diff --git a/CLI.md b/CLI.md index f2e6e63d5..3c9cb4958 100644 --- a/CLI.md +++ b/CLI.md @@ -33,6 +33,10 @@ Currently supported arguments: Environment variables using the argument format: `DR_` will be parsed in commands which expect it. EX: `DR_USER=joe` + +Using the environment variable `DR_BYPASS_NOTE_VALIDATION_AND_PARSE` will bypass the Detection Rules validation on the `note` field in toml files. + + ## Importing rules into the repo You can import rules into the repo using the `create-rule` or `import-rules` commands. Both of these commands will diff --git a/detection_rules/rule.py b/detection_rules/rule.py index 6bc2f5b70..d899c4153 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py 
@@ -6,33 +6,39 @@ import copy import dataclasses import json +import os import typing from abc import ABC, abstractmethod from dataclasses import dataclass, field from functools import cached_property from pathlib import Path -from typing import Literal, Union, Optional, List, Any, Dict, Tuple +from typing import Any, Dict, List, Literal, Optional, Tuple, Union from uuid import uuid4 import eql +import kql +from marko.block import Document as MarkoDocument +from marko.ext.gfm import gfm from marshmallow import ValidationError, validates_schema -import kql -from . import beats -from . import ecs -from . import utils +from . import beats, ecs, utils from .misc import load_current_package_version from .mixins import MarshmallowDataclassMixin, StackCompatMixin -from .rule_formatter import toml_write, nested_normalize -from .schemas import SCHEMA_DIR, definitions, downgrade, get_stack_schemas, get_min_supported_stack_version +from .rule_formatter import nested_normalize, toml_write +from .schemas import (SCHEMA_DIR, definitions, downgrade, + get_min_supported_stack_version, get_stack_schemas) from .schemas.stack_compat import get_restricted_fields from .semver import Version from .utils import cached -BUILD_FIELD_VERSIONS = {"required_fields": (Version('8.3'), None)} _META_SCHEMA_REQ_DEFAULTS = {} MIN_FLEET_PACKAGE_VERSION = '7.13.0' +BUILD_FIELD_VERSIONS = { + "required_fields": (Version('8.3'), None), + "setup": (Version("8.3"), None) +} + @dataclass(frozen=True) class RuleMeta(MarshmallowDataclassMixin): 
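Review bot: The new `"setup": (Version("8.3"), None)` entry in `BUILD_FIELD_VERSIONS` uses double-quoted strings while the `required_fields` entry right above it and the rest of this module (`Version('8.3')`, `MIN_FLEET_PACKAGE_VERSION = '7.13.0'`) use single quotes; `"setup": (Version('8.3'), None),` with a trailing comma would match the file's style. The dictionary was also relocated below `MIN_FLEET_PACKAGE_VERSION`, which is harmless but turns a one-line addition into a move plus an addition; leaving it where it was keeps the behavioural change visible in the diff.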
@@ -221,6 +227,89 @@ class BaseRuleData(MarshmallowDataclassMixin, StackCompatMixin): fields: List[dataclasses.Field, ...] = list(dataclasses.fields(self)) return get_restricted_fields(fields) + @cached_property + def data_validator(self) -> Optional['DataValidator']: + return DataValidator(is_elastic_rule=self.is_elastic_rule, **self.to_dict()) + + @cached_property + def parsed_note(self) -> Optional[MarkoDocument]: + dv = self.data_validator + if dv: + return dv.parsed_note + + @property + def is_elastic_rule(self): + return 'elastic' in [a.lower() for a in self.author] + + +class DataValidator: + """Additional validation beyond base marshmallow schema validation.""" + + def __init__(self, + name: definitions.RuleName, + is_elastic_rule: bool, + note: Optional[definitions.Markdown] = None, + setup: Optional[str] = None, + **extras): + # only define fields needing additional validation + self.name = name + self.is_elastic_rule = is_elastic_rule + self.note = note + self.setup = setup + + self._setup_in_note = False + + @cached_property + def parsed_note(self) -> Optional[MarkoDocument]: + if self.note: + return gfm.parse(self.note) + + @property + def setup_in_note(self): + return self._setup_in_note + + @setup_in_note.setter + def setup_in_note(self, value: bool): + self._setup_in_note = value + + @cached_property + def skip_validate_note(self) -> bool: + return os.environ.get('DR_BYPASS_NOTE_VALIDATION_AND_PARSE') is not None + + def validate_note(self): + if self.skip_validate_note or not self.note: + return + + try: + for child in self.parsed_note.children: + if child.get_type() == "Heading": + header = gfm.renderer.render_children(child) + + if header.lower() == "setup": + + # check that the Setup header is correctly formatted at level 2 + if child.level != 2: + raise ValidationError(f"Setup section with wrong header level: {child.level}") + + # check that the Setup header is capitalized + if child.level == 2 and header != "Setup": + raise 
ValidationError(f"Setup header has improper casing: {header}") + + self.setup_in_note = True + + else: + # check that the header Config does not exist in the Setup section + if child.level == 2 and "config" in header.lower(): + raise ValidationError(f"Setup header contains Config: {header}") + + except Exception as e: + raise ValidationError(f"Invalid markdown in rule `{self.name}`: {e}. To bypass validation on the `note`" + f"field, use the environment variable `DR_BYPASS_NOTE_VALIDATION_AND_PARSE`") + + # raise if setup header is in note and in setup + if self.setup_in_note and self.setup: + raise ValidationError("Setup header found in both note and setup fields.") + @dataclass class QueryValidator: @@ -577,14 +666,13 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): super()._post_dict_transform(obj) self.add_related_integrations(obj) - self.add_required_fields(obj) - self.add_setup(obj) + self._add_required_fields(obj) + self._add_setup(obj) # validate new fields against the schema rule_type = obj['type'] subclass = self.get_data_subclass(rule_type) subclass.from_dict(obj) - return obj def add_related_integrations(self, obj: dict) -> None: @@ -592,7 +680,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): # field_name = "related_integrations" ... - def add_required_fields(self, obj: dict) -> None: + def _add_required_fields(self, obj: dict) -> None: """Add restricted field required_fields to the obj, derived from the query AST.""" if isinstance(self.data, QueryRuleData) and self.data.language != 'lucene': index = obj.get('index') or [] 
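Review bot: The broad `except Exception as e` at the end of `validate_note` also catches the three `ValidationError`s raised inside the loop, so a wrong header level or casing is re-reported as `Invalid markdown in rule ...` and the message then recommends `DR_BYPASS_NOTE_VALIDATION_AND_PARSE` as the remedy for a formatting problem the author should simply fix; add `except ValidationError:` / `raise` ahead of the generic handler, or narrow the `try` to the `self.parsed_note` access that can actually fail on bad markdown. The bypass itself is `os.environ.get(...) is not None`, so `DR_BYPASS_NOTE_VALIDATION_AND_PARSE=0` or an empty value still disables both the validation and (via `setup_in_note` staying False) the note/setup split, silently and with no log line, which is easy to leave set in a CI environment; if the variable stays, accept only an explicit truthy value and print a warning when it takes effect. The comment `check that the header Config does not exist in the Setup section` does not match the condition beneath it, which rejects any level-2 heading containing `config` anywhere in the note, so either the comment or the check should change. `is_elastic_rule` is stored on the validator but nothing in this hunk reads it.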
@@ -604,10 +692,55 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): if self.check_restricted_field_version(field_name=field_name): obj.setdefault(field_name, required_fields) - def add_setup(self, obj: dict) -> None: + def _add_setup(self, obj: dict) -> None: """Add restricted field setup to the obj.""" - # field_name = "setup" - ... + rule_note = obj.get("note", "") + field_name = "setup" + field_value = obj.get(field_name) + + if not self.check_explicit_restricted_field_version(field_name): + return + + data_validator = self.data.data_validator + + if not data_validator.skip_validate_note and data_validator.setup_in_note and not field_value: + parsed_note = self.data.parsed_note + + # parse note tree + for i, child in enumerate(parsed_note.children): + if child.get_type() == "Heading" and "Setup" in gfm.render(child): + field_value = self._get_setup_content(parsed_note.children[i + 1:]) + + # clean up old note field + investigation_guide = rule_note.replace("## Setup\n\n", "") + investigation_guide = investigation_guide.replace(field_value, "").strip() + obj["note"] = investigation_guide + obj[field_name] = field_value + break + + @cached + def _get_setup_content(self, note_tree: list) -> str: + """Get note paragraph starting from the setup header.""" + setup = [] + for child in note_tree: + if child.get_type() == "BlankLine" or child.get_type() == "LineBreak": + setup.append("\n") + elif child.get_type() == "CodeSpan": + setup.append(f"`{gfm.renderer.render_raw_text(child)}`") + elif child.get_type() == "Paragraph": + setup.append(self._get_setup_content(child.children)) + setup.append("\n") + elif child.get_type() == "FencedCode": + setup.append(f"```\n{self._get_setup_content(child.children)}\n```") + setup.append("\n") + elif child.get_type() == "RawText": + setup.append(child.children) + elif child.get_type() == "Heading" and child.level >= 2: + break + else: + setup.append(self._get_setup_content(child.children)) + + return 
"".join(setup).strip() def check_explicit_restricted_field_version(self, field_name: str) -> bool: """Explicitly check restricted fields against global min and max versions.""" @@ -619,19 +752,21 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): min_stack, max_stack = self.data.get_restricted_fields.get(field_name) return self.compare_field_versions(min_stack, max_stack) - def compare_field_versions(self, min_stack: Version, max_stack: Version) -> bool: - """Check current rule version is witihin min and max stack versions.""" + @staticmethod + def compare_field_versions(min_stack: Version, max_stack: Version) -> bool: + """Check current rule version is within min and max stack versions.""" current_version = Version(load_current_package_version()) max_stack = max_stack or current_version return Version(min_stack) <= current_version >= Version(max_stack) @validates_schema - def validate_query(self, value: dict, **kwargs): - """Validate queries by calling into the validator for the relevant method.""" + def post_validation(self, value: dict, **kwargs): + """Additional validations beyond base marshmallow schemas.""" data: AnyRuleData = value["data"] metadata: RuleMeta = value["metadata"] - return data.validate_query(metadata) + data.validate_query(metadata) + data.data_validator.validate_note() def to_dict(self, strip_none_values=True) -> dict: # Load schemas directly from the data and metadata classes to avoid schema ambiguity which can @@ -797,4 +932,4 @@ def get_unique_query_fields(rule: TOMLRule) -> List[str]: # avoid a circular import -from .rule_validators import KQLValidator, EQLValidator # noqa: E402 +from .rule_validators import EQLValidator, KQLValidator # noqa: E402 diff --git a/requirements.txt b/requirements.txt index 095ad3f93..b5d3de181 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,5 @@ jsl==0.2.4 +marko pytoml toml==0.10.0 requests~=2.27 
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml index b5a3c43be..e990120df 100644 --- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml +++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml @@ -17,7 +17,7 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Potential Cookies Theft via Browser Debugging" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -44,8 +44,8 @@ process where event.type in ("start", "process_started", "info") and "google-chrome-beta", "google-chrome", "msedge.exe") and - process.args : ("--remote-debugging-port=*", - "--remote-debugging-targets=*", + process.args : ("--remote-debugging-port=*", + "--remote-debugging-targets=*", "--remote-debugging-pipe=*") and process.args : "--user-data-dir=*" and not process.args:"--remote-debugging-port=0" ''' diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml index 259e750a6..283004af0 100644 --- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml +++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml 
@@ -14,7 +14,7 @@ index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows. language = "eql" license = "Elastic License v2" name = "WebServer Access Logs Deleted" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -27,10 +27,10 @@ type = "eql" query = ''' file where event.type == "deletion" and - file.path : ("C:\\inetpub\\logs\\LogFiles\\*.log", + file.path : ("C:\\inetpub\\logs\\LogFiles\\*.log", "/var/log/apache*/access.log", - "/etc/httpd/logs/access_log", - "/var/log/httpd/access_log", + "/etc/httpd/logs/access_log", + "/var/log/httpd/access_log", "/var/www/*/logs/access.log") ''' diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml index 59c0890dc..5f332e4cf 100644 --- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml @@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Tampering of Bash Command-Line History" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml index d368bfb44..b358698cf 100644 
--- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml +++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml @@ -16,7 +16,7 @@ index = ["logs-*"] language = "eql" license = "Elastic License v2" name = "Elastic Agent Service Terminated" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -31,18 +31,18 @@ query = ''' process where /* net, sc or wmic stopping or deleting Elastic Agent on Windows */ (event.type == "start" and - process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and + process.name : ("net.exe", "sc.exe", "wmic.exe","powershell.exe","taskkill.exe","PsKill.exe","ProcessHacker.exe") and process.args : ("stopservice","uninstall", "stop", "disabled","Stop-Process","terminate","suspend") and - process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint")) + process.args : ("elasticendpoint", "Elastic Agent","elastic-agent","elastic-endpoint")) or /* service or systemctl used to stop Elastic Agent on Linux */ (event.type == "end" and - (process.name : ("systemctl","service") and - process.args : ("elastic-agent", "stop")) - or + (process.name : ("systemctl","service") and + process.args : ("elastic-agent", "stop")) + or /* Unload Elastic Agent extension on MacOS */ (process.name : "kextunload" and - process.args : "com.apple.iokit.EndpointSecurity" and + process.args : "com.apple.iokit.EndpointSecurity" and event.action : "end")) ''' diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml index 05694647e..cf14cceb8 100644 
--- a/rules/cross-platform/defense_evasion_timestomp_touch.toml +++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml @@ -15,7 +15,7 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Timestomping using Touch Command" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml index d04c19d03..25f36fbd3 100644 --- a/rules/cross-platform/discovery_security_software_grep.toml +++ b/rules/cross-platform/discovery_security_software_grep.toml @@ -15,7 +15,7 @@ index = ["logs-endpoint.events.*", "auditbeat-*"] language = "eql" license = "Elastic License v2" name = "Security Software Discovery via Grep" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml index b5c595198..79ad53903 100644 --- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml +++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml 
@@ -21,7 +21,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Virtual Machine Fingerprinting via Grep" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -36,7 +36,7 @@ type = "eql" query = ''' process where event.type == "start" and process.name in ("grep", "egrep") and user.id != "0" and - process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and + process.args : ("parallels*", "vmware*", "virtualbox*") and process.args : "Manufacturer*" and not process.parent.executable in ("/Applications/Docker.app/Contents/MacOS/Docker", "/usr/libexec/kcare/virt-what") ''' diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml index d51cab758..525da55ce 100644 --- a/rules/cross-platform/execution_python_script_in_cmdline.toml +++ b/rules/cross-platform/execution_python_script_in_cmdline.toml @@ -15,7 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Python Script Execution via Command Line" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml index fa83afeec..91da6fabb 100644 
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml +++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml @@ -11,7 +11,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Potential Reverse Shell Activity via Terminal" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml index 40eb8dfa6..32913f597 100644 --- a/rules/cross-platform/execution_suspicious_jar_child_process.toml +++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml @@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Suspicious JAVA Child Process" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml index f8fa1b7cb..dbf0d0fb1 100644 --- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml +++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml 
@@ -16,7 +16,7 @@ index = ["filebeat-*"] language = "kuery" license = "Elastic License v2" name = "Zoom Meeting with no Passcode" -note = """## Config +note = """## Setup The Zoom Filebeat module or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml index c719e0418..d59e0a722 100644 --- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml +++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml @@ -20,7 +20,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS CloudTrail Log Created" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml index 1ae59b920..665bd5207 100644 --- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml +++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml @@ -16,7 +16,7 @@ index = ["filebeat-*", "logs-aws*"] language = "kuery" license = "Elastic License v2" name = "AWS IAM Brute Force of Assume Role Policy" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml index 50cff5319..9739cf4c3 100644 --- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml +++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml 
@@ -21,7 +21,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS IAM User Addition to Group" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"] diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml index f6dedbb79..4110331a4 100644 --- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml +++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml @@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-aws*"] language = "kuery" license = "Elastic License v2" name = "AWS Management Console Brute Force of Root User Identity" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"] diff --git a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml index 81d799975..97eac499c 100644 --- a/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml +++ b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml @@ -22,7 +22,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS Access Secret in Secrets Manager" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ 
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml index 28943ebfc..702730aa6 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -20,7 +20,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS CloudTrail Log Deleted" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml index e266a24db..311fe6589 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml @@ -24,7 +24,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS CloudTrail Log Suspended" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml index e8b245ca7..9f92d8d1a 100644 --- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml +++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml @@ -20,7 +20,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS CloudWatch Alarm Deletion" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ 
diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml index 81cfc25a2..79cd4b24c 100644 --- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml +++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml @@ -24,7 +24,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS Config Service Tampering" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml index d8c92cd24..39aac78b1 100644 --- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml +++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml @@ -20,7 +20,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS Configuration Recorder Stopped" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml index 6d9fde757..1e666509d 100644 --- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml +++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml @@ -23,7 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS EC2 Flow Log Deletion" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ 
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml index 35352e974..4d17f64ea 100644 --- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml +++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml @@ -23,7 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS EC2 Network Access Control List Deletion" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml index 31213904f..608c8a850 100644 --- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml +++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml @@ -20,7 +20,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS ElastiCache Security Group Created" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/API_CreateCacheSecurityGroup.html"] @@ -32,7 +32,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and +event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:"Create Cache Security Group" and event.outcome:success ''' 
@@ -47,7 +47,7 @@ reference = "https://attack.mitre.org/techniques/T1562/"
 id = "T1562.007"
 name = "Disable or Modify Cloud Firewall"
 reference = "https://attack.mitre.org/techniques/T1562/007/"
-
+
 [rule.threat.tactic]
 name = "Defense Evasion"
 id = "TA0005"
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index 9b6e61fc5..5a7dd4837 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS ElastiCache Security Group Modified or Deleted"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/Welcome.html"]
@@ -33,8 +33,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or
-"Authorize Cache Security Group Ingress" or "Revoke Cache Security Group Ingress" or "AuthorizeCacheSecurityGroupEgress" or
+event.dataset:aws.cloudtrail and event.provider:elasticache.amazonaws.com and event.action:("Delete Cache Security Group" or
+"Authorize Cache Security Group Ingress" or "Revoke Cache Security Group Ingress" or "AuthorizeCacheSecurityGroupEgress" or
 "RevokeCacheSecurityGroupEgress") and event.outcome:success
 '''
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index 6b62e24e4..c025a1455 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS GuardDuty Detector Deletion"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 145b8d6bf..0836f85b6 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS S3 Bucket Configuration Deletion"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index 939b4a030..deac79fe2 100644
--- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS WAF Access Control List Deletion"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index 1714eb4fa..e3d58bd4f 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS WAF Rule or Rule Group Deletion"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index 435f2ff78..6f40150d5 100644
--- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Full Network Packet Capture Detected"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -39,8 +39,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and
-event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and
+event.action:(CreateTrafficMirrorFilter or CreateTrafficMirrorFilterRule or CreateTrafficMirrorSession or CreateTrafficMirrorTarget) and
 event.outcome:success
 '''
diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
index 2ab12f44b..35fe1cba8 100644
--- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Snapshot Activity"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
index cab193e64..a991c5f57 100644
--- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
@@ -22,7 +22,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 VM Export Failure"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.html#export-instance"]
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index 16f081725..1e8dcd0ff 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Snapshot Export"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"]
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
index 6e054b5d5..7bb6f136d 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Snapshot Restored"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index 5be201c92..e0574f879 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -12,7 +12,7 @@ visibility in applications or a break in the flow with other AWS services.
 """
 false_positives = [
 """
- EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or
+ EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or
 hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EventBridge Rule Disabled or Deleted"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -38,7 +38,7 @@ type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and
+event.dataset:aws.cloudtrail and event.provider:eventbridge.amazonaws.com and event.action:(DeleteRule or DisableRule) and
 event.outcome:success
 '''
diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index 3ec2baff2..d0465dcf1 100644
--- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudTrail Log Updated"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index ce21a7a46..db3f0d910 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudWatch Log Group Deletion"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index 3d291e55d..306aad7f5 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudWatch Log Stream Deletion"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index 868f893eb..8c5d534e7 100644
--- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Encryption Disabled"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
index 3f480a119..9e650a1e7 100644
--- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
+++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EFS File System or Mount Deleted"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -39,7 +39,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and
+event.dataset:aws.cloudtrail and event.provider:elasticfilesystem.amazonaws.com and
 event.action:(DeleteMountTarget or DeleteFileSystem) and event.outcome:success
 '''
diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index d49e57544..c661983dc 100644
--- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Deactivation of MFA Device"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
index 6b409506d..d799a20c7 100644
--- a/rules/integrations/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Group Deletion"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index 8d26ba224..481df4dfd 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Security Group Deletion"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBSecurityGroup.html"]
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index f5b692029..90fd97a39 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Deletion of RDS Instance or Cluster"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -43,7 +43,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)
+event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:(DeleteDBCluster or DeleteGlobalCluster or DeleteDBInstance)
 and event.outcome:success
 '''
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index f6c851a97..390904788 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Instance/Cluster Stoppage"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index ce29dc00a..24f578269 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Management Console Root Login"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index ec54e563e..2b276c1ab 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Password Recovery Requested"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index c6b35a04a..4d8723d6a 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Execution via System Manager"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"]
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index 5b5d0f91c..266d40969 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 machine_learning_job_id = "high_distinct_count_error_message"
 name = "Spike in AWS Error Messages"
 note = """
-## Config
+## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index df39b1184..3cfb36da7 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 machine_learning_job_id = "rare_error_code"
 name = "Rare AWS Error Code"
 note = """
-## Config
+## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index a64738482..c715ece35 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -25,7 +25,7 @@ license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_city"
 name = "Unusual City For an AWS Command"
 note = """
-## Config
+## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index 52003f225..e5365b450 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -25,7 +25,7 @@ license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_country"
 name = "Unusual Country For an AWS Command"
 note = """
-## Config
+## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 4744d2f8d..39f0c166f 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -24,7 +24,7 @@ license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_username"
 name = "Unusual AWS Command for a User"
 note = """
-## Config
+## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index 514a74b92..eb988ea16 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Network Access Control List Creation"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index 85cdb5cca..a16ed0dad 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Security Group Configuration Change Detection"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-security-groups.html"]
@@ -36,8 +36,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
-CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or
+event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(AuthorizeSecurityGroupEgress or
+CreateSecurityGroup or ModifyInstanceAttribute or ModifySecurityGroupRules or RevokeSecurityGroupEgress or
 RevokeSecurityGroupIngress) and event.outcome:success
 '''
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index a898a74cd..d20094ff6 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Group Creation"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index 2b1be4fae..94ae3cfac 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Cluster Creation"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 59a850d34..374d94fc6 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Security Group Creation"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBSecurityGroup.html"]
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index 07a3b184d..485575f3b 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Instance Creation"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html"]
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index 590767605..3f1575d0c 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -7,8 +7,8 @@ integration = "aws"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user
-may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured
+Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user
+may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured
 and could introduce security vulnerabilities.
 """
 false_positives = [
@@ -24,7 +24,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Redshift Cluster Creation"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_CreateCluster.html"]
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index d40018ebb..de34c8b9c 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -23,7 +23,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Route 53 Domain Transfer Lock Disabled"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index e81b9391c..597ea914d 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Route 53 Domain Transferred to Another Account"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"]
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index fd4fb5ae5..086300809 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -20,7 +20,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Route53 private hosted zone associated with a VPC"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_AssociateVPCWithHostedZone.html"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and
+event.dataset:aws.cloudtrail and event.provider:route53.amazonaws.com and event.action:AssociateVPCWithHostedZone and
 event.outcome:success
 '''
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index ca4c12253..98a6e2df0 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Route Table Created"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -37,7 +37,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and
+event.dataset:aws.cloudtrail and event.provider:cloudtrail.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and
 event.outcome:success
 '''
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index 4986f48cd..13720d80a 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
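Review bot: The rewritten query line in persistence_route_table_created.toml still filters on `event.provider:cloudtrail.amazonaws.com` while matching `event.action:(CreateRoute or CreateRouteTable)`; those are EC2 API calls, and the other rules on this page that match EC2 actions (the traffic-mirror rule and the security-group rule) filter on `event.provider:ec2.amazonaws.com`, so this rule probably never matches a real event. The commit only strips trailing whitespace from the line, but since it is being rewritten anyway it is the right moment to correct the provider: `event.dataset:aws.cloudtrail and event.provider:ec2.amazonaws.com and event.action:(CreateRoute or CreateRouteTable) and`. This is inferred from the sibling hunks and the CloudTrail eventSource convention, so it should be confirmed against actual CloudTrail records for these calls.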
@@ -9,9 +9,9 @@ author = ["Elastic", "Austin Songer"]
 description = "Identifies when an AWS Route Table has been modified or deleted."
 false_positives = [
 """
- Route Table could be modified or deleted by a system administrator. Verify whether the user identity,
+ Route Table could be modified or deleted by a system administrator. Verify whether the user identity,
 user agent, and/or hostname should be making changes in your environment. Route Table being modified
- from unfamiliar users should be investigated. If known behavior is causing false positives, it can be
+ from unfamiliar users should be investigated. If known behavior is causing false positives, it can be
 exempted from the rule. Also automated processes that use Terraform may lead to false positives.
 """,
 ]
@@ -21,7 +21,7 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Route Table Modified or Deleted"
-note = """## Config
+note = """## Setup
 The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
index 5fb7e84c7..b4baff8da 100644
--- a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
+++ b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
@@ -11,7 +11,7 @@ Identifies when SAML activity has occurred in AWS. An adversary could manipulate """ false_positives = [ """ - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or + SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, @@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-aws*"] language = "kuery" license = "Elastic License v2" name = "AWS SAML Activity" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ @@ -36,7 +36,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or +event.dataset:aws.cloudtrail and event.provider:(iam.amazonaws.com or sts.amazonaws.com) and event.action:(Assumerolewithsaml or UpdateSAMLProvider) and event.outcome:success ''' diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml index 37026f7c3..21d0c74fb 100644 --- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml +++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml @@ -22,7 +22,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS Root Login Without MFA" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"] 
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml index 19c581c0e..360a6f533 100644 --- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml +++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml @@ -20,7 +20,7 @@ language = "kuery" license = "Elastic License v2" name = "AWS Security Token Service (STS) AssumeRole Usage" references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html"] -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" risk_score = 21 @@ -31,7 +31,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and +event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:AssumedRole and aws.cloudtrail.user_identity.session_context.session_issuer.type:Role and event.outcome:success ''' diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml index dd192e563..afa2cfedd 100644 --- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml +++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml 
@@ -7,13 +7,13 @@ integration = "aws" [rule] author = ["Austin Songer"] description = """ -Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and +Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. """ false_positives = [ """ - GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user - agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or + GetSessionToken may be done by a system or network administrator. Verify whether the user identity, user + agent, and/or hostname should be making changes in your environment. GetSessionToken from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, ] @@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-aws*"] language = "kuery" license = "Elastic License v2" name = "AWS STS GetSessionToken Abuse" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ @@ -36,7 +36,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and +event.dataset:aws.cloudtrail and event.provider:sts.amazonaws.com and event.action:GetSessionToken and aws.cloudtrail.user_identity.type:IAMUser and event.outcome:success ''' diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml index 14c1f2afc..d01743d79 100644 --- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml +++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml 
@@ -23,7 +23,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "AWS IAM Assume Role Policy Update" -note = """## Config +note = """## Setup The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"] diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml index 9c2442246..533d7a9aa 100644 --- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml +++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml @@ -25,7 +25,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Event Hub Authorization Rule Created or Updated" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"] diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml index 8fec05544..39af8aec7 100644 --- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml +++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml 
@@ -14,7 +14,7 @@ internal traffic. """ false_positives = [ """ - Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, + Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, @@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Full Network Packet Capture Detected" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"] @@ -41,7 +41,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name: "MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION" or "MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION" or "MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE" - ) and + ) and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml index 4626cf146..6b4fb1714 100644 --- a/rules/integrations/azure/credential_access_key_vault_modified.toml +++ b/rules/integrations/azure/credential_access_key_vault_modified.toml @@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Key Vault Modified" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ 
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml index 75fb07e47..8c4c4820f 100644 --- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml +++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml @@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Storage Account Key Regenerated" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml index e3180ce57..f6a2068e9 100644 --- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml +++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml @@ -25,7 +25,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Application Credential Modification" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml index ebaa8f2d1..52912a862 100644 --- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml +++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml 
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Blob Permissions Modification" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles"] @@ -35,7 +35,7 @@ type = "query" query = ''' event.dataset:azure.activitylogs and azure.activitylogs.operation_name:( "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MANAGEOWNERSHIP/ACTION" or - "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION") and + "MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/BLOBS/MODIFYPERMISSIONS/ACTION") and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml index 3cf3da2c5..69f3b560c 100644 --- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml +++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml @@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Diagnostic Settings Deletion" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"] diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml index 49c7baaeb..df3048adf 100644 --- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml 
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml @@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Service Principal Addition" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml index 3541624e7..763c1d368 100644 --- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml +++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml @@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Event Hub Deletion" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml index 0f77eecea..fff5ce515 100644 --- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml +++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml @@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Firewall Policy Deletion" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"] 
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml index f19083c0c..a4711ef0c 100644 --- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml +++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml @@ -7,12 +7,12 @@ integration = "azure" [rule] author = ["Austin Songer"] description = """ -Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall +Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective. """ false_positives = [ """ - Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, + Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, @@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ 
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml index 1a0c11705..b4ead5ba3 100644 --- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml @@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Kubernetes Events Deleted" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ @@ -37,7 +37,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml index 7661bcfbf..bbbe2ce81 100644 --- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml +++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml @@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Network Watcher Deletion" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"] 
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml index 4e9991d87..cd5ea2371 100644 --- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml +++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml @@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Alert Suppression Rule Created or Modified" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ @@ -38,7 +38,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE" and event.outcome: "success" ''' diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml index c6f417ddc..a38057a25 100644 --- a/rules/integrations/azure/discovery_blob_container_access_mod.toml +++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml @@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Blob Container Access Level Modification" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"] diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml index d14d11ce1..1289b596f 100644 
--- a/rules/integrations/azure/execution_command_virtual_machine.toml +++ b/rules/integrations/azure/execution_command_virtual_machine.toml @@ -25,7 +25,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Command Execution on Virtual Machine" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/impact_azure_automation_runbook_deleted.toml b/rules/integrations/azure/impact_azure_automation_runbook_deleted.toml index 2b9b46a0f..70f1050d9 100644 --- a/rules/integrations/azure/impact_azure_automation_runbook_deleted.toml +++ b/rules/integrations/azure/impact_azure_automation_runbook_deleted.toml @@ -15,7 +15,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Runbook Deleted" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml index 2d15cabfe..25fa04cb3 100644 --- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml +++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml @@ -25,7 +25,7 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "Azure Service Principal Credentials Added" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"] 
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml index 9b87ebb86..507e10868 100644 --- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml @@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Kubernetes Pods Deleted" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ @@ -36,7 +36,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and +event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE" and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml index 4803ecb68..545b3d503 100644 --- a/rules/integrations/azure/impact_resource_group_deletion.toml +++ b/rules/integrations/azure/impact_resource_group_deletion.toml @@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Resource Group Deletion" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml index 7f13d6365..901654240 100644 --- a/rules/integrations/azure/impact_virtual_network_device_modified.toml +++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml 
@@ -13,7 +13,7 @@ appliance, virtual hub, or virtual router. false_positives = [ """ Virtual Network Device modification or deletion may be performed by a system administrator. Verify - whether the user identity, user agent, and/or hostname should be making changes in your environment. + whether the user identity, user agent, and/or hostname should be making changes in your environment. Virtual Network Device modification or deletion by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. """, @@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Virtual Network Device Modified or Deleted" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"] @@ -40,7 +40,7 @@ event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSO "MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION" or "MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE" or "MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE" or "MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE" or "MICROSOFT.NETWORK/VIRTUALHUBS/DELETE" or "MICROSOFT.NETWORK/VIRTUALHUBS/WRITE" or -"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE" or "MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE") and +"MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE" or "MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE") and event.outcome:(Success or success) ''' diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml index 71e355c47..4451d2c34 100644 --- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml 
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml @@ -17,7 +17,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Active Directory High Risk Sign-in" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml index 87075de4c..a6abe98e9 100644 --- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml +++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml @@ -8,14 +8,14 @@ integration = "azure" author = ["Austin Songer"] description = """ Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning -and heuristics. +and heuristics. """ from = "now-25m" index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Active Directory High Risk User Sign-in Heuristic" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml index 5c5b2e492..34a07cd54 100644 --- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml +++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml 
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Active Directory PowerShell Sign-in" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml index 7b7556d24..2e614c095 100644 --- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml +++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml @@ -23,7 +23,7 @@ note = """## Triage and analysis - Security analysts should review the list of trusted applications for any suspicious items. -## Config +## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ @@ -37,7 +37,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and +event.dataset:(azure.activitylogs or azure.auditlogs or o365.audit) and ( azure.activitylogs.operation_name:"Consent to application" or azure.auditlogs.operation_name:"Consent to application" or diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml index c3d75fff2..d90deeca4 100644 --- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml +++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml 
@@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure External Guest User Invitation" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"] diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml index cb6dd3dbc..837197b0d 100644 --- a/rules/integrations/azure/persistence_azure_automation_account_created.toml +++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml @@ -16,7 +16,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Account Created" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml index a71006a46..a9c2aa29c 100644 --- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml +++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml @@ -15,7 +15,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Runbook Created or Modified" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ 
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml index 7220f459a..603ddb258 100644 --- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml +++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml @@ -16,7 +16,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Automation Webhook Created" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml index fc6635d00..2a321bae5 100644 --- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml +++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml @@ -17,7 +17,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Conditional Access Policy Modified" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"] diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml index eb931018e..701240ba0 100644 --- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml +++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml 
@@ -18,7 +18,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure AD Global Administrator Role Assigned"
-note = """## Config
+note = """## Setup
 
 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index 5888f921a..d2ffbe795 100644
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Global Administrator Role Addition to PIM User"
-note = """## Config
+note = """## Setup
 
 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index 44a788198..a7cea2de7 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -17,7 +17,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Privilege Identity Management Role Modified"
-note = """## Config
+note = """## Setup
 
 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index 6824c4e47..84b1fa3ef 100644
--- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -15,7 +15,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Multi-Factor Authentication Disabled for an Azure User"
-note = """## Config
+note = """## Setup
 
 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 risk_score = 47
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index 9118cbe46..0392badda 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -16,7 +16,7 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "User Added as Owner for Azure Application"
-note = """## Config
+note = """## Setup
 
 The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 risk_score = 21
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index 77c798d35..367d4626b 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -18,7 +18,7 @@ index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "User Added as Owner for Azure Service Principal" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml index 1fa2c5501..22a288179 100644 --- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml +++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml @@ -7,17 +7,17 @@ integration = "azure" [rule] author = ["Austin Songer"] description = """ -Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects +Identifies the creation of role binding or cluster role bindings. You can assign these roles to Kubernetes subjects (users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other high privileges -roles. +roles. """ from = "now-20m" index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" name = "Azure Kubernetes Rolebindings Created" -note = """## Config +note = """## Setup The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ 
@@ -34,7 +34,7 @@ type = "query" query = ''' event.dataset:azure.activitylogs and azure.activitylogs.operation_name: ("MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE" or - "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and + "MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE") and event.outcome:(Success or success) ''' diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml index 019430820..7d460b4b1 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml @@ -8,7 +8,7 @@ min_stack_version = "7.14.0" [rule] author = ["Elastic"] -description = """Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The +description = """Identifies the occurrence of a CyberArk Privileged Access Security (PAS) error level audit event. The event.code correlates to the CyberArk Vault Audit Action Code. """ false_positives = ["To tune this rule, add exceptions to exclude any event.code which should not trigger this rule."] @@ -17,7 +17,7 @@ index = ["filebeat-*", "logs-cyberarkpas.audit*"] language = "kuery" license = "Elastic License v2" name = "CyberArk Privileged Access Security Error" -note = """## Config +note = """## Setup The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. 
diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml index f8bfe2945..81c4a24c9 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml @@ -18,7 +18,7 @@ index = ["filebeat-*", "logs-cyberarkpas.audit*"] language = "kuery" license = "Elastic License v2" name = "CyberArk Privileged Access Security Recommended Monitor" -note = """## Config +note = """## Setup The CyberArk Privileged Access Security (PAS) Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml index 2c450b0a2..907d6723b 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml @@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"] language = "kuery" license = "Elastic License v2" name = "GCP Pub/Sub Subscription Creation" -note = """## Config +note = """## Setup The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://cloud.google.com/pubsub/docs/overview"] diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml index 6eedb3269..23dc89f56 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml 
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Pub/Sub Topic Creation"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/pubsub/docs/admin"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index 8ce7d7a1b..a74e6bfe2 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Firewall Rule Creation"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index d7dea736e..710e22b12 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Firewall Rule Deletion"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index 062d69925..fdfd02114 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Firewall Rule Modification"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index aadea9b77..0565cb14b 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Logging Bucket Deletion"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index f36dce530..403b6875e 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Logging Sink Deletion"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/logging/docs/export"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index 4e3f071d3..59fb75af4 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Pub/Sub Subscription Deletion"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/pubsub/docs/overview"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index 2a7503df3..7ccc2b98c 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Pub/Sub Topic Deletion"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/pubsub/docs/overview"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index d8df8e451..eb990a8be 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Storage Bucket Configuration Modification"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 65c5763a5..4da1427f9 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Storage Bucket Permissions Modification"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/storage/docs/access-control/iam-permissions"]
diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index c0d2cf28d..0777913e5 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Logging Sink Modification"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index a46ed0a80..4ffde449b 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP IAM Role Deletion"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/iam/docs/understanding-roles"]
diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index 70f42ef98..7885762c1 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Service Account Deletion"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/iam/docs/service-accounts"]
diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index 809316e34..00ffcb31d 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Service Account Disabled"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/iam/docs/service-accounts"]
diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index 2b167ca40..8c6af845f 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Storage Bucket Deletion"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
diff --git a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
index 655257c37..b11570fac 100644
--- a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Network Deletion"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/vpc"]
diff --git a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
index bf101495f..da80efa4a 100644
--- a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Route Creation"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
diff --git a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
index 26a27c7f9..4cb8b5edb 100644
--- a/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Route Deletion"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index 380bc5e44..c2298cbf4 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP IAM Custom Role Creation"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 1c336f2a1..48a8f04e9 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP IAM Service Account Key Deletion"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index 77a9b161b..b2abb298b 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Service Account Key Creation"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 6a2c19384..af19e82b9 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -24,7 +24,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Service Account Creation"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/iam/docs/service-accounts"]
diff --git a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
index 059bc40c6..7af1baa49 100644
--- a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
+++ b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
@@ -15,7 +15,7 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Kubernetes Rolebindings Created or Patched"
-note = """## Config
+note = """## Setup
 
 The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -31,8 +31,8 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or -io.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or +event.dataset:(googlecloud.audit or gcp.audit) and event.action:(io.k8s.authorization.rbac.v*.clusterrolebindings.create or +io.k8s.authorization.rbac.v*.rolebindings.create or io.k8s.authorization.rbac.v*.clusterrolebindings.patch or io.k8s.authorization.rbac.v*.rolebindings.patch) and event.outcome:success and not gcp.audit.authentication_info.principal_email:"system:addon-manager" ''' diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml index 077a538ff..7ab7db8d0 100644 --- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml +++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml @@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Inbox Forwarding Rule Created" -note = """## Config +note = """## Setup The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ @@ -46,7 +46,7 @@ event.category:web and event.action:"New-InboxRule" and o365.audit.Parameters.ForwardTo:* or o365.audit.Parameters.ForwardAsAttachmentTo:* or o365.audit.Parameters.RedirectTo:* - ) + ) and event.outcome:success ''' diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml index 51b3be80c..e8f9c357d 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml 
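Review bot: The `+    ) and event.outcome:success` line in the Microsoft 365 Inbox Forwarding Rule Created hunk is a detection-logic change — the rule now ignores New-InboxRule events whose outcome is not exactly the lowercase value `success` — and it sits in a commit that otherwise only renames `## Config` headings and strips trailing whitespace, so it deserves its own mention in the rule's description or the commit message. The Azure rolebinding rule earlier in this diff matches `event.outcome:(Success or success)` because its source emits mixed case; if the Office 365 integration does not guarantee a lowercase value, this narrower filter would silently stop the rule from firing, so that should be confirmed against the integration's field mapping before merging. Failed attempts to add a forwarding rule are also a defensible signal to keep, so if they are now intentionally excluded a sentence in the `note` explaining the trade-off would help analysts tune the rule. The query's opening lines are outside this hunk.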
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml @@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Attempts to Brute Force a Microsoft 365 User Account" -note = """## Config +note = """## Setup The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-using-siem"] diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml index fcc5b183a..cb87e6635 100644 --- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml +++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml @@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Potential Password Spraying of Microsoft 365 User Accounts" -note = """## Config +note = """## Setup The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" risk_score = 73 @@ -32,7 +32,7 @@ tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", type = "threshold" query = ''' -event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and +event.dataset:o365.audit and event.provider:(Exchange or AzureActiveDirectory) and event.category:authentication and event.action:("UserLoginFailed" or "PasswordLogonInitialAuthUsingPassword") ''' diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml index 59d9f49cc..61d2041dc 100644 
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "O365 Excessive Single Sign-On Logon Errors"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 risk_score = 73
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index 244705746..d152bc53a 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange DLP Policy Removed"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index dfaa30b82..1bd643578 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Malware Filter Policy Deletion"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index 2a9a65c2f..1b839998c 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Malware Filter Rule Modification"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index eae6a21df..c186b8e6f 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Safe Attachment Rule Disabled"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
index e7c2d01fa..df9ab1439 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "O365 Mailbox Audit Logging Bypass"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 71a9478f2..2b270b5ca 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Transport Rule Creation"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index dd5328a2c..e04ff860a 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Transport Rule Modification"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
index 627d4eb2b..c3e5d09d6 100644
--- a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
+++ b/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
@@ -15,7 +15,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Mass download by a single user"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index 291d86c6c..613963e93 100644
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Potential ransomware activity"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index d5d187b11..9c92c20dc 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -15,7 +15,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Unusual Volume of File Deletion"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index bc158cc46..3727a0bb1 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Anti-Phish Policy Deletion"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index 486976225..669e137ca 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Anti-Phish Rule Modification"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index 95a4a827a..5d38fb7af 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Safe Link Policy Disabled"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
index a4439500c..7a1d2a093 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
@@ -16,7 +16,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Impossible travel activity"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
index 77578bbb2..9e1591341 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
@@ -15,7 +15,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 User Restricted from Sending Email"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
index 32eb0b2df..7b739f01c 100644
--- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -18,7 +18,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "O365 Email Reported by User as Malware or Phish"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
index b39b51e49..4239655f3 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
@@ -18,7 +18,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "OneDrive Malware File Upload"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
index c8e7dd095..505427744 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
@@ -18,7 +18,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "SharePoint Malware File Upload"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml
index 0a267b2f5..a1a85e207 100644
--- a/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange DKIM Signing Configuration Disabled"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/microsoft_365_teams_custom_app_interaction_allowed.toml
index 8fe1cd55a..3d7c53f43 100644
--- a/rules/integrations/o365/microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Teams Custom Application Interaction Allowed"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"]
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index 1676327bf..15bd6afd4 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -16,7 +16,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "O365 Exchange Suspicious Mailbox Right Delegation"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 risk_score = 21
@@ -27,7 +27,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and 
+event.dataset:o365.audit and event.provider:Exchange and event.action:Add-MailboxPermission and
 o365.audit.Parameters.AccessRights:(FullAccess or SendAs or SendOnBehalf) and event.outcome:success and
 not user.id : "NT AUTHORITY\SYSTEM (Microsoft.Exchange.Servicehost)"
 '''
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index f5168d0f7..5619369f8 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Management Group Role Assignment"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index 821f25621..c4167343b 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -18,7 +18,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Global Administrator Role Assigned"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
index 75ea7049d..67bc2197d 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -22,7 +22,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Teams External Access Enabled"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index cfabf3d78..10918a90f 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Teams Guest Access Enabled"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index 7ecd5481c..d42815e8a 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -14,7 +14,7 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "New or Modified Federation Domain"
-note = """## Config
+note = """## Setup
 
 The Office 365 Logs Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -33,8 +33,8 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or 
-"Set-MsolDomainFederationSettings" or "Add-FederatedDomain" or "New-AcceptedDomain" or "Remove-AcceptedDomain" or "Remove-FederatedDomain") and 
+event.dataset:o365.audit and event.provider:Exchange and event.category:web and event.action:("Set-AcceptedDomain" or
+"Set-MsolDomainFederationSettings" or "Add-FederatedDomain" or "New-AcceptedDomain" or "Remove-AcceptedDomain" or "Remove-FederatedDomain") and
 event.outcome:success
 '''
 
diff --git a/rules/integrations/okta/attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/attempt_to_deactivate_okta_network_zone.toml
index 80092f4fe..bad6ff15c 100644
--- a/rules/integrations/okta/attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/attempt_to_deactivate_okta_network_zone.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Deactivate an Okta Network Zone"
-note = """## Config
+note = """## Setup
 
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/attempt_to_delete_okta_network_zone.toml
index ebce1cd8f..457c8c13b 100644
--- a/rules/integrations/okta/attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/attempt_to_delete_okta_network_zone.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Delete an Okta Network Zone"
-note = """## Config
+note = """## Setup
 
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 8e405ff44..d4302ebad 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -14,7 +14,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempted Bypass of Okta MFA"
-note = """## Config
+note = """## Setup
 
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 74fa9456e..8d3669b2f 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -16,7 +16,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempts to Brute Force an Okta User Account"
-note = """## Config
+note = """## Setup
 
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
index acd8a8bbf..bbdb7edf8 100644
--- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
+++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
@@ -15,7 +15,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Abuse of Repeated MFA Push Notifications"
-note = """## Config
+note = """## Setup
 
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://www.mandiant.com/resources/russian-targeting-gov-business"]
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index 4e1754a52..c183eadf5 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Okta Brute Force or Password Spraying Attack"
-note = """## Config
+note = """## Setup
 
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index ac755ab0f..01701df4b 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -17,7 +17,7 @@ interval = "15m"
 language = "kuery"
 license = "Elastic License v2"
 name = "Okta User Session Impersonation"
-note = """## Config
+note = """## Setup
 
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 07a6d7b76..982e8458a 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -7,8 +7,8 @@ integration = "okta"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
 description = """
-Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain 
-unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their 
+Identifies a high number of Okta user password reset or account unlock attempts. An adversary may attempt to obtain
+unauthorized access to Okta user accounts using these methods and attempt to blend in with normal activity in their
 target's environment and evade detection.
 """
 false_positives = [
@@ -23,7 +23,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "High Number of Okta User Password Reset or Unlock Attempts"
-note = """## Config
+note = """## Setup
 
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
@@ -86,4 +86,4 @@ reference = "https://attack.mitre.org/tactics/TA0001/"
 field = ["okta.actor.alternate_id"]
 value = 5
 
- 
+
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index 75059547b..d02dcb724 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Revoke Okta API Token"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 344bc46d6..4ceb6a981 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -14,7 +14,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Possible Okta DoS Attack"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index 1e0371d6b..3d8a299b1 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -11,7 +11,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unauthorized Access to an Okta Application"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 risk_score = 21
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index d565631a1..1d46e5fee 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -15,7 +15,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Suspicious Activity Reported by Okta User"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/okta_attempt_to_deactivate_okta_application.toml
index 873d8aa39..3243b839d 100644
--- a/rules/integrations/okta/okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/okta_attempt_to_deactivate_okta_application.toml
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Deactivate an Okta Application"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy.toml
index 27f1c7dcf..f66d5c79c 100644
--- a/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Deactivate an Okta Policy"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
index d659b89ea..1b03b7aa2 100644
--- a/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Deactivate an Okta Policy Rule"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/okta_attempt_to_delete_okta_application.toml
index 513bc21c3..1d217caeb 100644
--- a/rules/integrations/okta/okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/okta_attempt_to_delete_okta_application.toml
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Delete an Okta Application"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/okta_attempt_to_delete_okta_policy.toml
index 05130455b..3009a0610 100644
--- a/rules/integrations/okta/okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/okta_attempt_to_delete_okta_policy.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Delete an Okta Policy"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/okta_attempt_to_delete_okta_policy_rule.toml
index ba9f4c6e0..848b4cbed 100644
--- a/rules/integrations/okta/okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/okta_attempt_to_delete_okta_policy_rule.toml
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Delete an Okta Policy Rule"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/okta_attempt_to_modify_okta_application.toml
index b2ec1e9ec..7de9623c3 100644
--- a/rules/integrations/okta/okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/okta_attempt_to_modify_okta_application.toml
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Modify an Okta Application"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/okta_attempt_to_modify_okta_network_zone.toml
index 98858b363..0c253e5cc 100644
--- a/rules/integrations/okta/okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/okta_attempt_to_modify_okta_network_zone.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Modify an Okta Network Zone"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/okta_attempt_to_modify_okta_policy.toml
index 0fb7c0cc9..c1d355628 100644
--- a/rules/integrations/okta/okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/okta_attempt_to_modify_okta_policy.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Modify an Okta Policy"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/okta_attempt_to_modify_okta_policy_rule.toml
index 1d27bc0a9..ba4e123b9 100644
--- a/rules/integrations/okta/okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/okta_attempt_to_modify_okta_policy_rule.toml
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Modify an Okta Policy Rule"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index a26e9880c..74b64f3f2 100644
--- a/rules/integrations/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Modification or Removal of an Okta Application Sign-On Policy"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
index cb839b2fe..4931d2f79 100644
--- a/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
+++ b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
@@ -15,7 +15,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Threat Detected by Okta ThreatInsight"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index cd9ed22e1..0e0743422 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Administrator Privileges Assigned to an Okta Group"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index da1202900..2d04368f2 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Administrator Role Assigned to an Okta User"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index a108f451e..c24a7c895 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Create Okta API Token"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index afd22d362..4d46e0381 100644
--- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -20,7 +20,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Deactivate MFA for an Okta User Account"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index f77ad1b3f..82a72dfe7 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -21,7 +21,7 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Reset MFA Factors for an Okta User Account"
-note = """## Config
+note = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index 5ab1e77fc..d38d0b831 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -15,7 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Protocol Tunneling via EarthWorm"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 248a08d5f..2285b7da3 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -16,7 +16,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential OpenSSH Backdoor Logging Activity"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -36,24 +36,24 @@ file where event.type == "change" and process.executable : ("/usr/sbin/sshd", "/
 (
 file.name : (".*", "~*") or
 file.extension : ("in", "out", "ini", "h", "gz", "so", "sock", "sync", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9") or
- file.path :
+ file.path :
 (
- "/private/etc/*--",
- "/usr/share/*",
- "/usr/include/*",
- "/usr/local/include/*",
- "/private/tmp/*",
+ "/private/etc/*--",
+ "/usr/share/*",
+ "/usr/include/*",
+ "/usr/local/include/*",
+ "/private/tmp/*",
 "/private/var/tmp/*",
- "/usr/tmp/*",
- "/usr/share/man/*",
- "/usr/local/share/*",
- "/usr/lib/*.so.*",
+ "/usr/tmp/*",
+ "/usr/share/man/*",
+ "/usr/local/share/*",
+ "/usr/lib/*.so.*",
 "/private/etc/ssh/.sshd_auth",
- "/usr/bin/ssd",
- "/private/var/opt/power",
- "/private/etc/ssh/ssh_known_hosts",
- "/private/var/html/lol",
- "/private/var/log/utmp",
+ "/usr/bin/ssd",
+ "/private/var/opt/power",
+ "/private/etc/ssh/ssh_known_hosts",
+ "/private/var/html/lol",
+ "/private/var/log/utmp",
 "/private/var/lib",
 "/var/run/sshd/sshd.pid",
 "/var/run/nscd/ns.pid",
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index f13b8d58b..7b4c2af3f 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -24,7 +24,7 @@ language = "eql"
 license = "Elastic License v2"
 max_signals = 33
 name = "Creation of Hidden Files and Directories"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index 6006301d9..db66f9baf 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "System Log File Deletion"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -29,17 +29,17 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-file where event.type == "deletion" and
- file.path :
+file where event.type == "deletion" and
+ file.path :
 (
- "/var/run/utmp",
- "/var/log/wtmp",
- "/var/log/btmp",
- "/var/log/lastlog",
+ "/var/run/utmp",
+ "/var/log/wtmp",
+ "/var/log/btmp",
+ "/var/log/lastlog",
 "/var/log/faillog",
- "/var/log/syslog",
- "/var/log/messages",
- "/var/log/secure",
+ "/var/log/syslog",
+ "/var/log/messages",
+ "/var/log/secure",
 "/var/log/auth.log"
 )
 '''
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index 5cce07017..ad66ab685 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -62,7 +62,7 @@ Initiate the incident response process based on the outcome of the triage.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Config
+## Setup
 The session view analysis for the command alerted is avalible in versions 8.2 and above.
 """
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 6d153d9cf..2434c1352 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via KDE AutoStart Script or Desktop File Modification"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index dcd7a6d42..6f598bd5c 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access of Stored Browser Credentials"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -30,17 +30,17 @@ query = '''
 process where event.type in ("start", "process_started") and
 process.args :
 (
- "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data",
- "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies",
- "/Users/*/Library/Cookies*",
- "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite",
- "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db",
- "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json",
+ "/Users/*/Library/Application Support/Google/Chrome/Default/Login Data",
+ "/Users/*/Library/Application Support/Google/Chrome/Default/Cookies",
+ "/Users/*/Library/Cookies*",
+ "/Users/*/Library/Application Support/Firefox/Profiles/*.default/cookies.sqlite",
+ "/Users/*/Library/Application Support/Firefox/Profiles/*.default/key*.db",
+ "/Users/*/Library/Application Support/Firefox/Profiles/*.default/logins.json",
 "Login Data",
- "Cookies.binarycookies",
- "key4.db",
- "key3.db",
- "logins.json",
+ "Cookies.binarycookies",
+ "key4.db",
+ "key3.db",
+ "logins.json",
 "cookies.sqlite"
 )
 '''
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index 1fcd9eff3..95dc17790 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -15,7 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Access to Keychain Credentials Directories"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index 7e187a506..a44761bef 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -15,7 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Dumping of Keychain Content via Security Command"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index 5001a9ed7..0e5f6b7d0 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -16,7 +16,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Keychain Password Retrieval via Command Line"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index b356f19cc..bc2ee9eb7 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Prompt for Credentials with OSASCRIPT"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 46fc5e15b..df4655ad2 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -15,7 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Remove File Quarantine Attribute"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index a7e042577..38750e8c3 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -15,7 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via TCCDB Modification"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and process.name : "sqlite*" and
+process where event.type in ("start", "process_started") and process.name : "sqlite*" and
 process.args : "/*/Application Support/com.apple.TCC/TCC.db"
 '''
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index a8d505fcc..6c160808b 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -15,7 +15,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privacy Control Bypass via Localhost Secure Copy"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -30,9 +30,9 @@ timestamp_override = "event.ingested"
 type = "eql"
 query = '''
-process where event.type in ("start", "process_started") and
+process where event.type in ("start", "process_started") and
 process.name:"scp" and
- process.args:"StrictHostKeyChecking=no" and
+ process.args:"StrictHostKeyChecking=no" and
 process.command_line:("scp *localhost:/*", "scp *127.0.0.1:/*") and
 not process.args:"vagrant@*127.0.0.1*"
 '''
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 3c4fbb08e..b0fe70db9 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
@@ -11,7 +11,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Enumeration of Users or Groups via Built-in Commands"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -24,16 +24,16 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
- not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
+ not process.parent.executable : ("/Applications/NoMAD.app/Contents/MacOS/NoMAD",
 "/Applications/ZoomPresence.app/Contents/MacOS/ZoomPresence",
 "/Applications/Sourcetree.app/Contents/MacOS/Sourcetree",
 "/Library/Application Support/JAMF/Jamf.app/Contents/MacOS/JamfDaemon.app/Contents/MacOS/JamfDaemon",
 "/Applications/Jamf Connect.app/Contents/MacOS/Jamf Connect",
 "/usr/local/jamf/bin/jamf"
- ) and
+ ) and
 process.name : ("ldapsearch", "dsmemberutil") or
- (process.name : "dscl" and
- process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and
+ (process.name : "dscl" and
+ process.args : ("read", "-read", "list", "-list", "ls", "search", "-search") and
 process.args : ("/Active Directory/*", "/Users*", "/Groups*"))
 '''
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index a193d2d56..4c9642cee 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Attempt to Mount SMB Share via Command Line"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 4920e0dcd..d2c689562 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -11,7 +11,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Virtual Private Network Connection Attempt"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index c30ff647b..01451501a 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation of Hidden Login Item via Apple Script"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 7221f26a1..48fcbcafd 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Emond Rules Creation or Modification" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml index fcef6f4f7..0de21067d 100644 --- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml +++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml @@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Creation of Hidden Launch Agent or Daemon" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -30,7 +30,7 @@ type = "eql" query = ''' file where event.type != "deletion" and - file.path : + file.path : ( "/System/Library/LaunchAgents/.*.plist", "/Library/LaunchAgents/.*.plist", diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml index 5e6dedb34..38b4b1d16 100644 --- a/rules/macos/persistence_login_logout_hooks_defaults.toml +++ b/rules/macos/persistence_login_logout_hooks_defaults.toml 
@@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Persistence via Login or Logout Hook" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml index d2c1057f2..14e31a872 100644 --- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml +++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml @@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Sublime Plugin or Application Script Modification" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ 
@@ -28,17 +28,17 @@ type = "eql" query = ''' file where event.type in ("change", "creation") and file.extension : "py" and - file.path : + file.path : ( - "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py", + "/Users/*/Library/Application Support/Sublime Text*/Packages/*.py", "/Applications/Sublime Text.app/Contents/MacOS/sublime.py" ) and - not process.executable : + not process.executable : ( - "/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*", - "/usr/local/Cellar/git/*/bin/git", - "/usr/libexec/xpcproxy", - "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper", + "/Applications/Sublime Text*.app/Contents/MacOS/Sublime Text*", + "/usr/local/Cellar/git/*/bin/git", + "/usr/libexec/xpcproxy", + "/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper", "/Applications/Sublime Text.app/Contents/MacOS/plugin_host" ) ''' diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml index facf2413a..134ff9d8c 100644 --- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml +++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml @@ -24,7 +24,7 @@ as a download of a payload from a server. identify whether the file is malicious or not. -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml index 42b678a20..995245bb5 100644 --- a/rules/macos/persistence_screensaver_plist_file_modification.toml 
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml @@ -21,7 +21,7 @@ note = """## Triage and analysis - Investigate the process that modified the plist file for malicious code or other suspicious behavior - Identify if any suspicious or known malicious screensaver (.saver) files were recently written to or modified on the host -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml index e1875149d..537ec8cdc 100644 --- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml +++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml @@ -14,7 +14,7 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "eql" license = "Elastic License v2" name = "Apple Scripting Execution with Administrator Privileges" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml index 6ce29e2c4..90ecee9d6 100644 --- a/rules/network/initial_access_unsecure_elasticsearch_node.toml +++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml 
@@ -20,7 +20,7 @@ index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License v2" name = "Inbound Connection to an Unsecure Elasticsearch Node" -note = """## Config +note = """## Setup This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation.""" references = [ diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index a905fd663..5cb676cd0 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -65,7 +65,7 @@ persistence mechanisms, and malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 9a8958161..d97c9cd9b 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml 
@@ -61,15 +61,15 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` @@ -88,7 +88,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and +event.category:process and powershell.file.script_block_text : ( "Get-MicrophoneAudio" or (waveInGetNumDevs and mciSendStringA) ) diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index b3393a299..c61454c42 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -61,15 +61,15 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` 
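Review bot: The context line `Steps to implement the logging policy with with Advanced Audit Configuration:` in the renamed Setup section of collection_posh_audio_capture.toml carries a doubled "with", and since this hunk already rewrites the lines around it, the heading rename is a natural moment to correct it to `Steps to implement the logging policy with Advanced Audit Configuration:`. The same duplicated word sits in the equivalent Setup sections of collection_posh_keylogger.toml and collection_posh_screen_grabber.toml in the following hunks, and again in credential_access_mimikatz_powershell_module.toml, credential_access_posh_minidump.toml and credential_access_posh_request_ticket.toml further down. If the Setup text is now parsed and validated by the tooling, fixing the wording in the same pass avoids a second round of edits to these note fields.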
@@ -91,9 +91,9 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and - ( - powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or "Get-Keystrokes") or +event.category:process and + ( + powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or "Get-Keystrokes") or powershell.file.script_block_text : ( (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and (GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL") diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index 14e8394af..ea98f15c1 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml @@ -60,15 +60,15 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` @@ -87,7 +87,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and +event.category:process and powershell.file.script_block_text : ( CopyFromScreen and ("System.Drawing.Bitmap" or "Drawing.Bitmap") diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index d08b4e1c4..5ca39206e 100644 --- a/rules/windows/collection_winrar_encryption.toml +++ b/rules/windows/collection_winrar_encryption.toml 
@@ -56,7 +56,7 @@ malware components. mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml index 80836a43f..8979e423b 100644 --- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml +++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Connection to Commonly Abused Free SSL Certificate Providers" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -29,7 +29,7 @@ query = ''' network where network.protocol == "dns" and /* Add new free SSL certificate provider domains here */ dns.question.name : ("*letsencrypt.org", "*.sslforfree.com", "*.zerossl.com", "*.freessl.org") and - + /* Native Windows process paths that are unlikely to have network connections to domains secured using free SSL certificates */ process.executable : ("C:\\Windows\\System32\\*.exe", "C:\\Windows\\System\\*.exe", 
@@ -37,7 +37,7 @@ network where network.protocol == "dns" and "C:\\Windows\\Microsoft.NET\\Framework*\\*.exe", "C:\\Windows\\explorer.exe", "C:\\Windows\\notepad.exe") and - + /* Insert noisy false positives here */ not process.name : ("svchost.exe", "MicrosoftEdge*.exe", "msedge.exe") ''' diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml index 35fd2cbfc..187f2ac78 100644 --- a/rules/windows/command_and_control_port_forwarding_added_registry.toml +++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml @@ -67,7 +67,7 @@ systems, and web services. mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml index a023cfc3f..144464a55 100644 --- a/rules/windows/command_and_control_rdp_tunnel_plink.toml +++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml @@ -59,7 +59,7 @@ malware components. mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml index ff6444780..387e42187 100644 --- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml 
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml @@ -72,7 +72,7 @@ malware components. mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml index 35307e9cd..bf99ab3ba 100644 --- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml +++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml @@ -64,7 +64,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml index 86db5954e..92d7cd735 100644 --- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml +++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml 
@@ -65,7 +65,7 @@ systems, and web services. mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml index 60f8acb4a..249e2ddce 100644 --- a/rules/windows/credential_access_cmdline_dump_tool.toml +++ b/rules/windows/credential_access_cmdline_dump_tool.toml @@ -62,7 +62,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml index 303378e4c..4859ea0c8 100644 --- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml +++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml @@ -15,7 +15,7 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "NTDS or SAM Database File Copied" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ 
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml index 5da1ecc1f..99628ad60 100644 --- a/rules/windows/credential_access_dcsync_replication_rights.toml +++ b/rules/windows/credential_access_dcsync_replication_rights.toml @@ -25,7 +25,7 @@ automatically transferred to other domain controllers that store the same data. Active Directory data consists of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. Objects are defined by the values of their attributes, and changes to attribute values must be transferred from the domain -controller on which they occur to every other domain controller that stores a replica of an affected object. +controller on which they occur to every other domain controller that stores a replica of an affected object. Adversaries can use the DCSync technique that uses Windows Domain Controller's API to simulate the replication process from a remote domain controller, compromising major credential material such as the Kerberos krbtgt keys used 
@@ -39,7 +39,7 @@ More details can be found on [Threat Hunter Playbook](https://threathunterplaybo This rule monitors for Event ID 4662 (Operation was performed on an Active Directory object) and identifies events that use the access mask 0x100 (Control Access) and properties that contain at least one of the following or their equivalent: Schema-Id-GUID (DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, DS-Replication-Get-Changes-In-Filtered-Set). -It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)). +It also filters out events that use computer accounts and also Azure AD Connect MSOL accounts (more details [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/ad-connect-msol-user-suspected-dcsync-attack/m-p/788028)). #### Possible investigation steps @@ -51,7 +51,7 @@ It also filters out events that use computer accounts and also Azure AD Connect came from another DC or not. - Scope which credentials were compromised (for example, whether all accounts were replicated or specific ones). -### False positive analysis +### False positive analysis - This activity should not happen legitimately, since replication should be done by Domain Controllers only. Any potential benign true positive (B-TP) should be mapped and monitored by the security team. Any account that performs @@ -74,7 +74,7 @@ information to scope ways that the attacker could use to regain access to the en - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: 
@@ -121,8 +121,8 @@ any where event.action == "Directory Service Access" and "*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*", "*1131f6aa-9c07-11d1-f79f-00c04fc2dcd2*", - "*89e95b76-444d-4c62-991a-0facbeda640c*") - + "*89e95b76-444d-4c62-991a-0facbeda640c*") + /* The right to perform an operation controlled by an extended access right. */ and winlog.event_data.AccessMask : "0x100" and diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml index b666564e1..a3bbfb742 100644 --- a/rules/windows/credential_access_disable_kerberos_preauth.toml +++ b/rules/windows/credential_access_disable_kerberos_preauth.toml @@ -53,19 +53,19 @@ systems, and web services. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'Audit User Account Management' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: ``` -Computer Configuration > -Policies > -Windows Settings > -Security Settings > -Advanced Audit Policies Configuration > -Audit Policies > -Account Management > +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Account Management > Audit User Account Management (Success,Failure) ``` """ diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml index 798eae787..4992858da 100644 --- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml +++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml 
@@ -18,7 +18,7 @@ note = """## Triage and analysis Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys. -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml index 2e70f0f6a..40dd670c3 100644 --- a/rules/windows/credential_access_dump_registry_hives.toml +++ b/rules/windows/credential_access_dump_registry_hives.toml @@ -59,7 +59,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml index 5ef415e12..224df3d85 100644 --- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml +++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml 
@@ -15,7 +15,7 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Microsoft IIS Service Account Password Dumped" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -29,7 +29,7 @@ type = "eql" query = ''' process where event.type in ("start", "process_started") and - (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and + (process.name : "appcmd.exe" or process.pe.original_file_name == "appcmd.exe") and process.args : "/list" and process.args : "/text*password" ''' diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml index 7c39a1811..eba67d253 100644 --- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml +++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml @@ -16,7 +16,7 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "Microsoft IIS Connection Strings Decryption" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml index 8c6d564fb..6343b0bbe 100644 --- a/rules/windows/credential_access_kerberoasting_unusual_process.toml +++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml 
@@ -74,7 +74,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml index d276f7f67..7d2f763e0 100644 --- a/rules/windows/credential_access_lsass_memdump_handle_access.toml +++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml @@ -28,7 +28,7 @@ password changes, and creates access tokens. Adversaries may attempt to access credential material stored in LSASS process memory. After a user logs on,the system generates and stores a variety of credential materials in LSASS process memory. This is meant to facilitate single sign-on (SSO) ensuring a user isn’t prompted each time resource access is requested. These credential materials can be -harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using +harvested by an adversary using administrative user or SYSTEM privileges to conduct lateral movement using [alternate authentication material](https://attack.mitre.org/techniques/T1550/). #### Possible investigation steps 
@@ -74,7 +74,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup Ensure advanced audit policies for Windows are enabled, specifically: Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested) diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml index 049b89fa1..f4ddafe66 100644 --- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml +++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml @@ -64,7 +64,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml index 3455df446..edde3a347 100644 --- a/rules/windows/credential_access_mimikatz_powershell_module.toml +++ b/rules/windows/credential_access_mimikatz_powershell_module.toml 
@@ -75,16 +75,16 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be configured (Enable). Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml index 8eb2e6094..07217949c 100644 --- a/rules/windows/credential_access_mod_wdigest_security_provider.toml +++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml @@ -73,7 +73,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -91,7 +91,7 @@ type = "eql" query = ''' registry where event.type : ("creation", "change") and - registry.path : + registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Control\\SecurityProviders\\WDigest\\UseLogonCredential" and registry.data.strings : ("1", "0x00000001") ''' diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml index 1e1f3cf69..fbc289771 100644 --- a/rules/windows/credential_access_posh_minidump.toml +++ b/rules/windows/credential_access_posh_minidump.toml 
@@ -60,15 +60,15 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml index ba6bf6d32..52aeb5f57 100644 --- a/rules/windows/credential_access_posh_request_ticket.toml +++ b/rules/windows/credential_access_posh_request_ticket.toml @@ -59,15 +59,15 @@ systems, and web services. Prioritize privileged accounts. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` @@ -89,7 +89,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and +event.category:process and powershell.file.script_block_text : ( KerberosRequestorSecurityToken ) diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml index b6858b937..6222ee588 100644 --- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml 
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential Credential Access via DuplicateHandle in LSASS" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -27,7 +27,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.code == "10" and +process where event.code == "10" and /* LSASS requesting DuplicateHandle access right to another process */ process.name : "lsass.exe" and winlog.event_data.GrantedAccess == "0x40" and diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml index d85b01531..48876d9a2 100644 --- a/rules/windows/credential_access_remote_sam_secretsdump.toml +++ b/rules/windows/credential_access_remote_sam_secretsdump.toml @@ -20,7 +20,7 @@ note = """## Triage and analysis ### Investigating Potential Remote Credential Access via Registry -Dumping registry hives is a common way to access credential information. Some hives store credential material, +Dumping registry hives is a common way to access credential information. Some hives store credential material, such as the SAM hive, which stores locally cached credentials (SAM secrets), and the SECURITY hive, which stores domain cached credentials (LSA secrets). Dumping these hives in combination with the SYSTEM hive enables the attacker to decrypt these secrets. 
@@ -61,7 +61,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup This rule uses Elastic Endpoint file creation and system integration events for correlation. Both data should be collected from the host for this detection to work. diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml index 9d0613066..1f317a28b 100644 --- a/rules/windows/credential_access_saved_creds_vaultcmd.toml +++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml @@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Searching for Saved Credentials via VaultCmd" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml index 257a8a15d..498a1ca0a 100644 --- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml +++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml @@ -36,7 +36,7 @@ delegation**. It is critical to control the assignment of this privilege. A user with this privilege and write access to a computer can control delegation settings, perform the attacks described above, and harvest TGTs from any user that connects to -the system. +the system. #### Possible investigation steps 
@@ -63,7 +63,7 @@ environment legitimately, the security team should notify the administrators abo - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'Audit Authorization Policy Change' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml index f2403abf2..eb8ba1019 100644 --- a/rules/windows/credential_access_shadow_credentials.toml +++ b/rules/windows/credential_access_shadow_credentials.toml @@ -21,19 +21,19 @@ index = ["winlogbeat-*", "logs-system.*"] language = "kuery" license = "Elastic License v2" name = "Potential Shadow Credentials added to AD Object" -note = """## Config +note = """## Setup The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: ``` -Computer Configuration > -Policies > -Windows Settings > -Security Settings > -Advanced Audit Policies Configuration > -Audit Policies > -DS Access > +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +DS Access > Audit Directory Service Changes (Success,Failure) ``` diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml index ca058b37e..b7294aac8 100644 --- a/rules/windows/credential_access_spn_attribute_modified.toml +++ b/rules/windows/credential_access_spn_attribute_modified.toml 
@@ -54,7 +54,7 @@ Domain Administrators that define this kind of setting can put the domain at ris security standards as computer accounts (which have long, complex, random passwords that change frequently), exposing them to credential cracking attacks (Kerberoasting, brute force, etc.). -### Response and remediation +### Response and remediation - Initiate the incident response process based on the outcome of the triage. - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are @@ -65,7 +65,7 @@ systems, and web services. Prioritize privileged accounts. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: @@ -104,7 +104,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.action:"Directory Service Changes" and event.code:5136 and winlog.event_data.ObjectClass:"user" +event.action:"Directory Service Changes" and event.code:5136 and winlog.event_data.ObjectClass:"user" and winlog.event_data.AttributeLDAPDisplayName:"servicePrincipalName" ''' diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml index 3a5a841b1..2d94e68d0 100644 --- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml +++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml 
@@ -16,7 +16,7 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential Credential Access via Renamed COM+ Services DLL" -note = """## Config +note = """## Setup You will need to enable logging of ImageLoads in your Sysmon configuration to include COMSVCS.DLL by Imphash or Original File Name.""" diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml index 2e2b46b69..bc9c9a1c3 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential Credential Access via LSASS Memory Dump" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -31,10 +31,10 @@ type = "eql" query = ''' process where event.code == "10" and winlog.event_data.TargetImage : "?:\\WINDOWS\\system32\\lsass.exe" and - + /* DLLs exporting MiniDumpWriteDump API to create an lsass mdmp*/ winlog.event_data.CallTrace : ("*dbghelp*", "*dbgcore*") and - + /* case of lsass crashing */ not process.executable : ("?:\\Windows\\System32\\WerFault.exe", "?:\\Windows\\System32\\WerFaultSecure.exe") ''' diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml index f0b9bb07e..e07435001 100644 --- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml +++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml 
@@ -18,7 +18,7 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "kuery" license = "Elastic License v2" name = "Potential LSASS Memory Dump via PssCaptureSnapShot" -note = """## Config +note = """## Setup This is meant to run only on datasources using Elastic Agent 7.14+ since versions prior to that will be missing the threshold rule cardinality feature.""" diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml index bc48f88d2..fef63ce6c 100644 --- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml +++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml @@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-system.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Remote Registry Access via SeBackupPrivilege" -note = """## Config +note = """## Setup The 'Audit Detailed File Share' audit policy is required be configured (Success) on Domain Controllers and Sensitive Windows Servers. Steps to implement the logging policy with with Advanced Audit Configuration: diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml index 7d6c80504..9d9ec54cc 100644 --- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml +++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml 
@@ -41,11 +41,11 @@ for prevalence, whether they are located in expected locations, and if they are - This rule should cause very few false positives. Benign true positives (B-TPs) can be added as exceptions if necessary. -### Related rules +### Related rules - NTDS or SAM Database File Copied - 3bc6deaa-fbd4-433a-ae21-3e892f95624f -### Response and remediation +### Response and remediation - Initiate the incident response process based on the outcome of the triage. - Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are 
@@ -62,28 +62,28 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup Ensure advanced audit policies for Windows are enabled, specifically: -Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested) - -``` -Computer Configuration > -Policies > -Windows Settings > -Security Settings > -Advanced Audit Policies Configuration > -System Audit Policies > -Object Access > -Audit File System (Success,Failure) -Audit Handle Manipulation (Success,Failure) -``` - -This event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments. -Direct access to a shell and calling symbolic link creation tools will not generate an event matching this rule. +Object Access policies [Event ID 4656](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4656) (Handle to an Object was Requested) + +``` +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +System Audit Policies > +Object Access > +Audit File System (Success,Failure) +Audit Handle Manipulation (Success,Failure) +``` + +This event will only trigger if symbolic links are created from a new process spawning cmd.exe or powershell.exe with the correct arguments. +Direct access to a shell and calling symbolic link creation tools will not generate an event matching this rule. If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. 
-""" +""" references = [ "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mklink", "https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Kheirkhabarov_Hunting_for_Credentials_Dumping_in_Windows_Environment.pdf", @@ -98,9 +98,9 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start","process_created") and - process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE") and - +process where event.type in ("start","process_created") and + process.pe.original_file_name in ("Cmd.Exe","PowerShell.EXE") and + /* Create Symbolic Link to Shadow Copies */ process.args : ("*mklink*", "*SymbolicLink*") and process.command_line : ("*HarddiskVolumeShadowCopy*") ''' diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml index b46682219..89b1c2be6 100644 --- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml +++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml @@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential LSASS Clone Creation via PssCaptureSnapShot" -note = """## Config +note = """## Setup This is meant to run only on datasources using Windows security event 4688 that captures the process clone creation. diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml index 7d4be2a4f..2cde9436b 100644 --- a/rules/windows/defense_evasion_amsienable_key_mod.toml +++ b/rules/windows/defense_evasion_amsienable_key_mod.toml 
@@ -72,7 +72,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml index eb86821a9..e3de73a4d 100644 --- a/rules/windows/defense_evasion_clearing_windows_console_history.toml +++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml @@ -54,7 +54,7 @@ malware components. mean time to respond (MTTR). - Ensure that PowerShell auditing policies and log collection are in place to grant future visibility. -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index 29644b707..ff9e41864 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml 
@@ -56,7 +56,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_code_injection_conhost.toml b/rules/windows/defense_evasion_code_injection_conhost.toml index 47028d052..94157ed4c 100644 --- a/rules/windows/defense_evasion_code_injection_conhost.toml +++ b/rules/windows/defense_evasion_code_injection_conhost.toml @@ -68,7 +68,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml index cbfbd3077..5dd316011 100644 --- a/rules/windows/defense_evasion_create_mod_root_certificate.toml +++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml 
@@ -16,7 +16,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Creation or Modification of Root Certificate" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml index ca20d35fd..724ca94a6 100644 --- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml +++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml @@ -60,7 +60,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml index c67ccaa05..e9e6d2edf 100644 --- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml +++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml 
@@ -22,7 +22,7 @@ Microsoft Windows Defender is an antivirus product built into Microsoft Windows. used to prevent and stop malware, it's important to monitor what specific exclusions are made to the product's configuration settings. These can often be signs of an adversary or malware trying to bypass Windows Defender's capabilities. One of the more notable [examples](https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/) -was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection. +was observed in 2018 where Trickbot incorporated mechanisms to disable Windows Defender to avoid detection. #### Possible investigation steps @@ -71,10 +71,10 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. -""" +""" references = ["https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf"] risk_score = 47 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index 6d4b91dff..1b9d1c547 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml 
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Delete Volume USN Journal with Fsutil" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -27,7 +27,7 @@ type = "eql" query = ''' process where event.type in ("start", "process_started") and - (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and + (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and process.args : "deletejournal" and process.args : "usn" ''' diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml index 8ff73aa37..41011adf8 100644 --- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml +++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml @@ -59,16 +59,16 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be configured (Enable). Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` 
@@ -92,7 +92,7 @@ type = "eql" query = ''' registry where event.type == "change" and - registry.path : + registry.path : "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\\EnableScriptBlockLogging" and registry.data.strings : ("0", "0x00000000") ''' diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml index 84309ff20..dc98a8dc7 100644 --- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml +++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml @@ -48,7 +48,7 @@ troubleshooting. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml index 129f61bdb..9dd37de19 100644 --- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml +++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml 
@@ -59,7 +59,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml index d28ece6f5..b23c86bc7 100644 --- a/rules/windows/defense_evasion_disabling_windows_logs.toml +++ b/rules/windows/defense_evasion_disabling_windows_logs.toml @@ -51,7 +51,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -75,7 +75,7 @@ process where event.type in ("start", "process_started") and ((process.name : ("pwsh.exe", "powershell.exe", "powershell_ise.exe") or process.pe.original_file_name in ("pwsh.exe", "powershell.exe", "powershell_ise.exe")) and process.args : "Set-Service" and process.args: "EventLog" and process.args : "Disabled") or - + ((process.name:"auditpol.exe" or process.pe.original_file_name == "AUDITPOL.EXE") and process.args : "/success:disable") ''' diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml index e21d5badd..560f2d795 100644 
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml +++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml @@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "DNS-over-HTTPS Enabled via Registry" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml index 915546e03..588a78273 100644 --- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml +++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml @@ -11,7 +11,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious .NET Code Compilation" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml index 2c5386fa2..ba0d52245 100644 --- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml 
@@ -56,7 +56,7 @@ of it, whether RDP should be open, and whether the action exposes the environmen - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml index cc0642844..0592b61ba 100644 --- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml +++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml @@ -54,7 +54,7 @@ systems, and web services. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml index 60edb4f93..fe35337eb 100644 --- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml +++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml 
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Control Panel Process with Unusual Arguments" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml index 6e62f03dc..bac0405d7 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml @@ -84,7 +84,7 @@ persistence mechanisms, and malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml index 570b332e3..a62d75041 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml 
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by a Script Process" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml index af7669a29..8752c8e19 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml @@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started by a System Process" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml index e78bff4f4..b14688c4b 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml 
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Using an Alternate Name" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml index 0029e4ae4..b096c92c1 100755 --- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml +++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml @@ -20,7 +20,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Microsoft Build Engine Started an Unusual Process" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml index c96c59d81..955a53ea7 100644 --- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml +++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml 
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential DLL SideLoading via Trusted Microsoft Programs" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml index da683c076..387b75639 100644 --- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml +++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml @@ -16,7 +16,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential DLL Side-Loading via Microsoft Antimalware Service Executable" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml index a228af30b..4045980b6 100644 --- a/rules/windows/defense_evasion_file_creation_mult_extension.toml +++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml 
@@ -17,7 +17,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Executable File Creation with Multiple Extensions" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml index 0f9cb0ad8..c31f119af 100644 --- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml +++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml @@ -15,7 +15,7 @@ language = "eql" license = "Elastic License v2" max_signals = 33 name = "IIS HTTP Logging Disabled" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml index 19cc06ea5..f62ca5f74 100644 --- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml +++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml 
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Endpoint Security Parent Process" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -30,9 +30,9 @@ process where event.type in ("start", "process_started", "info") and process.name : ("esensor.exe", "elastic-endpoint.exe") and process.parent.executable != null and /* add FPs here */ - not process.parent.executable : ("C:\\Program Files\\Elastic\\*", - "C:\\Windows\\System32\\services.exe", - "C:\\Windows\\System32\\WerFault*.exe", + not process.parent.executable : ("C:\\Program Files\\Elastic\\*", + "C:\\Windows\\System32\\services.exe", + "C:\\Windows\\System32\\WerFault*.exe", "C:\\Windows\\System32\\wermgr.exe") ''' diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml index 4d06b644f..0828749b9 100644 --- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml +++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Renamed AutoIt Scripts Interpreter" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ 
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml index 13b26cec6..c33ccef3d 100644 --- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml +++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml @@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious WerFault Child Process" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml index 8ec8fe386..e7161d089 100644 --- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml +++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml @@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Program Files Directory Masquerading" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml index cb96667c1..5d7a7ba29 100644 --- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml 
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml @@ -62,7 +62,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml index 996b9a33e..31ee40955 100644 --- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml +++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml @@ -78,7 +78,7 @@ malware components. mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -94,7 +94,7 @@ registry where event.type == "change" and registry.path : ( "HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\AccessVBOM", "HKU\\S-1-5-21-*\\SOFTWARE\\Microsoft\\Office\\*\\Security\\VbaWarnings" - ) and + ) and registry.data.strings == "0x00000001" and process.name : ("cscript.exe", "wscript.exe", "mshta.exe", "mshta.exe", "winword.exe", "excel.exe") ''' diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml index 45bbc12d8..238e72e3a 100644 --- a/rules/windows/defense_evasion_posh_assembly_load.toml +++ b/rules/windows/defense_evasion_posh_assembly_load.toml 
@@ -75,15 +75,15 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` @@ -104,7 +104,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and +event.category:process and powershell.file.script_block_text : ( "[System.Reflection.Assembly]::Load" or "[Reflection.Assembly]::Load" diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml index 84b8ed33c..b486d12cf 100644 --- a/rules/windows/defense_evasion_posh_compressed.toml +++ b/rules/windows/defense_evasion_posh_compressed.toml @@ -6,7 +6,7 @@ updated_date = "2022/05/21" [rule] author = ["Elastic"] description = """ -Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which +Identifies the use of .NET functionality for decompression and base64 decoding combined in PowerShell scripts, which malware and security tools heavily use to deobfuscate payloads and load them directly in memory to bypass defenses. """ false_positives = ["Legitimate PowerShell Scripts which makes use of compression and encoding."] 
@@ -76,15 +76,15 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` @@ -102,7 +102,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and +event.category:process and powershell.file.script_block_text : ( ( "System.IO.Compression.DeflateStream" or diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml index 6cf868e41..97779af30 100644 --- a/rules/windows/defense_evasion_posh_process_injection.toml +++ b/rules/windows/defense_evasion_posh_process_injection.toml @@ -6,7 +6,7 @@ updated_date = "2022/05/09" [rule] author = ["Elastic"] description = """ -Detects the use of Windows API functions that are commonly abused by malware and security tools to load +Detects the use of Windows API functions that are commonly abused by malware and security tools to load malicious code or inject it into remote processes. """ false_positives = ["Legitimate PowerShell scripts that make use of these functions."] 
@@ -62,15 +62,15 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` @@ -93,7 +93,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and +event.category:process and powershell.file.script_block_text : ( (VirtualAlloc or VirtualAllocEx or VirtualProtect or LdrLoadDll or LoadLibrary or LoadLibraryA or LoadLibraryEx or GetProcAddress or OpenProcess or OpenProcessToken or AdjustTokenPrivileges) and diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml index 1506f9588..481f5dfae 100644 --- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml +++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml @@ -61,7 +61,7 @@ systems, and web services. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml index 9702ae6cc..20efeb6c2 100644 
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml +++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml @@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Microsoft Diagnostics Wizard Execution" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -34,7 +34,7 @@ process where event.type in ("start", "process_started") and ( process.args : ("IT_RebrowseForFile=*", "ms-msdt:/id", "ms-msdt:-id", "*FromBase64*") or - (process.args : "-af" and process.args : "/skip" and + (process.args : "-af" and process.args : "/skip" and process.parent.name : ("explorer.exe", "cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe") and process.args : ("?:\\WINDOWS\\diagnostics\\index\\PCWDiagnostic.xml", "PCWDiagnostic.xml", "?:\\Users\\Public\\*", "?:\\Windows\\Temp\\*")) or diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml index d1381a9d7..8b069e3c1 100644 --- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml +++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml 
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Scheduled Tasks AT Command Enabled" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -28,8 +28,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -registry where - registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" and +registry where + registry.path : "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Configuration\\EnableAt" and registry.data.strings : ("1", "0x00000001") ''' diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml index 7854fb63d..26ba3a776 100644 --- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml +++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml @@ -18,7 +18,7 @@ note = """## Triage and analysis Verify process details such as command line and hash to confirm this activity legitimacy. -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml index 0448d44be..2b4a23fcc 100644 --- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml 
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "SolarWinds Process Disabling Services via Registry" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -32,12 +32,12 @@ query = ''' registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and registry.data.strings : ("4", "0x00000004") and process.name : ( - "SolarWinds.BusinessLayerHost*.exe", - "ConfigurationWizard*.exe", - "NetflowDatabaseMaintenance*.exe", - "NetFlowService*.exe", - "SolarWinds.Administration*.exe", - "SolarWinds.Collector.Service*.exe" , + "SolarWinds.BusinessLayerHost*.exe", + "ConfigurationWizard*.exe", + "NetflowDatabaseMaintenance*.exe", + "NetFlowService*.exe", + "SolarWinds.Administration*.exe", + "SolarWinds.Collector.Service*.exe" , "SolarwindsDiagnostics*.exe") ''' diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml index 37f1cd258..9c8718992 100644 --- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml +++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml 
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Execution from a Mounted Device" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml index 838133e77..29c368ade 100644 --- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml +++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml @@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Process Access via Direct System Call" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -33,7 +33,7 @@ type = "eql" query = ''' process where event.code == "10" and length(winlog.event_data.CallTrace) > 0 and - + /* Sysmon CallTrace starting with unknown memory module instead of ntdll which host Windows NT Syscalls */ not winlog.event_data.CallTrace : ("?:\\WINDOWS\\SYSTEM32\\ntdll.dll*", "?:\\WINDOWS\\SysWOW64\\ntdll.dll*") ''' diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml index 45639f6fe..347a288c9 100644 --- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml 
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Zoom Child Process" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml index 1120a7aa6..ad7083482 100644 --- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml +++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml @@ -62,7 +62,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml index ee80fcb4a..d1ac29d5c 100644 --- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml +++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml 
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Unusual File Creation - Alternate Data Stream" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml index 1dbb3b4de..89516e87e 100644 --- a/rules/windows/defense_evasion_unusual_dir_ads.toml +++ b/rules/windows/defense_evasion_unusual_dir_ads.toml @@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Unusual Process Execution Path - Alternate Data Stream" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml index c2912aa17..b61d1ab8b 100644 --- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml +++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml 
@@ -11,7 +11,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Unusual Child Process from a System Virtual Process" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml index 61b0bda6b..840911786 100644 --- a/rules/windows/defense_evasion_via_filter_manager.toml +++ b/rules/windows/defense_evasion_via_filter_manager.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential Evasion via Filter Manager" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -26,7 +26,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and +process where event.type in ("start", "process_started") and process.name : "fltMC.exe" and process.args : "unload" ''' diff --git a/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml b/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml index 71b812cf4..b36b45027 100644 --- a/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml +++ b/rules/windows/defense_evasion_whitespace_padding_in_command_line.toml 
@@ -23,7 +23,7 @@ note = """## Triage and analysis - Analyze the command line of the process in question for evidence of malicious code execution. - Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution. -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -37,8 +37,8 @@ type = "eql" query = ''' process where event.type in ("start", "process_started") and - process.command_line regex ".*[ ]{20,}.*" or - + process.command_line regex ".*[ ]{20,}.*" or + /* this will match on 3 or more separate occurrences of 3+ contiguous whitespace characters */ process.command_line regex "([^ ]+[ ]{3,}[^ ]*){3,}.*" ''' diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml index 52dd84195..491316180 100644 --- a/rules/windows/defense_evasion_workfolders_control_execution.toml +++ b/rules/windows/defense_evasion_workfolders_control_execution.toml @@ -25,7 +25,7 @@ accessing the synced share. Using Work Folders to execute a masqueraded control.exe could allow an adversary to bypass application controls and increase privileges. - + #### Possible investigation steps - Investigate the process tree starting with parent process WorkFolders.exe and child process control.exe to determine 
@@ -38,13 +38,13 @@ or network traffic. - Determine if control.exe was synced to sync share, indicating potential lateral movement. - Review how control.exe was originally delivered on the host, such as emailed, downloaded from the web, or written to disk from a separate binary. - -### False positive analysis + +### False positive analysis - Windows Work Folders are used legitimately by end users and administrators for file sharing and syncing but not in the instance where a suspicious control.exe is passed as an argument. -### Response and remediation +### Response and remediation - Initiate the incident response process based on the outcome of the triage. - Isolate the involved host to prevent further post-compromise behavior. @@ -55,7 +55,7 @@ control.exe binary as well as any additional artifacts identified during investi Work Folders. - Confirm with the user whether this was expected or not, and reset their password. -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml index 7f0b913ac..6e963b3e2 100644 --- a/rules/windows/discovery_adfind_command_activity.toml +++ b/rules/windows/discovery_adfind_command_activity.toml 
@@ -61,7 +61,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -81,12 +81,12 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and - (process.name : "AdFind.exe" or process.pe.original_file_name == "AdFind.exe") and - process.args : ("objectcategory=computer", "(objectcategory=computer)", +process where event.type in ("start", "process_started") and + (process.name : "AdFind.exe" or process.pe.original_file_name == "AdFind.exe") and + process.args : ("objectcategory=computer", "(objectcategory=computer)", "objectcategory=person", "(objectcategory=person)", "objectcategory=subnet", "(objectcategory=subnet)", - "objectcategory=group", "(objectcategory=group)", + "objectcategory=group", "(objectcategory=group)", "objectcategory=organizationalunit", "(objectcategory=organizationalunit)", "objectcategory=attributeschema", "(objectcategory=attributeschema)", "domainlist", "dcmodes", "adinfo", "dclist", "computers_pwnotreqd", "trustdmp") diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml index e55855c6d..9db5ed801 100644 --- a/rules/windows/discovery_admin_recon.toml +++ b/rules/windows/discovery_admin_recon.toml 
@@ -22,7 +22,7 @@ After successfully compromising an environment, attackers may try to gain situat This can happen by running commands to enumerate network resources, users, connections, files, and installed security software. -This rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups +This rule looks for the execution of the `net` and `wmic` utilities to enumerate administrator-related users or groups in the domain and local machine scope. Attackers can use this information to plan their next steps of the attack, such as mapping targets for credential compromise and other post-exploitation activities. @@ -57,7 +57,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml index 512d34fa7..f29e17be0 100644 --- a/rules/windows/discovery_command_system_account.toml +++ b/rules/windows/discovery_command_system_account.toml @@ -57,7 +57,7 @@ malware components. mean time to respond (MTTR). - Use the data collected through the analysis to investigate other machines affected in the environment. -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ 
@@ -69,7 +69,7 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and +process where event.type in ("start", "process_started") and (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and (process.name : "whoami.exe" or diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml index 8a1817fff..dee075c87 100644 --- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml +++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml @@ -21,7 +21,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Enumerating Domain Trusts via NLTEST.EXE" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml index c1c0f99be..20bc4c12c 100644 --- a/rules/windows/discovery_net_view.toml +++ b/rules/windows/discovery_net_view.toml @@ -50,7 +50,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ 
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml index 8a50fcd16..9d82dda66 100644 --- a/rules/windows/discovery_peripheral_device.toml +++ b/rules/windows/discovery_peripheral_device.toml @@ -55,7 +55,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -68,7 +68,7 @@ type = "eql" query = ''' process where event.type in ("start", "process_started") and - (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and + (process.name : "fsutil.exe" or process.pe.original_file_name == "fsutil.exe") and process.args : "fsinfo" and process.args : "drives" ''' diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml index 33b86701a..4c0feb423 100644 --- a/rules/windows/discovery_posh_suspicious_api_functions.toml +++ b/rules/windows/discovery_posh_suspicious_api_functions.toml @@ -58,15 +58,15 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` 
@@ -88,7 +88,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and +event.category:process and powershell.file.script_block_text : ( NetShareEnum or NetWkstaUserEnum or diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml index 7c7e8cd69..e96345a34 100644 --- a/rules/windows/discovery_privileged_localgroup_membership.toml +++ b/rules/windows/discovery_privileged_localgroup_membership.toml @@ -63,18 +63,18 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'Audit Security Group Management' audit policy must be configured (Success). Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Policies > -Windows Settings > -Security Settings > -Advanced Audit Policies Configuration > -Audit Policies > +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > Account Management > Audit Security Group Management (Success) ``` diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml index aa03689fc..1030003c6 100644 --- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml +++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml 
@@ -49,7 +49,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml index bb1540da7..3365e23a0 100644 --- a/rules/windows/discovery_security_software_wmic.toml +++ b/rules/windows/discovery_security_software_wmic.toml @@ -53,7 +53,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml index 6c5afe094..e64f31380 100644 --- a/rules/windows/discovery_whoami_command_activity.toml +++ b/rules/windows/discovery_whoami_command_activity.toml 
@@ -62,7 +62,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml index fe634a1bd..02fbad45b 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Command Execution via SolarWinds Process" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml index 0b670201f..f9bc6e9a4 100644 --- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml +++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml 
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious SolarWinds Child Process" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml index 8f48afd7f..5f123a7ab 100644 --- a/rules/windows/execution_com_object_xwizard.toml +++ b/rules/windows/execution_com_object_xwizard.toml @@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Execution of COM object via Xwizard" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml index 9a4ed1c6d..39e4ec455 100644 --- a/rules/windows/execution_command_shell_started_by_unusual_process.toml +++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml 
@@ -11,7 +11,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Unusual Parent Process for cmd.exe" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml index fc9ceda4f..dd406eaeb 100644 --- a/rules/windows/execution_command_shell_via_rundll32.toml +++ b/rules/windows/execution_command_shell_via_rundll32.toml @@ -12,7 +12,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Command Shell Activity Started via RunDLL32" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml index 51cf34af1..a4194430c 100644 --- a/rules/windows/execution_enumeration_via_wmiprvse.toml +++ b/rules/windows/execution_enumeration_via_wmiprvse.toml 
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Enumeration Command Spawned via WMIPrvSE" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_from_unusual_directory.toml b/rules/windows/execution_from_unusual_directory.toml index 8b7c24a71..91916e034 100644 --- a/rules/windows/execution_from_unusual_directory.toml +++ b/rules/windows/execution_from_unusual_directory.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Process Execution from an Unusual Directory" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml index 05c1bd9c5..2bf61e04a 100644 --- a/rules/windows/execution_from_unusual_path_cmdline.toml +++ b/rules/windows/execution_from_unusual_path_cmdline.toml 
@@ -18,7 +18,7 @@ note = """## Triage and analysis This is related to the `Process Execution from an Unusual Directory rule`. -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -31,27 +31,27 @@ type = "eql" query = ''' process where event.type in ("start", "process_started", "info") and - process.name : ("wscript.exe", - "cscript.exe", - "rundll32.exe", - "regsvr32.exe", + process.name : ("wscript.exe", + "cscript.exe", + "rundll32.exe", + "regsvr32.exe", "cmstp.exe", "RegAsm.exe", "installutil.exe", "mshta.exe", - "RegSvcs.exe", - "powershell.exe", - "pwsh.exe", + "RegSvcs.exe", + "powershell.exe", + "pwsh.exe", "cmd.exe") and - + /* add suspicious execution paths here */ process.args : ("C:\\PerfLogs\\*", "C:\\Users\\Public\\*", "C:\\Users\\Default\\*", "C:\\Windows\\Tasks\\*", - "C:\\Intel\\*", - "C:\\AMD\\Temp\\*", - "C:\\Windows\\AppReadiness\\*", + "C:\\Intel\\*", + "C:\\AMD\\Temp\\*", + "C:\\Windows\\AppReadiness\\*", "C:\\Windows\\ServiceState\\*", "C:\\Windows\\security\\*", "C:\\Windows\\IdentityCRL\\*", diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml index 9dcf72bb5..b20181093 100644 --- a/rules/windows/execution_posh_portable_executable.toml +++ b/rules/windows/execution_posh_portable_executable.toml 
@@ -71,15 +71,15 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` @@ -100,7 +100,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and +event.category:process and powershell.file.script_block_text : ( TVqQAAMAAAAEAAAA ) diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml index c396df328..c40773fa2 100644 --- a/rules/windows/execution_posh_psreflect.toml +++ b/rules/windows/execution_posh_psreflect.toml @@ -84,16 +84,16 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be configured (Enable). Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` @@ -115,7 +115,7 @@ timestamp_override = "event.ingested" type = "query" query = ''' -event.category:process and +event.category:process and powershell.file.script_block_text:( "New-InMemoryModule" or "Add-Win32Type" or diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml index 191c05914..0e1e196ba 100644 
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml +++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml @@ -19,7 +19,7 @@ note = """## Triage and analysis The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory. -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml index a03647c22..1ccfb17e6 100644 --- a/rules/windows/execution_suspicious_cmd_wmi.toml +++ b/rules/windows/execution_suspicious_cmd_wmi.toml @@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Cmd Execution via WMI" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml index 3d47714cf..04bcda410 100644 --- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml +++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml 
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious WMI Image Load from MS Office" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml index 0a41ee9aa..2fb99c696 100644 --- a/rules/windows/execution_suspicious_pdf_reader.toml +++ b/rules/windows/execution_suspicious_pdf_reader.toml @@ -62,7 +62,7 @@ systems, and web services. - Remove and block malicious artifacts identified during triage. - Run a full scan using the antimalware tool in place. This scan can reveal additional artifacts left in the system, persistence mechanisms, and malware components. -- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. +- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector. - If the malicious file was delivered via phishing: - Block the email sender from sending future emails. - Block the malicious web pages. @@ -71,7 +71,7 @@ persistence mechanisms, and malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ 
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml index aee5b809b..2641bb5d9 100644 --- a/rules/windows/execution_suspicious_powershell_imgload.toml +++ b/rules/windows/execution_suspicious_powershell_imgload.toml @@ -70,15 +70,15 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with with Advanced Audit Configuration: ``` -Computer Configuration > -Administrative Templates > -Windows PowerShell > +Computer Configuration > +Administrative Templates > +Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` @@ -88,7 +88,7 @@ Steps to implement the logging policy via registry: reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml index dfae259bd..277f4556a 100644 --- a/rules/windows/execution_suspicious_psexesvc.toml +++ b/rules/windows/execution_suspicious_psexesvc.toml 
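Review bot: The note in execution_suspicious_powershell_imgload.toml now carries two `## Setup` headings, because both the Script Block Logging section (hunk at line 70) and the former second `## Config` section (hunk at line 88) were renamed to the same title, which leaves a duplicated section in the rendered note and may not parse as a single setup block under the new note validation introduced in rule.py. I would merge the `event.ingested` paragraph into the first `## Setup` section and drop the second heading, so the note reads `## Setup` once followed by the logging-policy steps and then the EQL timestamp caveat. The unchanged context line `Steps to implement the logging policy with with Advanced Audit Configuration:` also repeats "with"; the same wording appears in the PowerShell and audit-policy notes in earlier hunks of this diff and could be fixed in the same pass. Both hunks of this file section are shown in full, so no enclosing block is cut.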
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Process Execution via Renamed PsExec Executable" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_suspicious_short_program_name.toml b/rules/windows/execution_suspicious_short_program_name.toml index 1a52f5676..4411e8c7e 100644 --- a/rules/windows/execution_suspicious_short_program_name.toml +++ b/rules/windows/execution_suspicious_short_program_name.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Execution - Short Program Name" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml index 1ecdad3de..cf350f688 100644 --- a/rules/windows/execution_via_compiled_html_file.toml +++ b/rules/windows/execution_via_compiled_html_file.toml 
@@ -22,7 +22,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Process Activity via Compiled HTML File" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -34,8 +34,8 @@ timestamp_override = "event.ingested" type = "eql" query = ''' -process where event.type in ("start", "process_started") and - process.parent.name : "hh.exe" and +process where event.type in ("start", "process_started") and + process.parent.name : "hh.exe" and process.name : ("mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "cscript.exe", "wscript.exe") ''' diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml index 714639552..ee9f680a4 100644 --- a/rules/windows/execution_via_hidden_shell_conhost.toml +++ b/rules/windows/execution_via_hidden_shell_conhost.toml @@ -21,7 +21,7 @@ note = """## Triage and analysis The Windows Console Host, or `conhost.exe`, is both the server application for all of the Windows Console APIs as well as the classic Windows user interface for working with command-line applications. -Attackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and +Attackers often rely on custom shell implementations to avoid using built-in command interpreters like `cmd.exe` and `PowerShell.exe` and bypass application allowlisting and security features. Attackers commonly inject these implementations into legitimate system processes. 
@@ -72,7 +72,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml index dda7f5085..bfb0704ba 100644 --- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml +++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Execution via MSSQL xp_cmdshell Stored Procedure" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml index b00df4a19..07f355d36 100644 --- a/rules/windows/impact_backup_file_deletion.toml +++ b/rules/windows/impact_backup_file_deletion.toml 
@@ -65,7 +65,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml index facd3d06a..78c8dd66c 100644 --- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml @@ -60,7 +60,7 @@ for ransomware preparation and execution activities. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml index 4a4a7664e..7e86a6184 100644 --- a/rules/windows/impact_modification_of_boot_config.toml +++ b/rules/windows/impact_modification_of_boot_config.toml 
@@ -61,7 +61,7 @@ for ransomware preparation and execution activities. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml index 38f3e419a..a049d324d 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml @@ -82,7 +82,7 @@ malware components. mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml index cf5841d2b..5aa7db9cf 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml 
@@ -81,7 +81,7 @@ malware components. mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -99,7 +99,7 @@ type = "eql" query = ''' process where event.type in ("start", "process_started") and - process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and + process.name : ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : ("*Get-WmiObject*", "*gwmi*", "*Get-CimInstance*", "*gcim*") and process.args : ("*Win32_ShadowCopy*") and process.args : ("*.Delete()*", "*Remove-WmiObject*", "*rwmi*", "*Remove-CimInstance*", "*rcim*") diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml index 5bdd3c3b1..9f6e33d60 100644 --- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml +++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml @@ -81,7 +81,7 @@ malware components. mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml index c12dbee0a..8ad0c47c2 100644 --- a/rules/windows/initial_access_script_executing_powershell.toml +++ b/rules/windows/initial_access_script_executing_powershell.toml 
@@ -71,7 +71,7 @@ malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml index 96b0c97f9..b97252ffa 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml @@ -34,7 +34,7 @@ from existing intrusions. Other tools for detecting and mitigating can be found [repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security) -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml index 8cb57ff93..83dc1d357 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml 
@@ -20,7 +20,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Server UM Spawning Suspicious Processes" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml index 348ef66dd..1fb11a8ec 100644 --- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml @@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Microsoft Exchange Worker Spawning Suspicious Processes" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml index 70ed8496f..8af826f09 100644 --- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml 
@@ -73,7 +73,7 @@ persistence mechanisms, and malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ 
@@ -88,10 +88,10 @@ query = ''' process where event.type in ("start", "process_started") and process.parent.name : ("eqnedt32.exe", "excel.exe", "fltldr.exe", "msaccess.exe", "mspub.exe", "powerpnt.exe", "winword.exe", "outlook.exe") and process.name : ("Microsoft.Workflow.Compiler.exe", "arp.exe", "atbroker.exe", "bginfo.exe", "bitsadmin.exe", "cdb.exe", "certutil.exe", - "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", - "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "ipconfig.exe", - "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", - "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", + "cmd.exe", "cmstp.exe", "control.exe", "cscript.exe", "csi.exe", "dnx.exe", "dsget.exe", "dsquery.exe", "forfiles.exe", + "fsi.exe", "ftp.exe", "gpresult.exe", "hostname.exe", "ieexec.exe", "iexpress.exe", "installutil.exe", "ipconfig.exe", + "mshta.exe", "msxsl.exe", "nbtstat.exe", "net.exe", "net1.exe", "netsh.exe", "netstat.exe", "nltest.exe", "odbcconf.exe", + "ping.exe", "powershell.exe", "pwsh.exe", "qprocess.exe", "quser.exe", "qwinsta.exe", "rcsi.exe", "reg.exe", "regasm.exe", "regsvcs.exe", "regsvr32.exe", "sc.exe", "schtasks.exe", "systeminfo.exe", "tasklist.exe", "tracert.exe", "whoami.exe", "wmic.exe", "wscript.exe", "xwizard.exe", "explorer.exe", "rundll32.exe", "hh.exe", "msdt.exe") ''' diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml index f3abfa4da..397e53e29 100644 --- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml +++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml 
@@ -70,7 +70,7 @@ persistence mechanisms, and malware components. - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml index 0768e5f59..ce4f4bf64 100644 --- a/rules/windows/initial_access_unusual_dns_service_children.toml +++ b/rules/windows/initial_access_unusual_dns_service_children.toml @@ -30,7 +30,7 @@ Detection alerts from this rule indicate potential suspicious child processes sp - If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring. - Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint. -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml index 3818a24bd..634aef780 100644 --- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml +++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml 
@@ -21,7 +21,7 @@ Detection alerts from this rule indicate potential unusual/abnormal file writes - Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. - Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care. -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml index 6da172df5..9f6293858 100644 --- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml +++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml @@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious Explorer Child Process" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml index 3a9d82db1..e71d29e94 100644 --- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml +++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml 
@@ -15,7 +15,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Potential Remote Desktop Shadowing Activity" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -34,11 +34,11 @@ query = ''' /* Identifies the modification of RDP Shadow registry or the execution of processes indicative of active shadow RDP session */ -any where +any where (event.category == "registry" and registry.path : "HKLM\\Software\\Policies\\Microsoft\\Windows NT\\Terminal Services\\Shadow" ) or - (event.category == "process" and + (event.category == "process" and (process.name : ("RdpSaUacHelper.exe", "RdpSaProxy.exe") and process.parent.name : "svchost.exe") or (process.pe.original_file_name : "mstsc.exe" and process.args : "/shadow:*") ) diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml index 3ffee4327..275db0008 100644 --- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml +++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml @@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Execution via TSClient Mountpoint" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ 
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml index f85667b82..9bbe1bb44 100644 --- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml +++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml @@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Mounting Hidden or WebDav Remote Shares" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml index 6f6530550..8aa1a6fe3 100644 --- a/rules/windows/lateral_movement_rdp_enabled_registry.toml +++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml @@ -56,7 +56,7 @@ they are aware of it, whether RDP should be open, and whether the action exposes - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml index 241f9bc3f..33ce418da 100644 --- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml 
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml @@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Remote File Copy to a Hidden Share" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ @@ -27,7 +27,7 @@ type = "eql" query = ''' process where event.type in ("start", "process_started") and - process.name : ("cmd.exe", "powershell.exe", "robocopy.exe", "xcopy.exe") and + process.name : ("cmd.exe", "powershell.exe", "robocopy.exe", "xcopy.exe") and process.args : ("copy*", "move*", "cp", "mv") and process.args : "*$*" ''' diff --git a/rules/windows/lateral_movement_service_control_spawned_script_int.toml b/rules/windows/lateral_movement_service_control_spawned_script_int.toml index 8ae725b42..2926e729f 100644 --- a/rules/windows/lateral_movement_service_control_spawned_script_int.toml +++ b/rules/windows/lateral_movement_service_control_spawned_script_int.toml @@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "logs-system.*", "winlogbeat-*"] language = "eql" license = "Elastic License v2" name = "Service Control Spawned via Script Interpreter" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml index 1bbe2582c..1014076b3 100644 
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml +++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml @@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Suspicious RDP ActiveX Client Loaded" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml index abc8ce791..d492600da 100644 --- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml +++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml @@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Lateral Movement via Startup Folder" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml index c0223aab6..afeb0fdc6 100644 --- a/rules/windows/persistence_adobe_hijack_persistence.toml +++ b/rules/windows/persistence_adobe_hijack_persistence.toml 
@@ -60,7 +60,7 @@ systems, and web services. mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml index b5da731ae..3d848d399 100644 --- a/rules/windows/persistence_appcertdlls_registry.toml +++ b/rules/windows/persistence_appcertdlls_registry.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Registry Persistence via AppCert DLL" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml index a8899053a..b2c73e2ac 100644 --- a/rules/windows/persistence_appinitdlls_registry.toml +++ b/rules/windows/persistence_appinitdlls_registry.toml @@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Registry Persistence via AppInit DLL" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ 
@@ -27,10 +27,10 @@ type = "eql" query = ''' registry where - registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", + registry.path : ("HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls", "HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_Dlls") and - not process.executable : ("C:\\Windows\\System32\\msiexec.exe", - "C:\\Windows\\SysWOW64\\msiexec.exe", + not process.executable : ("C:\\Windows\\System32\\msiexec.exe", + "C:\\Windows\\SysWOW64\\msiexec.exe", "C:\\Program Files\\Commvault\\ContentStore*\\Base\\cvd.exe", "C:\\Program Files (x86)\\Commvault\\ContentStore*\\Base\\cvd.exe") ''' diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml index e7fac94f9..3825fa432 100644 --- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml +++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml @@ -45,7 +45,7 @@ prevalence, whether they are located in expected locations, and if they are sign - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR). -## Config +## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml index 1600f59b4..4ec2dfca6 100644 --- a/rules/windows/persistence_gpo_schtask_service_creation.toml +++ b/rules/windows/persistence_gpo_schtask_service_creation.toml 
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Creation or Modification of a new GPO Scheduled Task or Service" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml index eb93f83e5..560c30f21 100644 --- a/rules/windows/persistence_local_scheduled_job_creation.toml +++ b/rules/windows/persistence_local_scheduled_job_creation.toml @@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Persistence via Scheduled Job Creation" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index d2bf687d3..1133fb27c 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml 
@@ -11,7 +11,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Persistence via Microsoft Office AddIns" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index c8efd187c..059c908b7 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml @@ -12,7 +12,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "Persistence via Microsoft Outlook VBA" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index c3e6e9a81..7711fd215 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml 
@@ -14,19 +14,19 @@ index = ["winlogbeat-*", "logs-system.*"] language = "kuery" license = "Elastic License v2" name = "KRBTGT Delegation Backdoor" -note = """## Config +note = """## Setup The 'Audit User Account Management' logging policy must be configured for (Success, Failure). Steps to implement the logging policy with Advanced Audit Configuration: ``` -Computer Configuration > -Policies > -Windows Settings > -Security Settings > -Advanced Audit Policies Configuration > -Audit Policies > -Account Management > +Computer Configuration > +Policies > +Windows Settings > +Security Settings > +Advanced Audit Policies Configuration > +Audit Policies > +Account Management > Audit User Account Management (Success,Failure) ``` """ diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml index aad86a9a8..60357bba5 100644 --- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -15,7 +15,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] language = "eql" license = "Elastic License v2" name = "New ActiveSyncAllowedDeviceID Added via PowerShell" -note = """## Config +note = """## Setup If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work. """ diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index dc3642277..0a055ef4c 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml 
@@ -73,7 +73,7 @@ systems, and web services.
 mean time to respond (MTTR).
-## Config
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
index b988714e2..3d49f5d77 100644
--- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
+++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
@@ -65,13 +65,13 @@ should be mapped and reviewed by the security team for alternatives as this weak
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
-## Config
+## Setup
 The 'Audit Directory Service Changes' logging policy must be configured for (Success).
 Steps to implement the logging policy with Advanced Audit Configuration:
 ```
-Computer Configuration >
+Computer Configuration >
 Policies >
 Windows Settings >
 Security Settings >
diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
index 71933361a..a36c9a584 100644
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
+++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
@@ -43,7 +43,7 @@ software installations.
 ### False positive analysis
-- Administrators may add programs to this mechanism via command-line shells. Before the further investigation,
+- Administrators may add programs to this mechanism via command-line shells. Before the further investigation,
 verify that this activity is not benign.
 ### Related rules
@@ -71,10 +71,10 @@ malware components.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
-## Config
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
-"""
+"""
 risk_score = 47
 rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde"
 severity = "medium"
@@ -85,7 +85,7 @@ type = "eql"
 query = '''
 file where event.type != "deletion" and user.domain != "NT AUTHORITY" and
- file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
+ file.path : ("C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*",
 "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\*") and
 process.name : ("cmd.exe", "powershell.exe",
diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml
index 6f06276ba..4ca25716e 100644
--- a/rules/windows/persistence_startup_folder_scripts.toml
+++ b/rules/windows/persistence_startup_folder_scripts.toml
@@ -70,7 +70,7 @@ malware components.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
-## Config
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -83,16 +83,16 @@ type = "eql"
 query = '''
 file where event.type != "deletion" and user.domain != "NT AUTHORITY" and
-
+
 /* detect shortcuts created by wscript.exe or cscript.exe */
 (file.path : "C:\\*\\Programs\\Startup\\*.lnk" and process.name : ("wscript.exe", "cscript.exe")) or
 /* detect vbs or js files created by any process */
- file.path : ("C:\\*\\Programs\\Startup\\*.vbs",
- "C:\\*\\Programs\\Startup\\*.vbe",
- "C:\\*\\Programs\\Startup\\*.wsh",
- "C:\\*\\Programs\\Startup\\*.wsf",
+ file.path : ("C:\\*\\Programs\\Startup\\*.vbs",
+ "C:\\*\\Programs\\Startup\\*.vbe",
+ "C:\\*\\Programs\\Startup\\*.wsh",
+ "C:\\*\\Programs\\Startup\\*.wsf",
 "C:\\*\\Programs\\Startup\\*.js")
 '''
diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml
index 47301090d..53ce2d3d0 100644
--- a/rules/windows/persistence_suspicious_com_hijack_registry.toml
+++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml
@@ -62,7 +62,7 @@ malware components.
 mean time to respond (MTTR).
-## Config
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -79,13 +79,13 @@ type = "eql"
 query = '''
 registry where
 (registry.path : "HK*}\\InprocServer32\\" and registry.data.strings: ("scrobj.dll", "C:\\*\\scrobj.dll") and
- not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*")
+ not registry.path : "*\\{06290BD*-48AA-11D2-8432-006008C3FBFC}\\*")
 or
 /* in general COM Registry changes on Users Hive is less noisy and worth alerting */
 (registry.path : ("HKEY_USERS\\*Classes\\*\\InprocServer32\\",
 "HKEY_USERS\\*Classes\\*\\LocalServer32\\",
- "HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
- "HKEY_USERS\\*Classes\\*\\TreatAs\\",
+ "HKEY_USERS\\*Classes\\*\\DelegateExecute\\",
+ "HKEY_USERS\\*Classes\\*\\TreatAs\\",
 "HKEY_USERS\\*Classes\\CLSID\\*\\ScriptletURL\\") and
 not (process.executable : "?:\\Program Files*\\Veeam\\Backup and Replication\\Console\\veeam.backup.shell.exe" and registry.path : "HKEY_USERS\\S-1-5-21-*_Classes\\CLSID\\*\\LocalServer32\\") and
diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
index e61eea6d9..604baa4f9 100644
--- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
+++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
@@ -16,7 +16,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Image Load (taskschd.dll) from MS Office"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
index af8ed0fc1..d12fbd6dc 100644
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
+++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml
@@ -12,7 +12,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Execution via Scheduled Task"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -50,12 +50,12 @@ process where event.type == "start" and
 /* add suspicious paths here */
 process.args : (
 "C:\\Users\\*",
- "C:\\ProgramData\\*",
- "C:\\Windows\\Temp\\*",
- "C:\\Windows\\Tasks\\*",
- "C:\\PerfLogs\\*",
- "C:\\Intel\\*",
- "C:\\Windows\\Debug\\*",
+ "C:\\ProgramData\\*",
+ "C:\\Windows\\Temp\\*",
+ "C:\\Windows\\Tasks\\*",
+ "C:\\PerfLogs\\*",
+ "C:\\Intel\\*",
+ "C:\\Windows\\Debug\\*",
 "C:\\HP\\*")
 '''
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 72a9ddfda..f92ac6ca9 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -54,7 +54,7 @@ malware components.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
-## Config
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -69,7 +69,7 @@ query = '''
 process where event.type in ("start", "process_started") and
 process.parent.name : "services.exe" and
 process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") and
-
+
 /* Third party FP's */
 not process.args : "NVDisplay.ContainerLocalSystem"
 '''
diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
index c11c1ba64..a4d154837 100644
--- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
+++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
@@ -49,7 +49,7 @@ this level of privilege.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
-## Config
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index 34a4f2111..ea713ca4d 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -51,7 +51,7 @@ systems, and web services.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
-## Config
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 7bf7a83c5..355869f27 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Application Shimming via Sdbinst"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index 439571b9b..84f48f3f8 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -15,7 +15,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via BITS Job Notify Cmdline"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 983593bfb..60d217ff9 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Hidden Run Key Detected"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -34,8 +34,8 @@ query = '''
 registry where /* length(registry.data.strings) > 0 and */
 registry.path : ("HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
- "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
- "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
+ "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
+ "HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\",
 "HKEY_USERS\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
 "HKU\\*\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\",
 "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\")
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index de931ee21..6ae200217 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Installation of Security Support Provider"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -27,7 +27,7 @@ type = "eql"
 query = '''
 registry where
- registry.path : ("HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
+ registry.path : ("HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\Security Packages*",
 "HKLM\\SYSTEM\\*ControlSet*\\Control\\Lsa\\OSConfig\\Security Packages*") and
 not process.executable : ("C:\\Windows\\System32\\msiexec.exe", "C:\\Windows\\SysWOW64\\msiexec.exe")
 '''
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index a332fd1bc..6fc02c637 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via TelemetryController Scheduled Task Hijack"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 0a0c41248..f73f22305 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via Update Orchestrator Service Hijack"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 7c55bb97c..e4549f5bd 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
@@ -15,7 +15,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Persistence via WMI Event Subscription"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index ff3ad3f69..f35db5c32 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -21,7 +21,7 @@ note = """## Triage and analysis
 Detections should be investigated to identify if the activity corresponds to legitimate activity. As this rule detects post-exploitation process activity, investigations into this should be prioritized.
-## Config
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -37,7 +37,7 @@ type = "eql"
 query = '''
 process where event.type == "start" and
- process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and
+ process.parent.name : ("w3wp.exe", "httpd.exe", "nginx.exe", "php.exe", "php-cgi.exe", "tomcat.exe") and
 process.name : ("cmd.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "wmic.exe", "wscript.exe")
 '''
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 66bde8acd..cf600e0a3 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -16,7 +16,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Disabling User Account Control via Registry Modification"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index 4c8b33e8f..afbc05d74 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -50,19 +50,19 @@ potentially malicious commands or binaries.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
-## Config
+## Setup
 The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
-Computer Configuration >
-Policies >
-Windows Settings >
-Security Settings >
-Advanced Audit Policies Configuration >
-Audit Policies >
-Object Access >
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
 Audit Detailed File Share (Success,Failure)
 ```
@@ -70,13 +70,13 @@ The 'Audit Directory Service Changes' audit policy must be configured (Success F
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
-Computer Configuration >
-Policies >
-Windows Settings >
-Security Settings >
-Advanced Audit Policies Configuration >
-Audit Policies >
-DS Access >
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
 Audit Directory Service Changes (Success,Failure)
 ```
 """
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index 32d6248a2..b56a7fcaf 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
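Review bot: Both Setup sections of privilege_escalation_group_policy_iniscript.toml keep the doubled word in the context line `Steps to implement the logging policy with with Advanced Audit Configuration:`; since the commit is already rewording these sections, that line should become `Steps to implement the logging policy with Advanced Audit Configuration:`. The same sentence recurs in the Setup hunks of privilege_escalation_group_policy_privileged_groups.toml and privilege_escalation_group_policy_scheduled_task.toml. In the same sections the prose says the policy must be configured `(Success Failure)` while the fenced steps end in `(Success,Failure)`; matching the prose to the steps, as the KRBTGT rule's `(Success, Failure)` already does, removes an ambiguous audit instruction. The `note` string these hunks sit in opens before the first hunk and closes at its end.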
@@ -47,19 +47,19 @@ dangerous high privileges, for example: SeTakeOwnershipPrivilege, SeEnableDelega
 - Remove the script from the GPO.
 - Check if other GPOs have suspicious scripts attached.
-## Config
+## Setup
 The 'Audit Directory Service Changes' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
-Computer Configuration >
-Policies >
-Windows Settings >
-Security Settings >
-Advanced Audit Policies Configuration >
-Audit Policies >
-DS Access >
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
 Audit Directory Service Changes (Success,Failure)
 ```
 """
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:"gPCMachineExtensionNames" and
+event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:"gPCMachineExtensionNames" and
 winlog.event_data.AttributeValue:(*827D319E-6EAC-11D2-A4EA-00C04F79F83A* and *803E14A0-B4FB-11D0-A0D0-00A0C90F574B*)
 '''
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 270f7b874..82f314a47 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -48,19 +48,19 @@ potentially malicious commands or binaries.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
-## Config
+## Setup
 The 'Audit Detailed File Share' audit policy must be configured (Success Failure).
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
-Computer Configuration >
-Policies >
-Windows Settings >
-Security Settings >
-Advanced Audit Policies Configuration >
-Audit Policies >
-Object Access >
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+Object Access >
 Audit Detailed File Share (Success,Failure)
 ```
@@ -68,13 +68,13 @@ The 'Audit Directory Service Changes' audit policy must be configured (Success F
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
-Computer Configuration >
-Policies >
-Windows Settings >
-Security Settings >
-Advanced Audit Policies Configuration >
-Audit Policies >
-DS Access >
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
 Audit Directory Service Changes (Success,Failure)
 ```
 """
@@ -93,8 +93,8 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-(event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:("gPCMachineExtensionNames" or "gPCUserExtensionNames") and
- winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))
+(event.code: "5136" and winlog.event_data.AttributeLDAPDisplayName:("gPCMachineExtensionNames" or "gPCUserExtensionNames") and
+ winlog.event_data.AttributeValue:(*CAB54552-DEEA-4691-817E-ED4A4D1AFC72* and *AADCED64-746C-4633-A97C-D61349046527*))
 or
 (event.code: "5145" and winlog.event_data.ShareName: "\\\\*\\SYSVOL" and winlog.event_data.RelativeTargetName: *ScheduledTasks.xml and
 (message: WriteData or winlog.event_data.AccessList: *%%4417*))
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index 9f071f64e..faeb8989e 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -72,7 +72,7 @@ systems, and web services.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
-## Config
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -87,15 +87,15 @@ type = "eql"
 query = '''
 /* This rule is compatible with both Sysmon and Elastic Endpoint */
-process where event.type == "start" and
+process where event.type == "start" and
 (?process.Ext.token.integrity_level_name : "System" or ?winlog.event_data.IntegrityLevel : "System") and
 (
- (process.name : "elevation_service.exe" and
+ (process.name : "elevation_service.exe" and
 not process.pe.original_file_name == "elevation_service.exe")
 or
- (process.parent.name : "elevation_service.exe" and
- process.name : ("rundll32.exe", "cmd.exe", "powershell.exe"))
+ (process.parent.name : "elevation_service.exe" and
+ process.name : ("rundll32.exe", "cmd.exe", "powershell.exe"))
 )
 '''
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 8daae33dd..8ef1ebecc 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Privilege Escalation via Named Pipe Impersonation"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -30,7 +30,7 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and
- process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE") and
+ process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE") and
 process.args : "echo" and process.args : ">" and process.args : "\\\\.\\pipe\\*"
 '''
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index a8f89633e..271af49f2 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious DLL Loaded for Persistence or Privilege Escalation"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -52,7 +52,7 @@ library where dll.name :
 "cdpsgshims.dll",
 "windowsperformancerecordercontrol.dll",
 "diagtrack_win.dll"
- ) and
+ ) and
 not (dll.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation") and
 dll.code_signature.status : "trusted")
 '''
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index b3fb8900f..b444af272 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious PrintSpooler Service Executable File Creation"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 35d3428e2..4952c61bd 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -20,7 +20,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Print Spooler File Deletion"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index 9c884acb1..af56fb238 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -18,7 +18,7 @@ note = """## Threat intel
 Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched.
-## Config
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index 6723cd0bd..8d32b4342 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -15,7 +15,7 @@ index = ["winlogbeat-*", "logs-system.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Privileged Escalation via SamAccountName Spoofing"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
index cae2d4976..70a509e6e 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
index 5617001e3..e02bb7e96 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
index 53e9cf5d7..d1dfe81db 100644
--- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass via ICMLuaUtil Elevated COM Interface"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
index fa8a216be..ee62820a9 100644
--- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass via DiskCleanup Scheduled Task Hijack"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
index 1ceef1a83..3dc01cfe0 100644
--- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass Attempt via Privileged IFileOperation COM Interface"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 9535af509..6c1cb2afb 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Bypass UAC via Event Viewer"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
@@ -28,8 +28,8 @@ type = "eql"
 query = '''
 process where event.type in ("start", "process_started") and process.parent.name : "eventvwr.exe" and
- not process.executable :
- ("?:\\Windows\\SysWOW64\\mmc.exe",
+ not process.executable :
+ ("?:\\Windows\\SysWOW64\\mmc.exe",
 "?:\\Windows\\System32\\mmc.exe",
 "?:\\Windows\\SysWOW64\\WerFault.exe",
 "?:\\Windows\\System32\\WerFault.exe")
diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
index 3ffaa48d5..a7885fb6b 100644
--- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass Attempt via Windows Directory Masquerading"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
index 219a22c6b..699c01eb8 100644
--- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "UAC Bypass via Windows Firewall Snap-In Hijack"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index 25d44aaeb..ee4a4b19f 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -62,7 +62,7 @@ malware components.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-## Config
+## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
index 9b523d023..5d80bc710 100644
--- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
+++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
@@ -22,7 +22,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Print Spooler Child Process"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
index 44d39e612..925cc92ef 100644
--- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
+++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
@@ -15,7 +15,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Service Host Child Process - Childless Service"
-note = """## Config
+note = """## Setup
 If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
 """
diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
index 374421e17..03e0c4740 100644
--- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
+++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Privilege Escalation via Rogue Named Pipe Impersonation"
-note = """## Config
+note = """## Setup
 Named Pipe Creation Events need to be enabled within the Sysmon configuration by including the following settings:
 `condition equal "contains" and keyword equal "pipe"`
diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
index 5d6be35e9..4f186739d 100644
--- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
+++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
@@ -15,19 +15,19 @@ index = ["winlogbeat-*", "logs-system.*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Windows Service Installed via an Unusual Client"
-note = """## Config
+note = """## Setup
 The 'Audit Security System Extension' logging policy must be configured for (Success)
 Steps to implement the logging policy with with Advanced Audit Configuration:
 ```
-Computer Configuration >
-Policies >
-Windows Settings >
-Security Settings >
-Advanced Audit Policies Configuration >
-Audit Policies >
-System >
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+System >
 Audit Security System Extension (Success)
 ```
 """
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 3e781dce8..a7aad48f2 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -652,7 +652,7 @@ class TestIntegrationRules(BaseRuleTest):
 def test_integration_guide(self):
 """Test that rules which require a config note are using standard verbiage."""
- config = '## Config\n\n'
+ config = '## Setup\n\n'
 beats_integration_pattern = config + 'The {} Fleet integration, Filebeat module, or similarly ' \
 'structured data is required to be compatible with this rule.'
 render = beats_integration_pattern.format
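Review bot: The context line `Steps to implement the logging policy with with Advanced Audit Configuration:` in the privilege_escalation_windows_service_via_unusual_client.toml hunk still carries a doubled "with" that this commit, which already rewrites the heading and the policy-path lines of the same `note`, leaves in place; it should read `Steps to implement the logging policy with Advanced Audit Configuration:`. The preceding sentence `The 'Audit Security System Extension' logging policy must be configured for (Success)` also ends without punctuation, which reads as truncated once it is rendered as analyst-facing setup guidance. Both fixes are one-line wording changes inside the `note` string and do not affect the rule query.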