilege escalation.
@@ -64,7 +66,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. 
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index b20181093..0106950c7 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index c40773fa2..5ce13c0f8 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/15"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 7ec0e1808..d697c1689 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 1f586ed2b..47e7f9988 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index eea8d7e2d..5adbd0ecd 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 0e1e196ba..eb0103d8a 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 1ccfb17e6..b884ac562 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index 8f6361259..8f6e3d5c1 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 2fb99c696..6e8447109 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/30"
 maturity = "production"
-updated_date = "2022/05/21"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index c543dd0a1..2b0da73e8 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 277f4556a..a5b85e49d 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 9f5aa5861..e03e57ce4 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index b3b3a3dde..aaff7b9e9 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index c10dc9be6..edfb98051 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 07f355d36..cc68269a1 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/01"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 78c8dd66c..bc4f2dbae 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index 08bd6c265..d5ec92094 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/16"
 maturity = "production"
-updated_date = "2022/07/29"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index 7ed6ca4d4..f43540649 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/03"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index a049d324d..bb92b2428 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 5aa7db9cf..7c676d94e 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/19"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 9f6e33d60..88ac96c3c 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index 89d55f8ae..34fa1477c 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/07/03"
 maturity = "production"
-updated_date = "2022/07/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index 8ad0c47c2..ffa8551cc 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index 636783ea4..6c5c5f281 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/27"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index b97252ffa..c100567b4 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 170467c5b..6068ea9c0 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/04"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index 1fb11a8ec..dc6994c27 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/08"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 8af826f09..917415c95 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -64,7 +66,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 397e53e29..b5a2b80ba 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -61,7 +63,7 @@ systems, and web services.
 - Remove and block malicious artifacts identified during triage.
 - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components.
-- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - If the malicious file was delivered via phishing:
 - Block the email sender from sending future emails.
 - Block the malicious web pages.
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index ad9b101a0..0568e1416 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -30,7 +32,7 @@ versions 2003 to 2019 and can be triggered by a malicious DNS response. Because
 privileges (SYSTEM), an attacker that successfully exploits it is granted Domain Administrator rights. This can effectively compromise the entire corporate infrastructure.
-This rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a
+This rule looks for unusual children of the `dns.exe` process, which can indicate the exploitation of the SIGRed or a
 similar remote code execution vulnerability in the DNS server.
 #### Possible investigation steps
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index 634aef780..02884a3ac 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 9f6293858..f315225db 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/29"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index 5610adb23..3b3e05b4a 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index 8b898b011..d8488e1d8 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index b8c2de134..2a3e1cd8f 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/01/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index 7abcd80c5..214a92111 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2022/01/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index cffda358a..986d05289 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/22"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 39a9850fe..dae96e801 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
index f2b1052df..162b8f4b1 100644
--- a/rules/windows/lateral_movement_dns_server_overflow.toml
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2022/04/06"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -34,7 +36,7 @@ also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vu
 the source of the incoming traffic and determine if this activity has been observed previously within an environment.
 - Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.
 - Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as
-Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
+Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
 - Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.
 - Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.
@@ -57,7 +59,7 @@ determine the source of the activity and potentially allowlist the source host.
 - Initiate the incident response process based on the outcome of the triage.
 - Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability)
-a registry-based workaround that doesn’t require a restart. This can be used as a temporary solution before the patch is applied.
+a registry-based workaround that doesn’t require a restart. This can be used as a temporary solution before the patch is applied.
 - Maintain backups of your critical systems to aid in quick recovery.
 - Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.
 - If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index e71d29e94..e8f51e328 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/04/12"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 7f643135f..440f51dc0 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/10"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index 275db0008..c443b7b1f 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index af7208993..d2a93a2f2 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index 9a45277bf..285d54702 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2022/01/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 8ec58a746..8373b7e8f 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2022/01/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -32,10 +34,10 @@ sequence by host.id with maxspan = 2s
 /* Excluding Common FPs Nessus and SCCM */
 [process where event.type in ("start", "process_started") and process.parent.name : "WmiPrvSE.exe" and
- not process.args : ("C:\\windows\\temp\\nessus_*.txt",
- "C:\\windows\\TEMP\\nessus_*.TMP",
- "C:\\Windows\\CCM\\SystemTemp\\*",
- "C:\\Windows\\CCMCache\\*",
+ not process.args : ("C:\\windows\\temp\\nessus_*.txt",
+ "C:\\windows\\TEMP\\nessus_*.TMP",
+ "C:\\Windows\\CCM\\SystemTemp\\*",
+ "C:\\Windows\\CCMCache\\*",
 "C:\\CCM\\Cache\\*") ]
 '''
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index 27cb52548..8aebea11f 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index dc983f744..7ca58f872 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/24"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index 8aa1a6fe3..c98bd25bc 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/25"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 93a7d6ca7..873f5fdfa 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/11"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -28,18 +30,18 @@ query = '''
 /* Incoming RDP followed by a new RunMRU string value set to cmd, powershell, taskmgr or tsclient, followed by process execution within 1m */
 sequence by host.id with maxspan=1m
- [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
+ [network where event.type == "start" and process.name : "svchost.exe" and destination.port == 3389 and
 network.direction : ("incoming", "ingress") and network.transport == "tcp" and source.ip != "127.0.0.1" and source.ip != "::1" ]
- [registry where process.name : "explorer.exe" and
+ [registry where process.name : "explorer.exe" and
 registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU\\*") and registry.data.strings : ("cmd.exe*", "powershell.exe*", "taskmgr*", "\\\\tsclient\\*.exe\\*") ]
-
+
 [process where event.type in ("start", "process_started") and
- (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
+ (process.parent.name : ("cmd.exe", "powershell.exe", "taskmgr.exe") or process.args : ("\\\\tsclient\\*.exe")) and
 not process.name : "conhost.exe" ]
 '''
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 33ce418da..7b3d39f6a 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index fde56d87d..073ea9e06 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/16"
 maturity = "production"
-updated_date = "2022/08/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -23,12 +25,12 @@ type = "eql"
 query = '''
 sequence with maxspan=1s
 [network where process.name : "services.exe" and
- network.direction : ("incoming", "ingress") and network.transport == "tcp" and
+ network.direction : ("incoming", "ingress") and network.transport == "tcp" and
 source.port >= 49152 and destination.port >= 49152 and source.ip != "127.0.0.1" and source.ip != "::1" ] by host.id, process.entity_id
- [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and
- not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and
+ [process where event.type in ("start", "process_started") and process.parent.name : "services.exe" and
+ not (process.name : "svchost.exe" and process.args : "tiledatamodelsvc") and
 not (process.name : "msiexec.exe" and process.args : "/V") and
 not process.executable : ("?:\\Windows\\ADCR_Agent\\adcrsvc.exe",
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 24fb688d0..7772d0ac9 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2022/04/06"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -49,7 +51,7 @@ further understand the source of the activity and determine the intent based on
 - Remove scheduled task and any other related artifacts.
 - Review privileged account management and user account management settings. Consider implementing group policy object (GPO) policies to further restrict activity, or configuring settings that only allow administrators to create remote scheduled tasks.
-"""
+"""
 risk_score = 47
 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"
 severity = "medium"
diff --git a/rules/windows/lateral_movement_service_control_spawned_script_int.toml b/rules/windows/lateral_movement_service_control_spawned_script_int.toml
index 2926e729f..1cd9e4563 100644
--- a/rules/windows/lateral_movement_service_control_spawned_script_int.toml
+++ b/rules/windows/lateral_movement_service_control_spawned_script_int.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index c83e5f1c0..cdec153a0 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 1515fcef4..98c55b9c5 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml
index e69db3dea..fe2cbf838 100644
--- a/rules/windows/persistence_ad_adminsdholder.toml
+++ b/rules/windows/persistence_ad_adminsdholder.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/31"
 maturity = "production"
-updated_date = "2022/04/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index afeb0fdc6..8f8ede5f3 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index b2a649d7d..87e6ea6e8 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 3d848d399..bd333a6fa 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index b2c73e2ac..10bda16b9 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index b3b0f594d..0a552d3a9 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/22"
 maturity = "production"
-updated_date = "2022/05/23"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index 3825fa432..8f364e80d 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 359ee3b40..b322eb391 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/08/17"
-min_stack_comments = "EQL regex syntax introduced in 7.12"
-min_stack_version = "7.12.0"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"

 [rule]
 author = ["Elastic"]
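Review bot: The new `min_stack_comments` in the persistence_evasion_registry_ifeo_injection hunk drops the reason the previous floor existed — the `regex~` operator the query relies on needs 7.12 — and while `8.3.0` still satisfies that constraint, the dependency is no longer recorded anywhere in the file, so a later lowering of the floor would silently break the rule. Suggest keeping both reasons in the one string, e.g. `min_stack_comments = "New fields added: required_fields, related_integrations, setup; EQL regex syntax introduced in 7.12"`. The same loss of rationale occurs in persistence_local_scheduled_task_creation (EQL optional fields syntax, 7.16), persistence_registry_uncommon and persistence_run_key_and_startup_broad (comprehensive timeline templates, 8.2+). Separately, the files that previously had no floor gain the three keys in alphabetical order with `updated_date` last, whereas this hunk and the other 9-line hunks put `updated_date` first; picking one order for the whole batch would keep the metadata blocks diff-friendly.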
@@ -28,9 +28,9 @@ type = "eql"
 query = '''
 registry where length(registry.data.strings) > 0 and
- registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
- "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
- "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
+ registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*.exe\\Debugger",
+ "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*\\Debugger",
+ "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess",
 "HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\SilentProcessExit\\*\\MonitorProcess") and
 /* add FPs here */
 not registry.data.strings regex~ ("""C:\\Program Files( \(x86\))?\\ThinKiosk\\thinkiosk\.exe""", """.*\\PSAppDeployToolkit\\.*""")
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 33756adcc..72fc0f118 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml
index 4ec2dfca6..cb007feef 100644
--- a/rules/windows/persistence_gpo_schtask_service_creation.toml
+++ b/rules/windows/persistence_gpo_schtask_service_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml
index 560c30f21..44117c477 100644
--- a/rules/windows/persistence_local_scheduled_job_creation.toml
+++ b/rules/windows/persistence_local_scheduled_job_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml
index 3abb7cd7c..a167b9765 100644
--- a/rules/windows/persistence_local_scheduled_task_creation.toml
+++ b/rules/windows/persistence_local_scheduled_task_creation.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
-updated_date = "2022/04/04"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index c18d24c6f..e691e45ab 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml
index 1133fb27c..b05a57b69 100644
--- a/rules/windows/persistence_ms_office_addins_file.toml
+++ b/rules/windows/persistence_ms_office_addins_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/16"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml
index 059c908b7..d8b6f1cbd 100644
--- a/rules/windows/persistence_ms_outlook_vba_template.toml
+++ b/rules/windows/persistence_ms_outlook_vba_template.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
index 7711fd215..7e53b4f10 100644
--- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
+++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/01/27"
 maturity = "production"
-updated_date = "2022/04/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
index 1db8061ae..25dcc9f80 100644
--- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
+++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/15"
 maturity = "production"
-updated_date = "2022/07/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
index 0a055ef4c..2d708937b 100644
--- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
+++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml
index 9dcc445b9..a88cd84cc 100644
--- a/rules/windows/persistence_registry_uncommon.toml
+++ b/rules/windows/persistence_registry_uncommon.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"

 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ registry where
 "HKLM\\SYSTEM\\ControlSet*\\Control\\BootVerificationProgram\\ImagePath",
 "HKLM\\SYSTEM\\Setup\\CmdLine",
 "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript") and
-
+
 not registry.data.strings : ("C:\\Windows\\system32\\userinit.exe", "cmd.exe", "C:\\Program Files (x86)\\*.exe", "C:\\Program Files\\*.exe") and
 not (process.name : "rundll32.exe" and registry.path : "*\\Software\\Microsoft\\Internet Explorer\\Extensions\\*\\Script") and
diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml
index f09f1290c..bf91a0ed6 100644
--- a/rules/windows/persistence_remote_password_reset.toml
+++ b/rules/windows/persistence_remote_password_reset.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/18"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml
index 28051d02a..4b720ed93 100644
--- a/rules/windows/persistence_run_key_and_startup_broad.toml
+++ b/rules/windows/persistence_run_key_and_startup_broad.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
-min_stack_comments = "Comprehensive timeline templates only available in 8.2+"
-min_stack_version = "8.2"
+updated_date = "2022/08/24"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"

 [rule]
@@ -30,16 +30,16 @@ query = '''
 registry where registry.data.strings != null and
 registry.path : (
 /* Machine Hive */
- "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
- "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
+ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
- "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
- "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
+ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
+ "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
 /* Users Hive */
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*",
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\*",
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*"
 ) and
 /* add common legitimate changes without being too restrictive as this is one of the most abused AESPs */
diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
index 69a428737..7f1ef22d7 100644
--- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
+++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/03/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index 3d49f5d77..fc12dcdcb 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/24"
 maturity = "production"
-updated_date = "2022/06/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml
index 06ecd712b..9a42da61f 100644
--- a/rules/windows/persistence_services_registry.toml
+++ b/rules/windows/persistence_services_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index a36c9a584..e0b15ff8d 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
index 80e81892e..b6ebd0323 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2022/08/17"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -71,7 +73,7 @@ malware components.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-"""
+"""
 risk_score = 47
 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f"
 severity = "medium"
@@ -82,15 +84,15 @@ query = '''
 sequence by host.id, process.entity_id with maxspan=5s
 [process where event.type in ("start", "process_started") and process.code_signature.trusted == false and
 /* suspicious paths can be added here */
- process.executable : ("C:\\Users\\*.exe",
- "C:\\ProgramData\\*.exe",
- "C:\\Windows\\Temp\\*.exe",
- "C:\\Windows\\Tasks\\*.exe",
- "C:\\Intel\\*.exe",
+ process.executable : ("C:\\Users\\*.exe",
+ "C:\\ProgramData\\*.exe",
+ "C:\\Windows\\Temp\\*.exe",
+ "C:\\Windows\\Tasks\\*.exe",
+ "C:\\Intel\\*.exe",
 "C:\\PerfLogs\\*.exe") ]
 [file where event.type != "deletion" and user.domain != "NT AUTHORITY" and
- file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
+ file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
 "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*") ]
 '''
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 4ca25716e..93a1c1e75 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 53ce2d3d0..c8b7ff074 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index 18f8d8db4..d0f23ab06 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index 757184991..10e4e202a 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2022/08/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml
index 9315c24f1..3867e7951 100644
--- a/rules/windows/persistence_suspicious_service_created_registry.toml
+++ b/rules/windows/persistence_suspicious_service_created_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index f92ac6ca9..9f6c2aa4b 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml
index 09aa535f6..acf6d3330 100644
--- a/rules/windows/persistence_time_provider_mod.toml
+++ b/rules/windows/persistence_time_provider_mod.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/19"
 maturity = "production"
-updated_date = "2022/02/28"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index a4d154837..120788fff 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/09"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic", "Skoetting"]
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index ea713ca4d..fe1d13385 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index 96c0218b4..6dd409978 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "development"
-updated_date = "2022/04/13"
+updated_date = "2022/08/24"

 [rule]
 author = ["Skoetting"]
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 355869f27..ada05a00f 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index 84f48f3f8..fd414d53d 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 60d217ff9..fe1983570 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/15"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 6ae200217..115c37e1b 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index 6fc02c637..5ac2cdb8a 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index dc0524bd6..e12d50884 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2022/08/03"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index e4549f5bd..bda788a0d 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/12/04"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
index 69663f8c9..e17ef2cd6 100644
--- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
+++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"

 [rule]
 author = ["Elastic"]
@@ -23,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where
+registry where
 registry.data.strings != null and process.name : "WmiPrvSe.exe" and
 registry.path : (
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\*",
@@ -37,18 +39,18 @@ registry where
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\*",
 "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ServiceDLL",
 "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\ImagePath",
- "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
- "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
- "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
+ "HKEY_USERS\\*\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\\*",
+ "HKEY_USERS\\*\\Environment\\UserInitMprLogonScript",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Shell",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logoff\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Logon\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Shutdown\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\Scripts\\Startup\\Script",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Ctf\\LangBarAddin\\*\\FilePath",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Exec",
+ "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\*\\Script",
 "HKEY_USERS\\*\\SOFTWARE\\Microsoft\\Command Processor\\Autorun"
 )
 '''
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index f35db5c32..77f61da2f 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/08/24"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index cf600e0a3..f487637af 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/20"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index afbc05d74..5ae6566ba 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index b56a7fcaf..59d740fa1 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/03/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 82f314a47..3e7651f6d 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/11/08"
 maturity = "production"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index faeb8989e..d4f0f1803 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/11/25"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
-updated_date = "2022/05/09"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
index b2fbedc4d..f944d9ee6 100644
--- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/04/27"
 maturity = "production"
-updated_date = "2022/04/27"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 0d33aa979..1f98312c7 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 8ef1ebecc..cf7755f29 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/23"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 1d47d7423..bc8be58ee 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/01/07"
 maturity = "production"
-updated_date = "2022/08/02"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index bbc327c47..9b97e46ab 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/01/21"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index 2a7365899..3f477aa0f 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/26"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index b444af272..316b360f0 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 4952c61bd..3e0f3bc2d 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/07/06"
 maturity = "production"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index af56fb238..7989ea55e 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 791707ea0..383a55656 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/26"
 maturity = "production"
-updated_date = "2022/02/14"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -23,7 +25,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USERS\\*\\Environment\\systemroot") and
+registry where registry.path : ("HKEY_USERS\\*\\Environment\\windir", "HKEY_USERS\\*\\Environment\\systemroot") and
 not registry.data.strings : ("C:\\windows", "%SystemRoot%")
 '''
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index 8d32b4342..d3048f7ec 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/12/12"
 maturity = "production"
-updated_date = "2022/04/13"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
index e773941b6..84142a0d9 100644
--- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/05/11"
 maturity = "production"
-updated_date = "2022/05/11"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index 70a509e6e..8e9308778 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index e02bb7e96..43f649f51 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/11/03"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index d1dfe81db..6c472be60 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index ee62820a9..90515eff7 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index 3dc01cfe0..5db14e805 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/27"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index e2bec86f9..301fdcbbf 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/03/17"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -18,9 +20,9 @@ note = """## Triage and analysis
 ### Investigating Bypass UAC via Event Viewer
-Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
+Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
 to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
-UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
+UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
 local administrators group and enter an administrator password when prompted.
 For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 7ebe8c35e..a017669d4 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/26"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -18,9 +20,9 @@ note = """## Triage and analysis
 ### Investigating UAC Bypass Attempt via Windows Directory Masquerading
-Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
+Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
 to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
-UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
+UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
 local administrators group and enter an administrator password when prompted.
 For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 68ea244d1..7a1832eac 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/14"
 maturity = "production"
-updated_date = "2022/07/22"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
@@ -18,9 +20,9 @@ note = """## Triage and analysis
 ### Investigating UAC Bypass via Windows Firewall Snap-In Hijack
-Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
+Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as low to high integrity levels)
 to perform a task under administrator-level permissions, possibly by prompting the user for confirmation.
-UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
+UAC can deny an operation under high-integrity enforcement, or allow the user to perform the action if they are in the
 local administrators group and enter an administrator password when prompted.
 For more information about the UAC and how it works, check the [official Microsoft docs page](https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works).
diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml
index bc9b37269..a872c120c 100644
--- a/rules/windows/privilege_escalation_uac_sdclt.toml
+++ b/rules/windows/privilege_escalation_uac_sdclt.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/08/03"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index ee4a4b19f..d6c7b8bcf 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/07/05"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index 5d80bc710..dede16941 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2021/07/06"
 maturity = "production"
-min_stack_comments = "EQL optional fields syntax was not introduced until 7.16"
-min_stack_version = "7.16.0"
-updated_date = "2022/04/20"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index b2bfcc6f0..5d37f4728 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2020/10/13"
 maturity = "production"
-updated_date = "2022/08/01"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index 03e0c4740..8791d7dc9 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2021/10/13"
 maturity = "production"
-updated_date = "2022/03/31"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 4f186739d..1c06a4cad 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -1,7 +1,9 @@
 [metadata]
 creation_date = "2022/02/07"
 maturity = "production"
-updated_date = "2022/02/07"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml
index 6d1ee32d2..cdbcb473a 100644
--- a/rules/windows/privilege_escalation_wpad_exploitation.toml
+++ b/rules/windows/privilege_escalation_wpad_exploitation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/02"
 maturity = "development"
-updated_date = "2021/10/13"
+updated_date = "2022/08/24"
 [rule]
 author = ["Elastic"]