From 5589c47eab9128fd18e776b7d9da5705d602d149 Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Tue, 7 Dec 2021 15:42:58 -0900
Subject: [PATCH] [Rule Tuning] updates from documentation review for 7.16 (#1645)
(cherry picked from commit 14c46f50b941b2faec226776ec707817ac837c9e)
---
 .../aws/exfiltration_rds_snapshot_restored.toml | 2 +-
 .../impact_aws_eventbridge_rule_disabled_or_deleted.toml | 4 ++--
 .../azure/defense_evasion_kubernetes_events_deleted.toml | 2 +-
 .../integrations/azure/impact_kubernetes_pod_deleted.toml | 3 ++-
 .../impact_gcp_virtual_private_cloud_route_created.toml | 8 ++++----
 ...pact_microsoft_365_mass_download_by_a_single_user.toml | 2 +-
 ...mpact_microsoft_365_potential_ransomware_activity.toml | 3 ++-
 rules/promotions/endgame_ransomware_detected.toml | 2 +-
 rules/promotions/endgame_ransomware_prevented.toml | 2 +-
 rules/windows/collection_posh_audio_capture.toml | 2 +-
 ...ntial_access_potential_lsa_memdump_via_mirrordump.toml | 2 +-
 rules/windows/defense_evasion_dns_over_https_enabled.toml | 6 +++---
 ...e_evasion_execution_control_panel_suspicious_args.toml | 2 +-
 ..._evasion_suspicious_process_access_direct_syscall.toml | 2 +-
 .../windows/discovery_posh_suspicious_api_functions.toml | 4 ++--
 rules/windows/execution_posh_portable_executable.toml | 6 +++---
 rules/windows/impact_backup_file_deletion.toml | 2 +-
 17 files changed, 28 insertions(+), 26 deletions(-)
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
index b2c6791de..d2fc0591a 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -7,7 +7,7 @@ integration = "aws"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when an attempt was made to restored RDS Snapshot. Snapshots are sometimes shared by threat actors in order to
+Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to
 exfiltrate bulk data. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account.
 """
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index 0efa95cf8..de722d344 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -7,8 +7,8 @@ integration = "aws"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when a user disabled or deleted an EventBridge rule. This activity can result in an unintended loss of
-visibility in applications or breaking the flow with other AWS services.
+Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of
+visibility in applications or a break in the flow with other AWS services.
 """
 false_positives = [
 """
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index 57f67d2f7..678f46355 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -7,7 +7,7 @@ integration = "azure"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when Events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes.
+Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes.
 Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
 """
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index bf4a4cce8..8ec515650 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -7,7 +7,8 @@ integration = "azure"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies the deletion of Azure Kubernetes Pods. Adversary may delete a kubernetes pod to disrupt the normal behavior of the environment.
+Identifies the deletion of Azure Kubernetes Pods. Adversaries may delete a Kubernetes pod to disrupt the normal behavior
+of the environment.
 """
 false_positives = [
 """
diff --git a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
index 766848a51..d37ca04ff 100644
--- a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
@@ -7,10 +7,10 @@ integration = "gcp"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when a Virtual Private Cloud (VPC) route is created in Google Cloud Platform (GCP). Google Cloud routes
-define the paths that network traffic takes from a virtual machine (VM) instance to other destinations. These
-destinations can be inside a Google VPC network or outside it. An adversary may create a route in order to impact the
-flow of network traffic in their target's cloud environment.
+Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP).
+Google Cloud routes define the paths that network traffic takes from a virtual machine (VM) instance to other
+destinations. These destinations can be inside a Google VPC network or outside it. An adversary may create a route in
+order to impact the flow of network traffic in their target's cloud environment.
 """
 false_positives = [
 """
diff --git a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
index 212fe095a..9f81dca00 100644
--- a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
+++ b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
@@ -7,7 +7,7 @@ integration = "o365"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when Microsoft Cloud App Security reported when a single user performs more than 50 downloads within 1 minute.
+Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute.
 """
 false_positives = ["Unknown"]
 from = "now-30m"
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index 9abce4f0b..4fd3ff33f 100644
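Review bot: The new first description line in impact_gcp_virtual_private_cloud_route_created.toml duplicates the phrase — `Identifies when a Virtual Private Cloud a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP).` — so the text analysts will see for this rule is ungrammatical. The intent appears to be the lower-cased wording replacing the old capitalised one, not both; change the line to `Identifies when a virtual private cloud (VPC) route is created in Google Cloud Platform (GCP).` The three following lines were re-wrapped around the longer text and will likely need re-wrapping once the duplicate is removed.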
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
@@ -7,7 +7,8 @@ integration = "o365"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when Microsoft Cloud App Security reported when a user uploads files to the cloud that might be infected with ransomware.
+Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected
+with ransomware.
 """
 false_positives = [
 """
diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml
index b8d82168e..efa19dbb1 100644
--- a/rules/promotions/endgame_ransomware_detected.toml
+++ b/rules/promotions/endgame_ransomware_detected.toml
@@ -6,7 +6,7 @@ updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endgame detected Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
+Elastic Endgame detected ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
 rule.reference column for additional information.
 """
 from = "now-15m"
diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml
index bc51d8e23..c2a3b0242 100644
--- a/rules/promotions/endgame_ransomware_prevented.toml
+++ b/rules/promotions/endgame_ransomware_prevented.toml
@@ -6,7 +6,7 @@ updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endgame prevented Ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
+Elastic Endgame prevented ransomware. Click the Elastic Endgame icon in the event.module column or the link in the
 rule.reference column for additional information.
 """
 from = "now-15m"
diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml
index d671639b0..d9c3c5934 100644
--- a/rules/windows/collection_posh_audio_capture.toml
+++ b/rules/windows/collection_posh_audio_capture.toml
@@ -6,7 +6,7 @@ updated_date = "2021/10/19"
 [rule]
 author = ["Elastic"]
 description = """
-Detects PowerShell Scripts that can record audio, a common feature in popular post-exploitation tooling.
+Detects PowerShell scripts that can record audio, a common feature in popular post-exploitation tooling.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*"]
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index 9bfa6099c..194fdc204 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -7,7 +7,7 @@ updated_date = "2021/09/27"
 author = ["Elastic"]
 description = """
 Identifies suspicious access to an LSASS handle via DuplicateHandle from an unknown call trace module.
-This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump Lsass memory
+This may indicate an attempt to bypass the NtOpenProcess API to evade detection and dump LSASS memory
 for credential access.
 """
 from = "now-9m"
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 49e54c4f4..5a8ceecd3 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -5,9 +5,9 @@ updated_date = "2021/10/15"
 [rule]
 author = ["Austin Songer"]
-description = """Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or be used to hide
-the process of exfiltrating data. With this enabled organization will lose visibility into data such as query type, response
-and originating IP that are used to determine bad actors."""
+description = """Identifies when a user enables DNS-over-HTTPS. This can be used to hide internet activity or
+the process of exfiltrating data. With this enabled, an organization will lose visibility into data such as query type,
+response, and originating IP, which are used to determine bad actors."""
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 884e1636b..0e034e975 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -7,7 +7,7 @@ updated_date = "2021/09/08"
 author = ["Elastic"]
 description = """
 Identifies unusual instances of Control Panel with suspicious keywords or paths in the process command line value.
-Adversaries may abuse Control.exe to proxy execution of malicious code.
+Adversaries may abuse control.exe to proxy execution of malicious code.
 """
 from = "now-9m"
 index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index 3621e7ec3..3d16b4d31 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -6,7 +6,7 @@ updated_date = "2021/10/11"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies suspicious process access events from unknown memory region. Endpoint security solutions usually hook userland
+Identifies suspicious process access events from an unknown memory region. Endpoint security solutions usually hook userland
 Windows APIs in order to decide if the code that is being executed is malicious or not. It's possible to bypass hooked functions by writing malicious functions that call syscalls directly.
 """
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index 822032c68..efcecc666 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -6,9 +6,9 @@ updated_date = "2021/10/14"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the use of discovery-related Windows API Functions in Powershell Scripts. Attackers can use these
+This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these
 functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain
-trusts, groups, etc.,
+trusts, groups, etc.
 """
 false_positives = ["Legitimate Powershell Scripts that make use of these Functions"]
 from = "now-9m"
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index a0a2494ce..d1e82fbaf 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
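Review bot: `in PowerShell Scripts.` on the new first description line of discovery_posh_suspicious_api_functions.toml keeps a capitalised `Scripts`, although the same commit lowercases that word in collection_posh_audio_capture.toml and execution_posh_portable_executable.toml; for consistency make it `in PowerShell scripts.` The unchanged `false_positives` context line in this hunk still reads `Legitimate Powershell Scripts that make use of these Functions`, so the `Powershell` spelling and the capitalised `Functions` that the commit fixes in the description survive one line below; it seems worth aligning in the same pass. The `This rule detects` opener is dropped from execution_posh_portable_executable.toml in this commit but kept here.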
@@ -6,9 +6,9 @@ updated_date = "2021/10/15"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects the presence of Portable Executables in a PowerShell Script by Looking for its encoded header.
-Attackers embed PEs into PowerShell Scripts for Injecting them into the memory, avoiding defenses by not writing to
-disk.,
+Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header.
+Attackers embed PEs into PowerShell scripts for injecting them into the memory, avoiding defenses by not writing to
+disk.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-windows.*"]
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 83ea7352b..212108d8b 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -7,7 +7,7 @@ updated_date = "2021/10/01"
 author = ["Elastic"]
 description = """
 Identifies the deletion of backup files, saved using third-party software, by a process outside of the backup suite.
-Adversaries may delete Backup files to ensure that recovery from a Ransomware attack is less likely.
+Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.
 """
 false_positives = [
 "Certain utilities that delete files for disk cleanup or Administrators manually removing backup files.",
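Review bot: The new first line of execution_posh_portable_executable.toml, `Detects the presence of portable executables (PE) in a PowerShell script by looking for its encoded header.`, pairs a plural subject with the singular `its`; `Detects the presence of a portable executable (PE) in a PowerShell script by looking for its encoded header.` keeps number agreement and matches the singular abbreviation. On the following new line, `into the memory` is not idiomatic English; `into memory` is the usual form. Both points are wording only; the hunk touches no query or index fields.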
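Review bot: In impact_backup_file_deletion.toml the new line `Adversaries may delete Backup files to ensure that recovery from a ransomware attack is less likely.` lowercases `ransomware` but leaves `Backup` capitalised mid-sentence, which the unchanged first description line (`deletion of backup files`) does not do. `Adversaries may delete backup files to ensure that recovery from a ransomware attack is less likely.` makes the two lines consistent with each other and with the casing pass the commit applies elsewhere.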