[Tuning] Add logs-panw.panos index to Network rules (#4089)

* [Tuning] Add logs-panw.panos index to Network rules

https://github.com/elastic/detection-rules/issues/3998

This PR adds the PANOS traffic index `.ds-logs-panw.panos-default-*` to the network rules whose fields are compatible with it.

* add tag and integration

* Update command_and_control_fin7_c2_behavior.toml

* Build Manifest and Schema for panw integration

* Update definitions.py

* Update definitions.py

* Fix definitions declaration

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
This commit is contained in:
Samirbous
2024-09-19 08:01:44 +01:00
committed by GitHub
parent df31c002ca
commit 5e0fb4a63e
17 changed files with 58 additions and 53 deletions
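--- a/definitions.py
+++ b/definitions.py
@@ -78,7 +78,8 @@ NON_DATASET_PACKAGES = ['apm',
 'windows',
 'sentinel_one_cloud_funnel',
 'ti_rapid7_threat_command',
-'m365_defender']
+'m365_defender',
+'panw']
 NON_PUBLIC_FIELDS = {
 "related_integrations": (Version.parse('8.3.0'), None),
 "required_fields": (Version.parse('8.3.0'), None),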
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/08/02"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "Accepted Default Telnet Port Connection"
@@ -35,6 +35,7 @@ tags = [
"Tactic: Command and Control",
"Tactic: Lateral Movement",
"Tactic: Initial Access",
"Data Source: PAN-OS"
]
timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
timeline_title = "Comprehensive Network Timeline"
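Review bot: The index widening on line 60 cannot be checked against the rule's `query`, which lies outside both hunks, so whether PAN-OS traffic documents carry the fields this KQL filters on is not verifiable from the diff; the PR description asserts compatibility but the change itself does not show it. A second consideration is that firewall traffic logs also record sessions the firewall denied, so unless the query constrains `event.action` (or an equivalent outcome field) the rule may now alert on blocked connection attempts as well as established ones, which changes the meaning of "Accepted" in this rule's name. The same applies to every rule section in this commit that adds `logs-panw.panos*`. It is worth confirming both points against a sample PAN-OS traffic document.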
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/07/02"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
@@ -34,7 +34,7 @@ references = [
risk_score = 47
rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92"
severity = "medium"
tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/07/06"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "lucene"
license = "Elastic License v2"
name = "Possible FIN7 DGA Command and Control Behavior"
@@ -30,7 +30,7 @@ references = [
risk_score = 73
rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3"
severity = "high"
tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -21,14 +21,14 @@ false_positives = [
""",
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.*"]
language = "kuery"
license = "Elastic License v2"
name = "IPSEC NAT Traversal Port Activity"
risk_score = 21
rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
severity = "low"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"
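Review bot: Line 141 adds `"logs-panw.*"` whereas every other rule in this commit adds `"logs-panw.panos*"` (for example lines 60 and 167), so this rule is the only one matching any `panw` data stream rather than the traffic stream the PR describes. The broader pattern is presumably a typo rather than intentional, since the description only mentions the `.ds-logs-panw.panos-default-*` index. Use the same pattern here: `index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]`.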
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "SMTP on Port 26/TCP"
@@ -29,7 +29,7 @@ references = [
risk_score = 21
rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
severity = "low"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "RDP (Remote Desktop Protocol) from the Internet"
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 47
rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
severity = "medium"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
timeline_title = "Comprehensive Network Timeline"
timestamp_override = "event.ingested"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "VNC (Virtual Network Computing) from the Internet"
@@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 73
rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
severity = "high"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
""",
]
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "VNC (Virtual Network Computing) to the Internet"
@@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 47
rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
severity = "medium"
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
integration = ["endpoint", "network_traffic", "panw"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ theft, or other malicious activities. This rule proposes threshold logic to chec
source host to 10 or more destination hosts on commonly used network services.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 5
@@ -28,6 +28,7 @@ tags = [
"Tactic: Reconnaissance",
"Use Case: Network Security Monitoring",
"Data Source: Elastic Defend",
"Data Source: PAN-OS"
]
timestamp_override = "event.ingested"
type = "threshold"
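Review bot: Line 276 adds the PAN-OS traffic stream to a threshold rule whose threshold and `max_signals = 5` (line 279) were tuned against endpoint and packet-capture sources, and a perimeter firewall that logs every session is likely a much higher-volume and differently shaped source, since it probably records Internet-side scanning that endpoint agents never see. The threshold value itself is outside the hunk, so I cannot say whether it still holds; the hit rate should be re-checked on a stack with PAN-OS data before this ships. The same applies to the two other threshold rules in this commit (the sections ending at lines 314 and 341).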
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
integration = ["endpoint", "network_traffic", "panw"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ exploitation of the targeted system or network. This rule proposes threshold log
one source host to 20 or more destination ports.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"]
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 5
@@ -29,6 +29,7 @@ tags = [
"Tactic: Reconnaissance",
"Use Case: Network Security Monitoring",
"Data Source: Elastic Defend",
"Data Source: PAN-OS"
]
timestamp_override = "event.ingested"
type = "threshold"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2023/05/17"
integration = ["endpoint", "network_traffic"]
integration = ["endpoint", "network_traffic", "panw"]
maturity = "production"
updated_date = "2024/08/07"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ to data breaches or further malicious activities. This rule proposes threshold l
from one source host to 10 or more destination ports using 2 or less packets per port.
"""
from = "now-9m"
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"]
index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 5
@@ -29,6 +29,7 @@ tags = [
"Tactic: Reconnaissance",
"Use Case: Network Security Monitoring",
"Data Source: Elastic Defend",
"Data Source: PAN-OS"
]
timestamp_override = "event.ingested"
type = "threshold"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
backdoor vector.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "RPC (Remote Procedure Call) from the Internet"
@@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 73
rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
backdoor vector.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "RPC (Remote Procedure Call) to the Internet"
@@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 73
rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,8 +1,8 @@
[metadata]
creation_date = "2020/02/18"
integration = ["network_traffic"]
integration = ["network_traffic", "panw"]
maturity = "production"
updated_date = "2024/05/21"
updated_date = "2024/09/18"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ systems. It should almost never be directly exposed to the Internet, as it is fr
threat actors as an initial access or backdoor vector or for data exfiltration.
"""
from = "now-9m"
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
language = "kuery"
license = "Elastic License v2"
name = "SMB (Windows File Sharing) Activity to the Internet"
@@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
risk_score = 73
rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
severity = "high"
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
timestamp_override = "event.ingested"
type = "query"