From 680a04da8fa57358553fc9891685793520bcfd6c Mon Sep 17 00:00:00 2001
From: Ben Skelker <54019610+benskelker@users.noreply.github.com>
Date: Mon, 13 Jul 2020 21:47:42 +0300
Subject: [PATCH] Fix terminology and doc links (#54)
---
 rules/ml/ml_linux_anomalous_network_activity.toml | 2 +-
 rules/ml/ml_linux_anomalous_network_port_activity.toml | 2 +-
 rules/ml/ml_linux_anomalous_network_service.toml | 2 +-
 rules/ml/ml_linux_anomalous_network_url_activity.toml | 2 +-
 rules/ml/ml_linux_anomalous_process_all_hosts.toml | 2 +-
 rules/ml/ml_linux_anomalous_user_name.toml | 2 +-
 rules/ml/ml_packetbeat_dns_tunneling.toml | 2 +-
 rules/ml/ml_packetbeat_rare_dns_question.toml | 2 +-
 rules/ml/ml_packetbeat_rare_server_domain.toml | 2 +-
 rules/ml/ml_packetbeat_rare_urls.toml | 2 +-
 rules/ml/ml_packetbeat_rare_user_agent.toml | 2 +-
 rules/ml/ml_rare_process_by_host_linux.toml | 2 +-
 rules/ml/ml_rare_process_by_host_windows.toml | 2 +-
 rules/ml/ml_suspicious_login_activity.toml | 2 +-
 rules/ml/ml_windows_anomalous_network_activity.toml | 2 +-
 rules/ml/ml_windows_anomalous_path_activity.toml | 2 +-
 rules/ml/ml_windows_anomalous_process_all_hosts.toml | 2 +-
 rules/ml/ml_windows_anomalous_process_creation.toml | 2 +-
 rules/ml/ml_windows_anomalous_script.toml | 2 +-
 rules/ml/ml_windows_anomalous_service.toml | 2 +-
 rules/ml/ml_windows_anomalous_user_name.toml | 2 +-
 rules/ml/ml_windows_rare_user_runas_event.toml | 2 +-
 rules/ml/ml_windows_rare_user_type10_remote_login.toml | 2 +-
 ...ommand_and_control_proxy_port_activity_to_the_internet.toml | 3 +--
 ...defense_evasion_misc_lolbin_connecting_to_the_internet.toml | 2 +-
 ...ion_register_server_program_connecting_to_the_internet.toml | 2 +-
 26 files changed, 26 insertions(+), 27 deletions(-)
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index d653ad131..b69886d2d 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -27,7 +27,7 @@ Signals from this rule indicate the presence of network activity from a Linux pr
 - Consider the user as identified by the username field. Is this network activity part of an expected workflow for the user who ran the program?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business or maintenance process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index eafee5439..462dcc463 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -18,7 +18,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_network_port_activity_ecs"
 name = "Unusual Linux Network Port Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_network_service.toml b/rules/ml/ml_linux_anomalous_network_service.toml
index 3b8e61c99..3b2ebc8e1 100644
--- a/rules/ml/ml_linux_anomalous_network_service.toml
+++ b/rules/ml/ml_linux_anomalous_network_service.toml
@@ -17,7 +17,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_network_service"
 name = "Unusual Linux Network Service"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "52afbdc5-db15-596e-bc35-f5707f820c4b"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_network_url_activity.toml b/rules/ml/ml_linux_anomalous_network_url_activity.toml
index 3adfeba4b..5316e7a6d 100644
--- a/rules/ml/ml_linux_anomalous_network_url_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_url_activity.toml
@@ -25,7 +25,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "linux_anomalous_network_url_activity_ecs"
 name = "Unusual Linux Web Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "52afbdc5-db15-485e-bc35-f5707f820c4c"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_process_all_hosts.toml b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
index 6b0615a08..e82034bb8 100644
--- a/rules/ml/ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
@@ -28,7 +28,7 @@ Signals from this rule indicate the presence of a Linux process that is rare and
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "647fc812-7996-4795-8869-9c4ea595fe88"
 severity = "low"
diff --git a/rules/ml/ml_linux_anomalous_user_name.toml b/rules/ml/ml_linux_anomalous_user_name.toml
index 993fae1ac..0ea17fc3b 100644
--- a/rules/ml/ml_linux_anomalous_user_name.toml
+++ b/rules/ml/ml_linux_anomalous_user_name.toml
@@ -33,7 +33,7 @@ Signals from this rule indicate activity for a Linux user name that is rare and
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?
 - Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "b347b919-665f-4aac-b9e8-68369bf2340c"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_dns_tunneling.toml b/rules/ml/ml_packetbeat_dns_tunneling.toml
index 84e218f5d..d954e9961 100644
--- a/rules/ml/ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/ml_packetbeat_dns_tunneling.toml
@@ -24,7 +24,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_dns_tunneling"
 name = "DNS Tunneling"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_dns_question.toml b/rules/ml/ml_packetbeat_rare_dns_question.toml
index 53c5315f5..cc205b033 100644
--- a/rules/ml/ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/ml_packetbeat_rare_dns_question.toml
@@ -27,7 +27,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_dns_question"
 name = "Unusual DNS Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index 8dd1d5217..6c77bc97d 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -27,7 +27,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_server_domain"
 name = "Unusual Network Destination Domain Name"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_urls.toml b/rules/ml/ml_packetbeat_rare_urls.toml
index 3af3d0077..7414a22cf 100644
--- a/rules/ml/ml_packetbeat_rare_urls.toml
+++ b/rules/ml/ml_packetbeat_rare_urls.toml
@@ -30,7 +30,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_urls"
 name = "Unusual Web Request"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
 severity = "low"
diff --git a/rules/ml/ml_packetbeat_rare_user_agent.toml b/rules/ml/ml_packetbeat_rare_user_agent.toml
index fb06c72cc..0e67b8ec0 100644
--- a/rules/ml/ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/ml_packetbeat_rare_user_agent.toml
@@ -28,7 +28,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "packetbeat_rare_user_agent"
 name = "Unusual Web User Agent"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0"
 severity = "low"
diff --git a/rules/ml/ml_rare_process_by_host_linux.toml b/rules/ml/ml_rare_process_by_host_linux.toml
index 190287daf..5a6f9bff3 100644
--- a/rules/ml/ml_rare_process_by_host_linux.toml
+++ b/rules/ml/ml_rare_process_by_host_linux.toml
@@ -28,7 +28,7 @@ Signals from this rule indicate the presence of a Linux process that is rare and
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "46f804f5-b289-43d6-a881-9387cf594f75"
 severity = "low"
diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml
index f9344f615..b9578a18b 100644
--- a/rules/ml/ml_rare_process_by_host_windows.toml
+++ b/rules/ml/ml_rare_process_by_host_windows.toml
@@ -31,7 +31,7 @@ Signals from this rule indicate the presence of a Windows process that is rare a
 - Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
 - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76"
 severity = "low"
diff --git a/rules/ml/ml_suspicious_login_activity.toml b/rules/ml/ml_suspicious_login_activity.toml
index 559b427c9..c345827ae 100644
--- a/rules/ml/ml_suspicious_login_activity.toml
+++ b/rules/ml/ml_suspicious_login_activity.toml
@@ -19,7 +19,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "suspicious_login_activity_ecs"
 name = "Unusual Login Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index fd4a04369..1d5841086 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -29,7 +29,7 @@ Signals from this rule indicate the presence of network activity from a Windows
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
 - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_path_activity.toml b/rules/ml/ml_windows_anomalous_path_activity.toml
index edac29c0e..a1e877f55 100644
--- a/rules/ml/ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/ml_windows_anomalous_path_activity.toml
@@ -25,7 +25,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_path_activity_ecs"
 name = "Unusual Windows Path Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_process_all_hosts.toml b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
index 395b9207e..e92ed7533 100644
--- a/rules/ml/ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
@@ -31,7 +31,7 @@ Signals from this rule indicate the presence of a Windows process that is rare a
 - Examine arguments and working directory. These may provide indications as to the source of the program or the nature of the tasks it is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious.
 - If you have file hash values in the event data, and you suspect malware, you can optionally run a search for the file hash to see if the file is identified as malware by anti-malware tools. """
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_process_creation.toml b/rules/ml/ml_windows_anomalous_process_creation.toml
index 4029f3308..be6e92bc2 100644
--- a/rules/ml/ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/ml_windows_anomalous_process_creation.toml
@@ -27,7 +27,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_process_creation"
 name = "Anomalous Windows Process Creation"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_script.toml b/rules/ml/ml_windows_anomalous_script.toml
index 66172bf9f..f2e2366e1 100644
--- a/rules/ml/ml_windows_anomalous_script.toml
+++ b/rules/ml/ml_windows_anomalous_script.toml
@@ -22,7 +22,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_script"
 name = "Suspicious Powershell Script"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_service.toml b/rules/ml/ml_windows_anomalous_service.toml
index 0e8ed05b3..e968af065 100644
--- a/rules/ml/ml_windows_anomalous_service.toml
+++ b/rules/ml/ml_windows_anomalous_service.toml
@@ -23,7 +23,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_anomalous_service"
 name = "Unusual Windows Service"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7"
 severity = "low"
diff --git a/rules/ml/ml_windows_anomalous_user_name.toml b/rules/ml/ml_windows_anomalous_user_name.toml
index 095ca04e1..abdb12a4e 100644
--- a/rules/ml/ml_windows_anomalous_user_name.toml
+++ b/rules/ml/ml_windows_anomalous_user_name.toml
@@ -34,7 +34,7 @@ Signals from this rule indicate activity for a Windows user name that is rare an
 - Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
 - Examine the process arguments, title and working directory. These may provide indications as to the source of the program or the nature of the tasks that the user is performing.
 - Consider the same for the parent process. If the parent process is a legitimate system utility or service, this could be related to software updates or system management. If the parent process is something user-facing like an Office application, this process could be more suspicious."""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5"
 severity = "low"
diff --git a/rules/ml/ml_windows_rare_user_runas_event.toml b/rules/ml/ml_windows_rare_user_runas_event.toml
index b14b1b0b7..dc112b0bb 100644
--- a/rules/ml/ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/ml_windows_rare_user_runas_event.toml
@@ -23,7 +23,7 @@ interval = "15m"
 license = "Elastic License"
 machine_learning_job_id = "windows_rare_user_runas_event"
 name = "Unusual Windows User Privilege Elevation Activity"
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8"
 severity = "low"
diff --git a/rules/ml/ml_windows_rare_user_type10_remote_login.toml b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
index e9677526c..85e17ebbe 100644
--- a/rules/ml/ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
@@ -27,7 +27,7 @@ note = """### Investigating an Unusual Windows User ###
 Signals from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
 - Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
-references = ["https://www.elastic.co/guide/en/siem/guide/current/prebuilt-ml-jobs.html"]
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
 severity = "low"
diff --git a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
index 5a1adcdad..03460c0e4 100644
--- a/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
+++ b/rules/network/command_and_control_proxy_port_activity_to_the_internet.toml
@@ -15,8 +15,7 @@ false_positives = [ """ Some proxied applications may use these ports but this usually occurs in local traffic using private IPs which this rule does not match. Proxies are widely used as a security technology but in enterprise environments this is usually - local traffic which this rule does not match. Internet proxy services using these ports can be white-listed if - desired. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or + local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or destination may be more suspicious. Some cloud environments may use this port when VPNs or direct connects are not in use and cloud instances are accessed across the Internet. Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml index 36b7b839f..4acf54fba 100644 --- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml +++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml @@ -9,7 +9,7 @@ author = ["Elastic"] description = """ Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass -application whitelisting and signature validation. +application allowlists and signature validation. """ index = ["winlogbeat-*"] language = "kuery" 
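Review bot: The added line in the proxy-port rule's `false_positives` text merges two previously wrapped lines into one that runs well past the ~120-column width every neighbouring line of the same string keeps, so the paragraph no longer reads or diffs cleanly. Re-wrap it at the same width, e.g. `local traffic which this rule does not match. If desired, internet proxy services using these ports can be added to` followed by `allowlists. Some screen recording applications may use these ports. Proxy port activity involving an unusual source or`, adjusting the break so neither line exceeds the surrounding width. The same line also introduces lowercase "internet" while the paragraph two lines down writes "the Internet"; pick one spelling for the whole string. The enclosing `false_positives` array begins before and continues past this hunk.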
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 694875822..af12915df 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -8,7 +8,7 @@ updated_date = "2020/06/24"
 author = ["Elastic"]
 description = """
 Identifies the native Windows tools regsvr32.exe and regsvr64.exe making a network connection. This may be indicative of
-an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
+an attacker bypassing allowlists or running arbitrary scripts via a signed Microsoft binary.
 """
 false_positives = [
 """
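Review bot: The regsvr32 rule's `description` is changed while the hunk header shows `updated_date = "2020/06/24"` left as it was; if this repository's convention is that any edit to a rule's content bumps `updated_date`, this hunk (and likely the lolbin and proxy-port description hunks above, whose `updated_date` lines are not visible here) should carry the new date, e.g. `updated_date = "2020/07/13"`. If the convention only applies to query or metadata changes rather than wording, this can be ignored, but it is worth stating in the commit message either way. The `description` string is complete within the hunk; `false_positives` begins on its last line and continues outside it.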