diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index f3a188702..e1dd12302 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/19" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/11" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -62,6 +62,8 @@ references = [ "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", + "https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", + "https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046" ] risk_score = 47 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150" diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml index 3db4bdf1c..a192037bc 100644 --- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml +++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml @@ -3,7 +3,7 @@ creation_date = "2021/12/10" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -20,6 +20,8 @@ references = [ "https://www.lunasec.io/docs/blog/log4j-zero-day/", "https://github.com/christophetd/log4shell-vulnerable-app", "https://www.blackhat.com/docs/us-16/materials/us-16-Munoz-A-Journey-From-JNDI-LDAP-Manipulation-To-RCE.pdf", +"https://www.elastic.co/security-labs/detecting-log4j2-with-elastic-security", +"https://www.elastic.co/security-labs/analysis-of-log4shell-cve-2021-45046" ] risk_score = 73 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86" diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml index 1c96a5a39..a2d1c4bc3 100644 --- a/rules/integrations/azure/credential_access_key_vault_modified.toml +++ b/rules/integrations/azure/credential_access_key_vault_modified.toml @@ -3,7 +3,7 @@ creation_date = "2020/08/31" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "azure" [rule] @@ -31,6 +31,7 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re references = [ "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts", "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault", + "https://www.elastic.co/security-labs/detect-credential-access" ] risk_score = 47 rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec" diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml index db75e5ba6..02a9b544c 100644 --- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml +++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -22,6 +22,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 73 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0" diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index 90aa3dc19..28b89e1ba 100644 --- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -3,7 +3,7 @@ creation_date = "2020/08/19" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -24,6 +24,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49" diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml index 2c8321700..caa4d0978 100644 --- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml +++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml @@ -3,7 +3,7 @@ creation_date = "2022/01/05" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -20,7 +20,9 @@ name = "Potential Abuse of Repeated MFA Push Notifications" note = """## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" -references = ["https://www.mandiant.com/resources/russian-targeting-gov-business"] +references = [ + "https://www.mandiant.com/resources/russian-targeting-gov-business", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy"] risk_score = 73 rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7" severity = "high" diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml index a07fcb683..233c3a800 100644 --- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml +++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -3,7 +3,7 @@ creation_date = "2020/07/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -29,6 +29,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0" diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml index de88ffbe2..c9e085d3b 100644 --- a/rules/integrations/okta/credential_access_user_impersonation_access.toml +++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml @@ -3,7 +3,7 @@ creation_date = "2022/03/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -23,7 +23,8 @@ note = """## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ - "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/" + "https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 73 rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911" diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml index ddab4460c..6b5bf4746 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -30,6 +30,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1" diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml index 4df86f540..700417ccd 100644 --- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -30,6 +30,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml index 171bf646b..d8f9a2486 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -30,6 +30,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 21 rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml index d2f8fae7f..742198ea8 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -29,6 +29,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml index bc6f8ab4d..1b5356484 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/28" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -30,6 +30,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml index 8cb518195..e7490aac6 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -29,6 +29,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 21 rule_id = "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml index 4553719ba..da64de063 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -30,6 +30,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml index 3fba102b2..99c6fdf4e 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -29,6 +29,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 21 rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml index 37e6f8283..5ea532d50 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -29,6 +29,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 21 rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19" diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml index 6156e8d08..68945d0bb 100644 --- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml +++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml @@ -3,7 +3,7 @@ creation_date = "2020/08/19" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -31,6 +31,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457" diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml index 444e8e42e..ee336333f 100644 --- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml +++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -28,6 +28,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 21 rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7" diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml index 35d8d8d82..b67da8f34 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -29,6 +29,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 21 rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a" diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml index 2c316553c..f169f9539 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -28,6 +28,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 21 rule_id = "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f" diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml index e9ffbb65d..c2493af91 100644 --- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml +++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -29,6 +29,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 21 rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09" diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml index 950fc727c..b9277d6b9 100644 --- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml +++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -22,6 +22,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68" diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml index 03103d0b2..047e03376 100644 --- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml +++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml @@ -3,7 +3,7 @@ creation_date = "2021/05/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -16,6 +16,11 @@ name = "Unauthorized Access to an Okta Application" note = """## Setup The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = [ + "https://developer.okta.com/docs/reference/api/system-log/", + "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" +] risk_score = 21 rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613" severity = "low" diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml index 0ba6ac995..f16428de8 100644 --- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml +++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -23,6 +23,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588" diff --git a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml index d941e1b94..78b9db895 100644 --- a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml +++ b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -23,6 +23,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9" diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml index 1c259181d..9c0d4498f 100644 --- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml +++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -30,6 +30,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "b8075894-0b62-46e5-977c-31275da34419" diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml index 1109d2395..f4ea1d94d 100644 --- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml +++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -30,6 +30,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71" diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml index 88040f181..b5ad97af3 100644 --- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml +++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -29,6 +29,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5" diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml index b6f58c794..8a6d67b6d 100644 --- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml +++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/20" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -28,6 +28,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 21 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8" diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index c908c955a..3b026c2e5 100644 --- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -3,7 +3,7 @@ creation_date = "2020/05/21" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -29,6 +29,7 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req references = [ "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 21 rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181" diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index e0db1ed9c..637118da2 100644 --- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml @@ -3,7 +3,7 @@ creation_date = "2020/07/01" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" integration = "okta" [rule] @@ -29,6 +29,7 @@ references = [ "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm", "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy" ] risk_score = 47 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe" diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 7b037a18b..272d9a7b5 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -3,7 +3,7 @@ creation_date = "2022/05/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/11" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -81,6 +81,7 @@ references = [ "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" ] risk_score = 47 rule_id = "cac91072-d165-11ec-a764-f661ea17fbce" diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index 8a11f126d..5f75feb51 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -3,7 +3,7 @@ creation_date = "2022/05/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -35,6 +35,7 @@ references = [ "https://www.sandflysecurity.com/blog/linux-file-masquerading-and-malicious-pids-sandfly-1-2-6-update/", "https://twitter.com/GossiTheDog/status/1522964028284411907", "https://exatrack.com/public/Tricephalic_Hellkeeper.pdf", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" ] risk_score = 73 rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce" diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index 916fea94f..780b301e7 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -3,7 +3,7 @@ creation_date = "2022/05/10" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -27,6 +27,7 @@ name = "Binary Executed from Shared Memory Directory" references = [ "https://linuxsecurity.com/features/fileless-malware-on-linux", "https://twitter.com/GossiTheDog/status/1522964028284411907", + "https://www.elastic.co/security-labs/a-peek-behind-the-bpfdoor" ] risk_score = 73 rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce" diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index 8d9010b79..670c3fd7d 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/11" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -71,7 +71,9 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ -references = ["https://pentestlab.blog/tag/web-shell/"] +references = [ + "https://pentestlab.blog/tag/web-shell/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965"] risk_score = 47 rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb" severity = "medium" diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index 589f986e4..669556046 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml +++ b/rules/ml/execution_ml_windows_anomalous_script.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/03/25" maturity = "production" -updated_date = "2022/08/24" +updated_date = "2022/11/07" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -23,7 +23,9 @@ interval = "15m" license = "Elastic License v2" machine_learning_job_id = ["v3_windows_anomalous_script"] name = "Suspicious Powershell Script" -references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"] +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://www.elastic.co/security-labs/detecting-living-off-the-land-attacks-with-new-elastic-integration"] risk_score = 21 rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6" severity = "low" diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml index 64a54d756..cd9da9842 100644 --- a/rules/network/command_and_control_cobalt_strike_beacon.toml +++ b/rules/network/command_and_control_cobalt_strike_beacon.toml @@ -3,7 +3,7 @@ creation_date = "2020/07/06" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -29,6 +29,7 @@ This activity has been observed in FIN7 campaigns.""" references = [ "https://blog.morphisec.com/fin7-attacks-restaurant-industry", "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html", + "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack" ] risk_score = 73 rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c" diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml index d98a18edd..3b09d7fa2 100644 --- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml +++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml @@ -3,7 +3,7 @@ creation_date = "2020/10/05" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -28,6 +28,7 @@ references = [ "https://www.elastic.co/guide/en/beats/packetbeat/current/configuration-tls.html", "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-suricata.html", "https://www.elastic.co/guide/en/beats/filebeat/7.9/filebeat-module-zeek.html", + "https://www.elastic.co/security-labs/collecting-cobalt-strike-beacons-with-the-elastic-stack" ] risk_score = 99 rule_id = "e7075e8d-a966-458e-a183-85cd331af255" diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 4b27173b9..e15f20b3f 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/24" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/11/07" [rule] author = ["Elastic", "Austin Songer"] @@ -24,6 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version references = [ "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy", + "https://www.elastic.co/security-labs/detect-credential-access" ] risk_score = 73 rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f" diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index 2deb0e17e..a6093cab4 100644 --- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/23" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -67,6 +67,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version """ references = [ "https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8", + "https://www.elastic.co/security-labs/detect-credential-access" ] risk_score = 73 rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8" diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml index ab185579e..8ed3118d7 100644 --- a/rules/windows/credential_access_lsass_memdump_handle_access.toml +++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml @@ -3,7 +3,7 @@ creation_date = "2022/02/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -102,7 +102,8 @@ references = [ "https://twitter.com/jsecurity101/status/1227987828534956033?s=20", "https://attack.mitre.org/techniques/T1003/001/", "https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html", - "http://findingbad.blogspot.com/2017/" + "http://findingbad.blogspot.com/2017/", + "https://www.elastic.co/security-labs/detect-credential-access" ] risk_score = 73 rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de" diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index fb2e257b9..f28d3f271 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -3,7 +3,7 @@ creation_date = "2020/08/31" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -70,6 +70,9 @@ mean time to respond (MTTR). If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ +references = [ + "https://www.elastic.co/security-labs/detect-credential-access" +] risk_score = 73 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6" severity = "high" diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index 681aa3fd4..06bb5f665 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml @@ -3,7 +3,7 @@ creation_date = "2020/12/07" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -99,6 +99,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo references = [ "https://attack.mitre.org/software/S0002/", "https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access" ] risk_score = 73 rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46" diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index ac3a5c1ca..862c19cd7 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/19" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -83,6 +83,7 @@ references = [ "https://www.csoonline.com/article/3438824/how-to-detect-and-halt-credential-theft-via-windows-wdigest.html", "https://www.praetorian.com/blog/mitigating-mimikatz-wdigest-cleartext-credential-theft?edition=2019", "https://frsecure.com/compromised-credentials-response-playbook", + "https://www.elastic.co/security-labs/detect-credential-access" ] risk_score = 73 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5" diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml index 8297c5d38..22defdc09 100644 --- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml +++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml @@ -3,7 +3,7 @@ creation_date = "2022/02/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/26" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -61,6 +61,9 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://www.elastic.co/security-labs/detect-credential-access" +] risk_score = 47 rule_id = "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494" severity = "medium" diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml index 23d8ae2ac..ab8409737 100644 --- a/rules/windows/credential_access_remote_sam_secretsdump.toml +++ b/rules/windows/credential_access_remote_sam_secretsdump.toml @@ -3,7 +3,7 @@ creation_date = "2022/03/01" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/26" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -68,7 +68,9 @@ collected from the host for this detection to work. If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ -references = ["https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py"] +references = [ + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", + "https://www.elastic.co/security-labs/detect-credential-access"] risk_score = 73 rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8" severity = "high" diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml index 035eb9d1c..af16bd419 100644 --- a/rules/windows/credential_access_saved_creds_vault_winlog.toml +++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml @@ -3,7 +3,7 @@ creation_date = "2022/08/30" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/30" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -21,7 +21,9 @@ note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ -references = ["https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382",] +references = [ + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=5382", + "https://www.elastic.co/security-labs/detect-credential-access"] risk_score = 47 rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96" severity = "medium" diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml index 3a52dd7dc..eba480d61 100644 --- a/rules/windows/credential_access_saved_creds_vaultcmd.toml +++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml @@ -3,7 +3,7 @@ creation_date = "2021/01/19" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/27" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -24,6 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version references = [ "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://web.archive.org/web/20201004080456/https://rastamouse.me/blog/rdp-jump-boxes/", + "https://www.elastic.co/security-labs/detect-credential-access" ] risk_score = 47 rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81" diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml index ebc49b167..62598030d 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml @@ -3,7 +3,7 @@ creation_date = "2021/10/07" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -22,6 +22,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version """ references = [ "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://www.elastic.co/security-labs/detect-credential-access" ] risk_score = 73 rule_id = "9960432d-9b26-409f-972b-839a959e79e2" diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index 1e30dbf2e..0a514de0f 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml @@ -3,7 +3,7 @@ creation_date = "2022/02/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -89,6 +89,7 @@ Special Logon (Success) references = [ "https://github.com/mpgn/BackupOperatorToDA", "https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp", + "https://www.elastic.co/security-labs/detect-credential-access" ] risk_score = 47 rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2" diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index 177931b97..50062e1c3 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -3,7 +3,7 @@ creation_date = "2021/10/14" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -86,6 +86,7 @@ references = [ "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-PSInject.ps1", "https://github.com/EmpireProject/Empire/blob/master/data/module_source/management/Invoke-ReflectivePEInjection.ps1", "https://github.com/BC-SECURITY/Empire/blob/master/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1", + "https://www.elastic.co/security-labs/detect-credential-access" ] risk_score = 73 rule_id = "2e29e96a-b67c-455a-afe4-de6183431d0d" diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml index c3d3f03f9..ec6605555 100644 --- a/rules/windows/impact_stop_process_service_threshold.toml +++ b/rules/windows/impact_stop_process_service_threshold.toml @@ -3,7 +3,7 @@ creation_date = "2020/12/03" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -56,6 +56,9 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). """ +references = [ + "https://www.elastic.co/security-labs/luna-ransomware-attack-pattern" +] risk_score = 47 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c" severity = "medium" diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 8a2207a81..78d1d11a6 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -79,6 +79,9 @@ mean time to respond (MTTR). If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ +references = [ + "https://www.elastic.co/blog/vulnerability-summary-follina" +] risk_score = 47 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f" severity = "medium" diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml index 0656e96af..a5b2851d5 100644 --- a/rules/windows/initial_access_unusual_dns_service_children.toml +++ b/rules/windows/initial_access_unusual_dns_service_children.toml @@ -3,7 +3,7 @@ creation_date = "2020/07/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -81,6 +81,7 @@ references = [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" ] risk_score = 73 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45" diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml index 02884a3ac..32e5bb38d 100644 --- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml +++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml @@ -3,7 +3,7 @@ creation_date = "2020/07/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -30,6 +30,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version references = [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" ] risk_score = 73 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9" diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml index 3803cb4ce..15a149e5f 100644 --- a/rules/windows/lateral_movement_dns_server_overflow.toml +++ b/rules/windows/lateral_movement_dns_server_overflow.toml @@ -3,7 +3,7 @@ creation_date = "2020/07/16" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/13" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -68,6 +68,7 @@ references = [ "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/", "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/", "https://github.com/maxpl0it/CVE-2020-1350-DoS", + "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability" ] risk_score = 47 rule_id = "11013227-0301-4a8c-b150-4db924484475" diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index a167b9765..0724f5ef4 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml +++ b/rules/windows/persistence_local_scheduled_task_creation.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -17,6 +17,10 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Local Scheduled Task Creation" +references = [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-2" + ] risk_score = 21 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a" severity = "low" diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml index b179726ad..a196d45c0 100644 --- a/rules/windows/persistence_remote_password_reset.toml +++ b/rules/windows/persistence_remote_password_reset.toml @@ -3,7 +3,7 @@ creation_date = "2021/10/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/26" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -21,6 +21,7 @@ references = [ "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4724", "https://stealthbits.com/blog/manipulating-user-passwords-with-mimikatz/", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx", + "https://www.elastic.co/security-labs/detect-credential-access" ] risk_score = 47 rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450" diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index 85f4569ad..cd35ed678 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml @@ -3,7 +3,7 @@ creation_date = "2020/11/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/20" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -77,6 +77,9 @@ mean time to respond (MTTR). If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ +references = [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" +] risk_score = 47 rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde" severity = "medium" diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml index dfe2ad4fe..daeeb9a00 100644 --- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml +++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml @@ -3,7 +3,7 @@ creation_date = "2020/12/04" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/09/15" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -21,6 +21,9 @@ note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ +references= [ + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" +] risk_score = 21 rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c" severity = "low" diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml index e17ef2cd6..68e397ccb 100644 --- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml +++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml @@ -3,7 +3,7 @@ creation_date = "2021/03/15" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -16,7 +16,9 @@ index = ["logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Persistence via WMI Standard Registry Provider" -references = ["https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov"] +references = [ + "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1"] risk_score = 73 rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6" severity = "high" diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml index 3e7325f4f..07e133f83 100644 --- a/rules/windows/persistence_webshell_detection.toml +++ b/rules/windows/persistence_webshell_detection.toml @@ -3,7 +3,7 @@ creation_date = "2021/08/24" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/10/11" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -79,6 +79,8 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version """ references = [ "https://www.microsoft.com/security/blog/2020/02/04/ghost-in-the-shell-investigating-web-shell-attacks/", + "https://www.elastic.co/security-labs/elastic-response-to-the-the-spring4shell-vulnerability-cve-2022-22965", + "https://www.elastic.co/security-labs/hunting-for-persistence-using-elastic-security-part-1" ] risk_score = 73 rule_id = "2917d495-59bd-4250-b395-c29409b76086" diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index 5db14e805..6b281c3ec 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml @@ -3,7 +3,7 @@ creation_date = "2020/10/27" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/08/24" +updated_date = "2022/11/07" [rule] author = ["Elastic"] @@ -20,7 +20,9 @@ note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ -references = ["https://github.com/hfiref0x/UACME"] +references = [ + "https://github.com/hfiref0x/UACME", + "https://www.elastic.co/security-labs/exploring-windows-uac-bypasses-techniques-and-detection-strategies"] risk_score = 73 rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3" severity = "high"