diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz
index 9275a5256..bdf6dea10 100644
Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ
diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz
index 448eedfa9..c22550da5 100644
Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ
diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py
index 3e2f7f86d..c4740542b 100644
--- a/detection_rules/schemas/definitions.py
+++ b/detection_rules/schemas/definitions.py
@@ -78,7 +78,8 @@ NON_DATASET_PACKAGES = ['apm',
 'windows',
 'sentinel_one_cloud_funnel',
 'ti_rapid7_threat_command',
- 'm365_defender']
+ 'm365_defender',
+ 'panw']
 NON_PUBLIC_FIELDS = {
 "related_integrations": (Version.parse('8.3.0'), None),
 "required_fields": (Version.parse('8.3.0'), None),
diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
index dbfd44870..d30f431fd 100644
--- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
+++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/08/02"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Accepted Default Telnet Port Connection"
@@ -35,6 +35,7 @@ tags = [
 "Tactic: Command and Control",
 "Tactic: Lateral Movement",
 "Tactic: Initial Access",
+ "Data Source: PAN-OS"
 ]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 22f2f919a..353a1460e 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/02"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92"
 severity = "medium"
-tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
+tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 
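Review bot: In the `tags` hunk, `"Data Source: PAN-OS"` is added as the last element of a multi-line array without a trailing comma, while the element it follows keeps one (`"Tactic: Initial Access",`); the same pattern appears in the discovery_potential_network_sweep_detected, discovery_potential_port_scan_detected and discovery_potential_syn_port_scan_detected sections later in the diff. The surrounding multi-line arrays end every element with a comma, which keeps the next tag addition a one-line change. Suggest `"Data Source: PAN-OS",` in each of those four places.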
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 5766270a1..fcffd02c0 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Possible FIN7 DGA Command and Control Behavior"
@@ -30,7 +30,7 @@ references = [
 risk_score = 73
 rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3"
 severity = "high"
-tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
+tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index 94a0c4750..f61786952 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -21,14 +21,14 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "IPSEC NAT Traversal Port Activity"
 risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index d25a8aeb1..2a0140127 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMTP on Port 26/TCP"
@@ -29,7 +29,7 @@ references = [
 risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 
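Review bot: The `index` line in the IPSEC NAT Traversal hunk adds `"logs-panw.*"`, whereas every other rule in this diff adds `"logs-panw.panos*"`; the broader pattern would also match any other data stream the panw integration writes now or later, so this one rule would be fed events the rest are not, and the difference reads as accidental. Suggest `index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]`. If the wider match is deliberate, a short comment beside it would spare the next reviewer the same question.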
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 6cfbbf069..e9e59ab3a 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RDP (Remote Desktop Protocol) from the Internet"
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index d410f7aaa..db915e0a0 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
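Review bot: Adding `"logs-panw.panos*"` to the `index` of an inbound-exposure rule such as RDP from the Internet changes what a match means: a perimeter firewall typically logs the sessions it denied as well as the ones it allowed, whereas the packetbeat and network_traffic sources only see traffic that actually reached a host. Unless the rule's query, which is outside this hunk, constrains the firewall's recorded action (for example via `event.action` or `event.outcome`), every blocked Internet-sourced RDP attempt on an Internet-facing firewall will become an alert, a high-volume and low-signal stream. The same concern applies to the VNC-from-the-Internet and RPC-from-the-Internet sections later in the diff, and in the outbound direction to the to-the-Internet rules. Worth confirming that the queries filter on the allowed outcome, or otherwise extending the `false_positives` text to say that firewall-denied attempts are expected to match.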
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) from the Internet"
@@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
 severity = "high"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 09da32e8e..f7f629214 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
 """,
 ]
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "VNC (Virtual Network Computing) to the Internet"
@@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
 severity = "medium"
-tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/discovery_potential_network_sweep_detected.toml b/rules/network/discovery_potential_network_sweep_detected.toml
index e7c98678d..1f4a3572f 100644
--- a/rules/network/discovery_potential_network_sweep_detected.toml
+++ b/rules/network/discovery_potential_network_sweep_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic"]
+integration = ["endpoint", "network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ theft, or other malicious activities. This rule proposes threshold logic to chec
 source host to 10 or more destination hosts on commonly used network services.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-endpoint.events.network-*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -28,6 +28,7 @@ tags = [
 "Tactic: Reconnaissance",
 "Use Case: Network Security Monitoring",
 "Data Source: Elastic Defend",
+ "Data Source: PAN-OS"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/network/discovery_potential_port_scan_detected.toml b/rules/network/discovery_potential_port_scan_detected.toml
index 949a0ac48..718b4ef6d 100644
--- a/rules/network/discovery_potential_port_scan_detected.toml
+++ b/rules/network/discovery_potential_port_scan_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic"]
+integration = ["endpoint", "network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ exploitation of the targeted system or network. This rule proposes threshold log
 one source host to 20 or more destination ports.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*"]
+index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "filebeat-*", "auditbeat-*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -29,6 +29,7 @@ tags = [
 "Tactic: Reconnaissance",
 "Use Case: Network Security Monitoring",
 "Data Source: Elastic Defend",
+ "Data Source: PAN-OS"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/network/discovery_potential_syn_port_scan_detected.toml b/rules/network/discovery_potential_syn_port_scan_detected.toml
index 65d16a3d7..a73608000 100644
--- a/rules/network/discovery_potential_syn_port_scan_detected.toml
+++ b/rules/network/discovery_potential_syn_port_scan_detected.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2023/05/17"
-integration = ["endpoint", "network_traffic"]
+integration = ["endpoint", "network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/08/07"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ to data breaches or further malicious activities. This rule proposes threshold l
 from one source host to 10 or more destination ports using 2 or less packets per port.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*"]
+index = ["logs-endpoint.events.network-*", "logs-network_traffic.*", "packetbeat-*", "auditbeat-*", "filebeat-*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 5
@@ -29,6 +29,7 @@ tags = [
 "Tactic: Reconnaissance",
 "Use Case: Network Security Monitoring",
 "Data Source: Elastic Defend",
+ "Data Source: PAN-OS"
 ]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index 1d7743ba0..ddaf50fd5 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) from the Internet"
@@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index 0f11c9084..765d3d433 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ directly exposed to the Internet, as it is frequently targeted and exploited by
 backdoor vector.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "RPC (Remote Procedure Call) to the Internet"
@@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index cdb0744ec..ec784917b 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -1,8 +1,8 @@
 [metadata]
 creation_date = "2020/02/18"
-integration = ["network_traffic"]
+integration = ["network_traffic", "panw"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2024/09/18"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ systems. It should almost never be directly exposed to the Internet, as it is fr
 threat actors as an initial access or backdoor vector or for data exfiltration.
 """
 from = "now-9m"
-index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*"]
+index = ["packetbeat-*", "auditbeat-*", "filebeat-*", "logs-network_traffic.*", "logs-panw.panos*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SMB (Windows File Sharing) Activity to the Internet"
@@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "high"
-tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"]
+tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection", "Data Source: PAN-OS"]
 timestamp_override = "event.ingested"
 type = "query"