[Rule Tuning] Standardizing Risk Score according to Severity (#2242)

This commit is contained in:
Jonhnathan
2022-08-21 22:29:39 -03:00
committed by GitHub
parent fbfe1e3530
commit 6e2d20362a
23 changed files with 46 additions and 46 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/05/16"
maturity = "production"
updated_date = "2022/07/26"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
"https://twitter.com/GossiTheDog/status/1522964028284411907",
"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
]
risk_score = 43
risk_score = 47
rule_id = "eb6a3790-d52d-11ec-8ce9-f661ea17fbce"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control"]
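Review bot: Nothing in this change enforces the severity-to-risk_score mapping it applies by hand (21 for "low", 47 for "medium", 73 for "high", as the new-side values across all 23 files show), so the drift it corrects — old-side scores such as 43 or 21 sitting next to `severity = "medium"` — can reappear on the next rule edit. Consider adding a unit test to the rule test suite that fails when a rule's `risk_score` falls outside the band for its `severity`, and a one-line note in the contributor docs stating the mapping, e.g. `# risk_score must match severity: low=21, medium=47, high=73 (Kibana defaults)`. These values appear to be Kibana's default severity-to-score mapping; if the intent is exact equality rather than a band, the test should assert equality. This applies to every section of the commit; raised once here.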
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/05/11"
maturity = "production"
updated_date = "2022/05/12"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
"https://twitter.com/GossiTheDog/status/1522964028284411907",
"https://exatrack.com/public/Tricephalic_Hellkeeper.pdf",
]
risk_score = 43
risk_score = 47
rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/07/22"
maturity = "production"
updated_date = "2022/07/22"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ name = "Chkconfig Service Add"
references = [
"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
]
risk_score = 74
risk_score = 47
rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lightning Framework"]
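Review bot: Where the old score and the severity label disagreed, this change resolves the conflict toward the label in every case, and for several Linux persistence rules that means a large drop — 74 to 47 here, 80 to 47 for the Orbit/Lightning Framework rule (1c84dd64…), and 85 to 47 for "Kernel module load via insmod" (2339f03c…). It is worth confirming with the rule authors that `severity = "medium"` was the intended value for kernel-module and dynamic-linker persistence tradecraft rather than the higher score, since the lowered score will de-prioritise these alerts in triage views and, where used, entity risk scoring. The reverse also applies to the two rules that jump from 21 to 73 ("Unusual Child Processes of RunDLL32" and rule 0d8ad79f…), which will rank markedly higher than before; a sentence in the PR description recording that the label was treated as authoritative would make the decision auditable.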
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/07/12"
maturity = "production"
updated_date = "2022/07/12"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ name = "Dynamic Linker Copy"
references = [
"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/"
]
risk_score = 85
risk_score = 73
rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/07/22"
maturity = "production"
updated_date = "2022/07/22"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -17,7 +17,7 @@ references = [
"https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-threat/",
"https://www.intezer.com/blog/research/lightning-framework-new-linux-threat/"
]
risk_score = 80
risk_score = 47
rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit", "Lightning Framework"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/07/11"
maturity = "production"
updated_date = "2022/07/11"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -16,7 +16,7 @@ name = "Kernel module load via insmod"
references = [
"https://decoded.avast.io/davidalvarez/linux-threat-hunting-syslogk-a-kernel-rootkit-found-under-development-in-the-wild/"
]
risk_score = 85
risk_score = 47
rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Rootkit"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/02/23"
maturity = "production"
updated_date = "2022/07/27"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ references = [
"https://posts.specterops.io/introducing-mystikal-4fbd2f7ae520",
"https://github.com/D00MFist/Mystikal"
]
risk_score = 74
risk_score = 47
rule_id = "99239e7d-b0d4-46e3-8609-acafcf99f68c"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Command and Control"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2022/07/20"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "InstallUtil Process Making Network Connections"
risk_score = 21
risk_score = 47
rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "development"
updated_date = "2021/09/23"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "MsBuild Network Connection Sequence"
risk_score = 21
risk_score = 47
rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2022/07/20"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Mshta Making Network Connections"
risk_score = 21
risk_score = 47
rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "development"
updated_date = "2021/10/13"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "MsXsl Making Network Connections"
risk_score = 21
risk_score = 47
rule_id = "870d1753-1078-403e-92d4-735f142edcca"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Network Activity from a Windows System Binary"
risk_score = 21
risk_score = 47
rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2022/07/20"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ interval = "30m"
language = "eql"
license = "Elastic License v2"
name = "Unusual Child Processes of RunDLL32"
risk_score = 21
risk_score = 73
rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/10/24"
maturity = "production"
updated_date = "2022/08/01"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Process Creation CallTrace"
risk_score = 43
risk_score = 47
rule_id = "3ed032b2-45d8-4406-bc79-7ad1eabb2c72"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2022/08/02"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious WMIC XSL Script Execution"
risk_score = 21
risk_score = 47
rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/05/31"
maturity = "production"
updated_date = "2022/07/05"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
"https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)",
"https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/",
]
risk_score = 23
risk_score = 21
rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/10/15"
maturity = "production"
updated_date = "2022/08/02"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -83,7 +83,7 @@ Microsoft introduced the [event used](https://docs.microsoft.com/en-us/windows/s
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 43
risk_score = 47
rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"]
@@ -2,7 +2,7 @@
creation_date = "2020/09/02"
maturity = "development"
query_schema_validation = false
updated_date = "2021/03/03"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Downloaded URL Files"
risk_score = 21
risk_score = 47
rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2022/05/23"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -74,7 +74,7 @@ persistence mechanisms, and malware components.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 21
risk_score = 73
rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/02"
maturity = "production"
updated_date = "2022/03/31"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ note = """## Setup
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
"""
risk_score = 21
risk_score = 47
rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
maturity = "production"
updated_date = "2021/03/03"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
language = "eql"
license = "Elastic License v2"
name = "Installation of Custom Shim Databases"
risk_score = 21
risk_score = 47
rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/17"
maturity = "production"
updated_date = "2022/02/14"
updated_date = "2022/08/17"
min_stack_comments = "EQL regex syntax introduced in 7.12"
min_stack_version = "7.12.0"
@@ -19,7 +19,7 @@ name = "Image File Execution Options Injection"
references = [
"https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/",
]
risk_score = 41
risk_score = 47
rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/11/29"
maturity = "production"
updated_date = "2022/05/09"
updated_date = "2022/08/17"
[rule]
author = ["Elastic"]
@@ -72,7 +72,7 @@ malware components.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
mean time to respond (MTTR).
"""
risk_score = 41
risk_score = 47
rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]