From 6ef5c53b0c15e344f0f2d1649941391aea6fa253 Mon Sep 17 00:00:00 2001 
From: Justin Ibarra Date: Mon, 10 May 2021 13:40:56 -0800 Subject: [PATCH] Cleanup note field in rules (#1194) * standardize usage of note field --- rules/aws/collection_cloudtrail_logging_created.toml | 6 ++++-- ...ential_access_aws_iam_assume_role_brute_force.toml | 6 ++++-- .../credential_access_iam_user_addition_to_group.toml | 6 ++++-- ...ntial_access_root_console_failure_brute_force.toml | 6 ++++-- ...edential_access_secretsmanager_getsecretvalue.toml | 6 ++++-- .../defense_evasion_cloudtrail_logging_deleted.toml | 6 ++++-- .../defense_evasion_cloudtrail_logging_suspended.toml | 6 ++++-- .../defense_evasion_cloudwatch_alarm_deletion.toml | 6 ++++-- .../defense_evasion_config_service_rule_deletion.toml | 6 ++++-- ...efense_evasion_configuration_recorder_stopped.toml | 6 ++++-- rules/aws/defense_evasion_ec2_flow_log_deletion.toml | 6 ++++-- .../aws/defense_evasion_ec2_network_acl_deletion.toml | 6 ++++-- .../defense_evasion_guardduty_detector_deletion.toml | 6 ++++-- ...ense_evasion_s3_bucket_configuration_deletion.toml | 6 ++++-- rules/aws/defense_evasion_waf_acl_deletion.toml | 6 ++++-- ...fense_evasion_waf_rule_or_rule_group_deletion.toml | 6 ++++-- .../exfiltration_ec2_snapshot_change_activity.toml | 6 ++++-- rules/aws/impact_cloudtrail_logging_updated.toml | 6 ++++-- rules/aws/impact_cloudwatch_log_group_deletion.toml | 6 ++++-- rules/aws/impact_cloudwatch_log_stream_deletion.toml | 6 ++++-- rules/aws/impact_ec2_disable_ebs_encryption.toml | 6 ++++-- rules/aws/impact_iam_deactivate_mfa_device.toml | 6 ++++-- rules/aws/impact_iam_group_deletion.toml | 6 ++++-- rules/aws/impact_rds_cluster_deletion.toml | 6 ++++-- rules/aws/impact_rds_instance_cluster_stoppage.toml | 6 ++++-- rules/aws/initial_access_console_login_root.toml | 6 ++++-- rules/aws/initial_access_password_recovery.toml | 6 ++++-- rules/aws/initial_access_via_system_manager.toml | 6 ++++-- rules/aws/persistence_ec2_network_acl_creation.toml | 6 ++++-- rules/aws/persistence_iam_group_creation.toml 
| 6 ++++-- rules/aws/persistence_rds_cluster_creation.toml | 6 ++++-- .../privilege_escalation_root_login_without_mfa.toml | 6 ++++-- .../privilege_escalation_updateassumerolepolicy.toml | 6 ++++-- .../azure/collection_update_event_hub_auth_rule.toml | 6 ++++-- rules/azure/credential_access_key_vault_modified.toml | 6 ++++-- ...ential_access_storage_account_key_regenerated.toml | 6 ++++-- ...ion_azure_application_credential_modification.toml | 6 ++++-- ...se_evasion_azure_diagnostic_settings_deletion.toml | 6 ++++-- ...ense_evasion_azure_service_principal_addition.toml | 6 ++++-- rules/azure/defense_evasion_event_hub_deletion.toml | 6 ++++-- .../defense_evasion_firewall_policy_deletion.toml | 6 ++++-- .../defense_evasion_network_watcher_deletion.toml | 6 ++++-- rules/azure/discovery_blob_container_access_mod.toml | 6 ++++-- rules/azure/execution_command_virtual_machine.toml | 6 ++++-- .../impact_azure_automation_runbook_deleted.toml | 6 ++++-- rules/azure/impact_resource_group_deletion.toml | 6 ++++-- ...ccess_azure_active_directory_high_risk_signin.toml | 6 ++++-- ...cess_azure_active_directory_powershell_signin.toml | 6 ++++-- ...grant_attack_via_azure_registered_application.toml | 11 ++++++++--- .../initial_access_external_guest_user_invite.toml | 6 ++++-- .../persistence_azure_automation_account_created.toml | 6 ++++-- ..._azure_automation_runbook_created_or_modified.toml | 6 ++++-- .../persistence_azure_automation_webhook_created.toml | 6 ++++-- ...ence_azure_conditional_access_policy_modified.toml | 6 ++++-- ...persistence_azure_pim_user_added_global_admin.toml | 6 ++++-- ..._privileged_identity_management_role_modified.toml | 6 ++++-- .../persistence_mfa_disabled_for_azure_user.toml | 6 ++++-- ...nce_user_added_as_owner_for_azure_application.toml | 6 ++++-- ...er_added_as_owner_for_azure_service_principal.toml | 6 ++++-- rules/cross-platform/impact_hosts_file_modified.toml | 6 ++++-- .../initial_access_zoom_meeting_with_no_passcode.toml | 6 ++++-- 
rules/cross-platform/threat_intel_module_match.toml | 6 +++--- .../collection_gcp_pub_sub_subscription_creation.toml | 6 ++++-- rules/gcp/collection_gcp_pub_sub_topic_creation.toml | 6 ++++-- .../defense_evasion_gcp_firewall_rule_created.toml | 6 ++++-- .../defense_evasion_gcp_firewall_rule_deleted.toml | 6 ++++-- .../defense_evasion_gcp_firewall_rule_modified.toml | 6 ++++-- .../defense_evasion_gcp_logging_bucket_deletion.toml | 6 ++++-- .../defense_evasion_gcp_logging_sink_deletion.toml | 6 ++++-- ...nse_evasion_gcp_pub_sub_subscription_deletion.toml | 6 ++++-- .../defense_evasion_gcp_pub_sub_topic_deletion.toml | 6 ++++-- ...ion_gcp_storage_bucket_configuration_modified.toml | 6 ++++-- ...asion_gcp_storage_bucket_permissions_modified.toml | 6 ++++-- .../exfiltration_gcp_logging_sink_modification.toml | 6 ++++-- rules/gcp/impact_gcp_iam_role_deletion.toml | 6 ++++-- rules/gcp/impact_gcp_service_account_deleted.toml | 6 ++++-- rules/gcp/impact_gcp_service_account_disabled.toml | 6 ++++-- rules/gcp/impact_gcp_storage_bucket_deleted.toml | 6 ++++-- ...act_gcp_virtual_private_cloud_network_deleted.toml | 6 ++++-- ...mpact_gcp_virtual_private_cloud_route_created.toml | 6 ++++-- ...mpact_gcp_virtual_private_cloud_route_deleted.toml | 6 ++++-- .../initial_access_gcp_iam_custom_role_creation.toml | 6 ++++-- ...sistence_gcp_iam_service_account_key_deletion.toml | 6 ++++-- ...rsistence_gcp_key_created_for_service_account.toml | 6 ++++-- .../gcp/persistence_gcp_service_account_created.toml | 6 ++++-- .../application_added_to_google_workspace_domain.toml | 8 ++++++-- ...ain_added_to_google_workspace_trusted_domains.toml | 8 ++++++-- .../google_workspace_admin_role_deletion.toml | 8 ++++++-- .../google_workspace_mfa_enforcement_disabled.toml | 8 ++++++-- .../google_workspace_policy_modified.toml | 8 ++++++-- ...fa_disabled_for_google_workspace_organization.toml | 8 ++++++-- ..._google_workspace_admin_role_assigned_to_user.toml | 8 ++++++-- 
...anted_via_domain_wide_delegation_of_authority.toml | 8 ++++++-- ...ce_google_workspace_custom_admin_role_created.toml | 8 ++++++-- .../persistence_google_workspace_role_modified.toml | 8 ++++++-- .../persistence_loginwindow_plist_modification.toml | 6 ++++-- .../collection_microsoft_365_new_inbox_rule.toml | 6 ++++-- ...icrosoft_365_brute_force_user_account_attempt.toml | 6 ++++-- ...rosoft_365_potential_password_spraying_attack.toml | 6 ++++-- ...ion_microsoft_365_exchange_dlp_policy_removed.toml | 6 ++++-- ...t_365_exchange_malware_filter_policy_deletion.toml | 6 ++++-- ...icrosoft_365_exchange_malware_filter_rule_mod.toml | 6 ++++-- ...rosoft_365_exchange_safe_attach_rule_disabled.toml | 6 ++++-- ...icrosoft_365_exchange_transport_rule_creation.toml | 6 ++++-- ...ion_microsoft_365_exchange_transport_rule_mod.toml | 6 ++++-- ...osoft_365_exchange_anti_phish_policy_deletion.toml | 6 ++++-- ...ss_microsoft_365_exchange_anti_phish_rule_mod.toml | 6 ++++-- ...ess_microsoft_365_exchange_safelinks_disabled.toml | 6 ++++-- ...oft_365_exchange_dkim_signing_config_disabled.toml | 6 ++++-- ...soft_365_teams_custom_app_interaction_allowed.toml | 6 ++++-- ...osoft_365_exchange_management_role_assignment.toml | 6 ++++-- ...e_microsoft_365_teams_external_access_enabled.toml | 6 ++++-- ...ence_microsoft_365_teams_guest_access_enabled.toml | 6 ++++-- rules/ml/ml_cloudtrail_error_message_spike.toml | 6 ++++-- rules/ml/ml_cloudtrail_rare_error_code.toml | 6 ++++-- rules/ml/ml_cloudtrail_rare_method_by_city.toml | 6 ++++-- rules/ml/ml_cloudtrail_rare_method_by_country.toml | 6 ++++-- rules/ml/ml_cloudtrail_rare_method_by_user.toml | 6 ++++-- rules/ml/ml_linux_anomalous_network_activity.toml | 6 ++++-- rules/ml/ml_linux_anomalous_process_all_hosts.toml | 6 ++++-- rules/ml/ml_linux_anomalous_user_name.toml | 6 ++++-- rules/ml/ml_rare_process_by_host_linux.toml | 6 ++++-- rules/ml/ml_rare_process_by_host_windows.toml | 6 ++++-- rules/ml/ml_windows_anomalous_network_activity.toml | 
6 ++++-- rules/ml/ml_windows_anomalous_process_all_hosts.toml | 6 ++++-- rules/ml/ml_windows_anomalous_user_name.toml | 6 ++++-- .../ml/ml_windows_rare_user_type10_remote_login.toml | 6 ++++-- .../command_and_control_cobalt_strike_beacon.toml | 6 ++++-- ...control_cobalt_strike_default_teamserver_cert.toml | 6 ++++-- ...control_download_rar_powershell_from_internet.toml | 6 ++++-- .../network/command_and_control_fin7_c2_behavior.toml | 6 ++++-- .../network/command_and_control_halfbaked_beacon.toml | 6 ++++-- .../initial_access_unsecure_elasticsearch_node.toml | 6 ++++-- .../okta/attempt_to_deactivate_okta_network_zone.toml | 6 ++++-- rules/okta/attempt_to_delete_okta_network_zone.toml | 6 ++++-- ...redential_access_attempted_bypass_of_okta_mfa.toml | 6 ++++-- ...ess_attempts_to_brute_force_okta_user_account.toml | 6 ++++-- ..._access_okta_brute_force_or_password_spraying.toml | 6 ++++-- ...s_okta_user_password_reset_or_unlock_attempts.toml | 6 ++++-- .../okta/impact_attempt_to_revoke_okta_api_token.toml | 6 ++++-- rules/okta/impact_possible_okta_dos_attack.toml | 6 ++++-- ...ess_suspicious_activity_reported_by_okta_user.toml | 6 ++++-- .../okta_attempt_to_deactivate_okta_application.toml | 6 ++++-- .../okta/okta_attempt_to_deactivate_okta_policy.toml | 6 ++++-- .../okta_attempt_to_deactivate_okta_policy_rule.toml | 6 ++++-- .../okta/okta_attempt_to_delete_okta_application.toml | 6 ++++-- rules/okta/okta_attempt_to_delete_okta_policy.toml | 6 ++++-- .../okta/okta_attempt_to_delete_okta_policy_rule.toml | 6 ++++-- .../okta/okta_attempt_to_modify_okta_application.toml | 6 ++++-- .../okta_attempt_to_modify_okta_network_zone.toml | 6 ++++-- rules/okta/okta_attempt_to_modify_okta_policy.toml | 6 ++++-- .../okta/okta_attempt_to_modify_okta_policy_rule.toml | 6 ++++-- ...o_modify_or_delete_application_sign_on_policy.toml | 6 ++++-- .../okta_threat_detected_by_okta_threatinsight.toml | 6 ++++-- ...ministrator_privileges_assigned_to_okta_group.toml | 6 ++++-- 
...ence_administrator_role_assigned_to_okta_user.toml | 6 ++++-- .../persistence_attempt_to_create_okta_api_token.toml | 6 ++++-- ...tempt_to_deactivate_mfa_for_okta_user_account.toml | 6 ++++-- ...pt_to_reset_mfa_factors_for_okta_user_account.toml | 6 ++++-- ...command_and_control_remote_file_copy_mpcmdrun.toml | 6 ++++-- ...and_and_control_sunburst_c2_activity_detected.toml | 6 ++++-- ...ntial_access_domain_backup_dpapi_private_keys.toml | 6 ++++-- .../credential_access_mimikatz_powershell_module.toml | 6 ++++-- ...efense_evasion_defender_disabled_via_registry.toml | 6 ++++-- .../defense_evasion_sdelete_like_filename_rename.toml | 6 ++++-- rules/windows/discovery_adfind_command_activity.toml | 6 ++++-- .../windows/execution_from_unusual_path_cmdline.toml | 6 ++++-- .../execution_shared_modules_local_sxs_dll.toml | 6 ++++-- .../initial_access_suspicious_ms_exchange_files.toml | 3 ++- .../initial_access_unusual_dns_service_children.toml | 6 ++++-- ...nitial_access_unusual_dns_service_file_writes.toml | 6 ++++-- .../windows/lateral_movement_dns_server_overflow.toml | 6 ++++-- .../lateral_movement_scheduled_task_target.toml | 6 ++++-- ...vasion_registry_startup_shell_folder_modified.toml | 6 ++++-- .../persistence_local_scheduled_task_scripting.toml | 6 ++++-- ...e_escalation_printspooler_suspicious_spl_file.toml | 6 ++++-- 176 files changed, 725 insertions(+), 353 deletions(-)
diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/aws/collection_cloudtrail_logging_created.toml
index b8cf49920..5fc7bb37c 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/aws/collection_cloudtrail_logging_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudTrail Log Created"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_CreateTrail.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/create-trail.html",
diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
index c01f8c0a4..98789e600 100644
--- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Brute Force of Assume Role Policy"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://www.praetorian.com/blog/aws-iam-assume-role-vulnerabilities",
 "https://rhinosecuritylabs.com/aws/assume-worst-aws-assume-role-enumeration/",
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/aws/credential_access_iam_user_addition_to_group.toml
index 936ccdf81..c5d7a4de2 100644
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/aws/credential_access_iam_user_addition_to_group.toml
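Review bot: The replacement sentence on the `+note` line is hard to parse — it is the rule that has a data requirement, not the data that must "be compatible" — and the identical text is pasted into every AWS `note` hunk in this patch (credential_access_aws_iam_assume_role_brute_force on this same line and the rest of rules/aws), so any later correction has to touch them all again. Suggest `This rule requires events from the AWS Fleet integration, the AWS Filebeat module, or similarly structured data.` and, since the neighbouring hunk header shows `index = ["filebeat-*", "logs-aws*"]`, naming those index patterns in the note so an analyst can confirm the rule actually has data to run against; a detection rule whose source is not shipping fails silently rather than alerting. If the rule tooling can emit a shared setup paragraph, generating this block instead of hand-copying it would keep the files from drifting, though I cannot tell from the diff whether such a mechanism exists.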
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM User Addition to Group"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/IAM/latest/APIReference/API_AddUserToGroup.html"]
 risk_score = 21
 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
diff --git a/rules/aws/credential_access_root_console_failure_brute_force.toml b/rules/aws/credential_access_root_console_failure_brute_force.toml
index fbfb3ddd5..9034d5f98 100644
--- a/rules/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/aws/credential_access_root_console_failure_brute_force.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-aws*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Management Console Brute Force of Root User Identity"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
 risk_score = 73
 rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
index 638fa6b06..4fc267b74 100644
--- a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
@@ -21,7 +21,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Access Secret in Secrets Manager"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html",
 "http://detectioninthe.cloud/credential_access/access_secret_in_secrets_manager/",
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 36358aa2d..cdc1c2790 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudTrail Log Deleted"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_DeleteTrail.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/delete-trail.html",
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 9bad72e96..568850c6c 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudTrail Log Suspended"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_StopLogging.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/stop-logging.html",
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 1ce4f46dd..7c1474608 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudWatch Alarm Deletion"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudwatch/delete-alarms.html",
 "https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_DeleteAlarms.html",
diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/aws/defense_evasion_config_service_rule_deletion.toml
index 3c07893b1..8519fb23a 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/aws/defense_evasion_config_service_rule_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2021/04/13"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -23,7 +23,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Config Service Tampering"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html",
 "https://docs.aws.amazon.com/config/latest/APIReference/API_Operations.html",
diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
index 20e0bcb48..09df4fe0e 100644
--- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Configuration Recorder Stopped"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/configservice/stop-configuration-recorder.html",
 "https://docs.aws.amazon.com/config/latest/APIReference/API_StopConfigurationRecorder.html",
diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
index 4bc975de1..7d51cdafb 100644
--- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Flow Log Deletion"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-flow-logs.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteFlowLogs.html",
diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
index eba6b2f7b..27c6b33d4 100644
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Network Access Control List Deletion"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/delete-network-acl.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DeleteNetworkAcl.html",
diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
index e6c8379fa..3382be44f 100644
--- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS GuardDuty Detector Deletion"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/guardduty/delete-detector.html",
 "https://docs.aws.amazon.com/guardduty/latest/APIReference/API_DeleteDetector.html",
diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 93e0ce3cc..78d8b95e9 100644
--- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS S3 Bucket Configuration Deletion"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketPolicy.html",
 "https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteBucketReplication.html",
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/aws/defense_evasion_waf_acl_deletion.toml
index 6386652bc..ab1d496f6 100644
--- a/rules/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/aws/defense_evasion_waf_acl_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS WAF Access Control List Deletion"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf-regional/delete-web-acl.html",
 "https://docs.aws.amazon.com/waf/latest/APIReference/API_wafRegional_DeleteWebACL.html",
diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index abfcc098b..ab6fbbdd2 100644
--- a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/09"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS WAF Rule or Rule Group Deletion"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/waf/delete-rule-group.html",
 "https://docs.aws.amazon.com/waf/latest/APIReference/API_waf_DeleteRuleGroup.html",
diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
index a7b1daf29..48a801774 100644
--- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/24"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Snapshot Activity"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/modify-snapshot-attribute.html",
 "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_ModifySnapshotAttribute.html",
diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/aws/impact_cloudtrail_logging_updated.toml
index b3ea1f7e2..c333ffc71 100644
--- a/rules/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/aws/impact_cloudtrail_logging_updated.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudTrail Log Updated"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.aws.amazon.com/awscloudtrail/latest/APIReference/API_UpdateTrail.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudtrail/update-trail.html",
diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/aws/impact_cloudwatch_log_group_deletion.toml
index 1a24d04fa..7aa3cd0da 100644
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/18"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudWatch Log Group Deletion"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-group.html",
 "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogGroup.html",
diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
index 01289f8bb..6760b73e7 100644
--- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS CloudWatch Log Stream Deletion"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/logs/delete-log-stream.html",
 "https://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/API_DeleteLogStream.html",
diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/aws/impact_ec2_disable_ebs_encryption.toml
index 0a0353efa..158d23eb7 100644
--- a/rules/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/aws/impact_ec2_disable_ebs_encryption.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Encryption Disabled"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html",
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/disable-ebs-encryption-by-default.html",
diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/aws/impact_iam_deactivate_mfa_device.toml
index 58bea8c7c..6ba260ef2 100644
--- a/rules/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/aws/impact_iam_deactivate_mfa_device.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/04/20"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -23,7 +23,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Deactivation of MFA Device"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/deactivate-mfa-device.html",
 "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeactivateMFADevice.html",
diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/aws/impact_iam_group_deletion.toml
index 0bbc36aab..60f8ab568 100644
--- a/rules/aws/impact_iam_group_deletion.toml
+++ b/rules/aws/impact_iam_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Group Deletion"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/delete-group.html",
     "https://docs.aws.amazon.com/IAM/latest/APIReference/API_DeleteGroup.html",
diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/aws/impact_rds_cluster_deletion.toml
index a16253165..53edd45dd 100644
--- a/rules/aws/impact_rds_cluster_deletion.toml
+++ b/rules/aws/impact_rds_cluster_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Cluster Deletion"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/delete-db-cluster.html",
     "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DeleteDBCluster.html",
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/aws/impact_rds_instance_cluster_stoppage.toml
index 49a83416a..cc042dc00 100644
--- a/rules/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/aws/impact_rds_instance_cluster_stoppage.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Instance/Cluster Stoppage"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/stop-db-cluster.html",
     "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StopDBCluster.html",
diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/aws/initial_access_console_login_root.toml
index 5d4340b7e..ef4600158 100644
--- a/rules/aws/initial_access_console_login_root.toml
+++ b/rules/aws/initial_access_console_login_root.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/11"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Management Console Root Login"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
 risk_score = 73
 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/aws/initial_access_password_recovery.toml
index 1fc90b7fa..cc7f9aa8d 100644
--- a/rules/aws/initial_access_password_recovery.toml
+++ b/rules/aws/initial_access_password_recovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Password Recovery Requested"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://www.cadosecurity.com/2020/06/11/an-ongoing-aws-phishing-campaign/"]
 risk_score = 21
 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
diff --git a/rules/aws/initial_access_via_system_manager.toml b/rules/aws/initial_access_via_system_manager.toml
index 9202b9921..f405e67e1 100644
--- a/rules/aws/initial_access_via_system_manager.toml
+++ b/rules/aws/initial_access_via_system_manager.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Execution via System Manager"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-plugins.html"]
 risk_score = 21
 rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/aws/persistence_ec2_network_acl_creation.toml
index fbbe83fdc..b109af0f8 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/aws/persistence_ec2_network_acl_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS EC2 Network Access Control List Creation"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/ec2/create-network-acl.html",
     "https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkAcl.html",
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/aws/persistence_iam_group_creation.toml
index f19d7488d..c9f4c4ec5 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/aws/persistence_iam_group_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Group Creation"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-group.html",
     "https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreateGroup.html",
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/aws/persistence_rds_cluster_creation.toml
index 00f126fb1..f189d2479 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/aws/persistence_rds_cluster_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS RDS Cluster Creation"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://awscli.amazonaws.com/v2/documentation/api/latest/reference/rds/create-db-cluster.html",
     "https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBCluster.html",
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/aws/privilege_escalation_root_login_without_mfa.toml
index 3fd3b6696..e1d42995b 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/aws/privilege_escalation_root_login_without_mfa.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS Root Login Without MFA"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html"]
 risk_score = 73
 rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
index acb113033..fe42d5424 100644
--- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ interval = "10m"
 language = "kuery"
 license = "Elastic License v2"
 name = "AWS IAM Assume Role Policy Update"
-note = "The AWS Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://labs.bishopfox.com/tech-blog/5-privesc-attack-vectors-in-aws"]
 risk_score = 21
 rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
diff --git a/rules/azure/collection_update_event_hub_auth_rule.toml b/rules/azure/collection_update_event_hub_auth_rule.toml
index c68f9ea39..f2f32ffd2 100644
--- a/rules/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/azure/collection_update_event_hub_auth_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Event Hub Authorization Rule Created or Updated"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
 risk_score = 47
 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
diff --git a/rules/azure/credential_access_key_vault_modified.toml b/rules/azure/credential_access_key_vault_modified.toml
index 589f1ac6b..c8cb00d0b 100644
--- a/rules/azure/credential_access_key_vault_modified.toml
+++ b/rules/azure/credential_access_key_vault_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Key Vault Modified"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://docs.microsoft.com/en-us/azure/key-vault/general/basic-concepts",
     "https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault",
diff --git a/rules/azure/credential_access_storage_account_key_regenerated.toml b/rules/azure/credential_access_storage_account_key_regenerated.toml
index a9156380c..3fb65b30c 100644
--- a/rules/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/azure/credential_access_storage_account_key_regenerated.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Storage Account Key Regenerated"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal",
 ]
diff --git a/rules/azure/defense_evasion_azure_application_credential_modification.toml b/rules/azure/defense_evasion_azure_application_credential_modification.toml
index f834d36ca..20c3c94af 100644
--- a/rules/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/azure/defense_evasion_azure_application_credential_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Application Credential Modification"
-note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
 ]
diff --git a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index d95640f8f..f417c9b2c 100644
--- a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Diagnostic Settings Deletion"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/diagnostic-settings"]
 risk_score = 47
 rule_id = "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de"
diff --git a/rules/azure/defense_evasion_azure_service_principal_addition.toml b/rules/azure/defense_evasion_azure_service_principal_addition.toml
index b7c0c8c42..47b37056b 100644
--- a/rules/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/azure/defense_evasion_azure_service_principal_addition.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Service Principal Addition"
-note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
     "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal",
diff --git a/rules/azure/defense_evasion_event_hub_deletion.toml b/rules/azure/defense_evasion_event_hub_deletion.toml
index d035e2e48..93f3d7583 100644
--- a/rules/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/azure/defense_evasion_event_hub_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Event Hub Deletion"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-about",
     "https://azure.microsoft.com/en-in/services/event-hubs/",
diff --git a/rules/azure/defense_evasion_firewall_policy_deletion.toml b/rules/azure/defense_evasion_firewall_policy_deletion.toml
index 63db6a177..114deff19 100644
--- a/rules/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/azure/defense_evasion_firewall_policy_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Firewall Policy Deletion"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-overview"]
 risk_score = 21
 rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
diff --git a/rules/azure/defense_evasion_network_watcher_deletion.toml b/rules/azure/defense_evasion_network_watcher_deletion.toml
index 41e903722..2673d2267 100644
--- a/rules/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/azure/defense_evasion_network_watcher_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Network Watcher Deletion"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-monitoring-overview"]
 risk_score = 47
 rule_id = "323cb487-279d-4218-bcbd-a568efe930c6"
diff --git a/rules/azure/discovery_blob_container_access_mod.toml b/rules/azure/discovery_blob_container_access_mod.toml
index 5d2725785..b7dcd4f3c 100644
--- a/rules/azure/discovery_blob_container_access_mod.toml
+++ b/rules/azure/discovery_blob_container_access_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Blob Container Access Level Modification"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-prevent"]
 risk_score = 21
 rule_id = "2636aa6c-88b5-4337-9c31-8d0192a8ef45"
diff --git a/rules/azure/execution_command_virtual_machine.toml b/rules/azure/execution_command_virtual_machine.toml
index de9381a5d..4b694c280 100644
--- a/rules/azure/execution_command_virtual_machine.toml
+++ b/rules/azure/execution_command_virtual_machine.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Command Execution on Virtual Machine"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://adsecurity.org/?p=4277",
     "https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a",
diff --git a/rules/azure/impact_azure_automation_runbook_deleted.toml b/rules/azure/impact_azure_automation_runbook_deleted.toml
index f0a50dccc..ff425325f 100644
--- a/rules/azure/impact_azure_automation_runbook_deleted.toml
+++ b/rules/azure/impact_azure_automation_runbook_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Automation Runbook Deleted"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
     "https://github.com/hausec/PowerZure",
diff --git a/rules/azure/impact_resource_group_deletion.toml b/rules/azure/impact_resource_group_deletion.toml
index 9b2e80a5f..1e9505643 100644
--- a/rules/azure/impact_resource_group_deletion.toml
+++ b/rules/azure/impact_resource_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Resource Group Deletion"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal",
 ]
diff --git a/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
index ad7ae9450..b86f013fb 100644
--- a/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic", "Willem D'Haese"]
@@ -16,7 +16,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Active Directory High Risk Sign-in"
-note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
     "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
diff --git a/rules/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
index fb3a78d6e..a76d8128e 100644
--- a/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Active Directory PowerShell Sign-in"
-note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
     "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide",
diff --git a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index e2c02c756..e49b30313 100644
--- a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -15,11 +15,16 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Possible Consent Grant Attack via Azure-Registered Application"
-note = """- The Azure Filebeat module must be enabled to use this rule.
+note = """## Triage and analysis
+
 - In a consent grant attack, an attacker tricks an end user into granting a malicious application consent to access their data, usually via a phishing attack. After the malicious application has been granted consent, it has account-level access to data without the need for an organizational account.
 - Normal remediation steps, like resetting passwords for breached accounts or requiring Multi-Factor Authentication (MFA) on accounts, are not effective against this type of attack, since these are third-party applications and are external to the organization.
 - Security analysts should review the list of trusted applications for any suspicious items.
-"""
+
+
+## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide",
 ]
diff --git a/rules/azure/initial_access_external_guest_user_invite.toml b/rules/azure/initial_access_external_guest_user_invite.toml
index ed5cbbdb2..e6c1cc949 100644
--- a/rules/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/azure/initial_access_external_guest_user_invite.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
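Review bot: The rebuilt `note` in the consent-grant rule inserts two blank added lines between the last triage bullet and `## Config`, while every other rule in this patch separates its sections with a single blank line; since the commit's stated purpose is to standardize the note field, this one should match. Dropping one of the two `+` blank lines before `+## Config` is enough. The triage bullets themselves are unchanged context and read fine under the new heading.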
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure External Guest User Invitation"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"]
 risk_score = 21
 rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
diff --git a/rules/azure/persistence_azure_automation_account_created.toml b/rules/azure/persistence_azure_automation_account_created.toml
index 651363701..798d91e65 100644
--- a/rules/azure/persistence_azure_automation_account_created.toml
+++ b/rules/azure/persistence_azure_automation_account_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Automation Account Created"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
     "https://github.com/hausec/PowerZure",
diff --git a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
index f3667dc41..ac281f635 100644
--- a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/04"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Automation Runbook Created or Modified"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
 "https://github.com/hausec/PowerZure",
diff --git a/rules/azure/persistence_azure_automation_webhook_created.toml b/rules/azure/persistence_azure_automation_webhook_created.toml
index 25ee2fbed..a37f7c3ad 100644
--- a/rules/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/azure/persistence_azure_automation_webhook_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Automation Webhook Created"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://powerzure.readthedocs.io/en/latest/Functions/operational.html#create-backdoor",
 "https://github.com/hausec/PowerZure",
diff --git a/rules/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/azure/persistence_azure_conditional_access_policy_modified.toml
index 424f6682c..4e737e79e 100644
--- a/rules/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Conditional Access Policy Modified"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview"]
 risk_score = 47
 rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
diff --git a/rules/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/azure/persistence_azure_pim_user_added_global_admin.toml
index 69602dc43..65d81e8d0 100644
--- a/rules/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/24"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Global Administrator Role Addition to PIM User"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
 ]
diff --git a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
index 8e52d7908..1d6edcc87 100644
--- a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Privilege Identity Management Role Modified"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles",
 "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure",
diff --git a/rules/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/azure/persistence_mfa_disabled_for_azure_user.toml
index c0a0ffdc1..fbcb6d8c0 100644
--- a/rules/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Multi-Factor Authentication Disabled for an Azure User"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 risk_score = 47
 rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
 severity = "medium"
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
index 8b88fe34b..e7804741a 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "User Added as Owner for Azure Application"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 risk_score = 21
 rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86"
 severity = "low"
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index c19d87165..d21f4a407 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,9 @@ index = ["filebeat-*", "logs-azure*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "User Added as Owner for Azure Service Principal"
-note = "The Azure Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://docs.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals",
 ]
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index ccd47cb47..6dfd70f1b 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/07"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,9 @@ index = ["auditbeat-*", "winlogbeat-*", "logs-endpoint.events.*", "logs-windows.
 language = "eql"
 license = "Elastic License v2"
 name = "Hosts File Modified"
-note = "For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml."
+note = """## Config
+
+For Windows systems using Auditbeat, this rule requires adding 'C:/Windows/System32/drivers/etc' as an additional path in the 'file_integrity' module of auditbeat.yml."""
 references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-reference-yml.html"]
 risk_score = 47
 rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index 05ad411c9..f8fa1b7cb 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/14"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,9 @@ index = ["filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Zoom Meeting with no Passcode"
-note = "This rule requires the Zoom Filebeat module."
+note = """## Config
+
+The Zoom Filebeat module or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://blog.zoom.us/a-message-to-our-users/",
 "https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic",
diff --git a/rules/cross-platform/threat_intel_module_match.toml b/rules/cross-platform/threat_intel_module_match.toml
index 899b24f64..1ce0c43e3 100644
--- a/rules/cross-platform/threat_intel_module_match.toml
+++ b/rules/cross-platform/threat_intel_module_match.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/04/21"
 maturity = "production"
-updated_date = "2021/04/21"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,8 +14,8 @@ interval = "9m"
 language = "kuery"
 license = "Elastic License v2"
 name = "Threat Intel Filebeat Module Indicator Match"
-note = """
-## Triage and Analysis
+note = """## Triage and Analysis
+
 If an indicator matches a local observation, the following enriched fields will be generated to identify the indicator, field, and type matched.
 
 - `threatintel.indicator.matched.atomic` - this identifies the atomic indicator that matched the local observation
diff --git a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 97ec23ad8..8e729a7ec 100644
--- a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Pub/Sub Subscription Creation"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "d62b64a8-a7c9-43e5-aee3-15a725a794e7"
diff --git a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
index 196be90b9..55fd2bc64 100644
--- a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Pub/Sub Topic Creation"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/pubsub/docs/admin"]
 risk_score = 21
 rule_id = "a10d3d9d-0f65-48f1-8b25-af175e2594f5"
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
index ce3664160..98486db1a 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Firewall Rule Creation"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
 risk_score = 21
 rule_id = "30562697-9859-4ae0-a8c5-dab45d664170"
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index 082fc6af0..2494ce0fd 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Firewall Rule Deletion"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
 risk_score = 47
 rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1"
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index 945eb96c8..8ab15b925 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Firewall Rule Modification"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/firewalls"]
 risk_score = 47
 rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b"
diff --git a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index 5ac477009..e03f4bd2e 100644
--- a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Logging Bucket Deletion"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.google.com/logging/docs/storage"]
 risk_score = 47
 rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e"
diff --git a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index 17ebbe970..d99130274 100644
--- a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Logging Sink Deletion"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/logging/docs/export"]
 risk_score = 47
 rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305"
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index 0f9a6cdb6..ca0343a54 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Pub/Sub Subscription Deletion"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3"
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index 7a0bdaeb5..1fe7b3f4d 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Pub/Sub Topic Deletion"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "3202e172-01b1-4738-a932-d024c514ba72"
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index 2c95a19a8..2bc42b9c3 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Storage Bucket Configuration Modification"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e"
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 5bb804a4a..49401c18e 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Storage Bucket Permissions Modification"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/storage/docs/access-control/iam-permissions"]
 risk_score = 47
 rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d"
diff --git a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
index 57ceaddd4..b735412de 100644
--- a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Logging Sink Modification"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
 risk_score = 21
 rule_id = "184dfe52-2999-42d9-b9d1-d1ca54495a61"
diff --git a/rules/gcp/impact_gcp_iam_role_deletion.toml b/rules/gcp/impact_gcp_iam_role_deletion.toml
index 980f6432b..16f93ee58 100644
--- a/rules/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/gcp/impact_gcp_iam_role_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP IAM Role Deletion"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/iam/docs/understanding-roles"]
 risk_score = 21
 rule_id = "e2fb5b18-e33c-4270-851e-c3d675c9afcd"
diff --git a/rules/gcp/impact_gcp_service_account_deleted.toml b/rules/gcp/impact_gcp_service_account_deleted.toml
index ef5b9a3b6..0f167ac7b 100644
--- a/rules/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/gcp/impact_gcp_service_account_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Service Account Deletion"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13"
diff --git a/rules/gcp/impact_gcp_service_account_disabled.toml b/rules/gcp/impact_gcp_service_account_disabled.toml
index 24c6e4bb6..4e0c480c3 100644
--- a/rules/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/gcp/impact_gcp_service_account_disabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Service Account Disabled"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "bca7d28e-4a48-47b1-adb7-5074310e9a61"
diff --git a/rules/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
index 873050391..87c6325a0 100644
--- a/rules/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Storage Bucket Deletion"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331"
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml b/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
index 053d2267b..1048d586f 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Network Deletion"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/vpc"]
 risk_score = 47
 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6"
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
index 10073cab2..7e79082d4 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/22"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Route Creation"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
 risk_score = 21
 rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml b/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
index 2d2dfb7eb..1e73654b8 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Virtual Private Cloud Route Deletion"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.com/vpc/docs/using-routes"]
 risk_score = 47
 rule_id = "a17bcc91-297b-459b-b5ce-bc7460d8f82a"
diff --git a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
index c17077902..d27befa4e 100644
--- a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP IAM Custom Role Creation"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
 risk_score = 47
 rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
diff --git a/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 669ec9249..1c2d66959 100644
--- a/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP IAM Service Account Key Deletion"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://cloud.google.com/iam/docs/service-accounts",
 "https://cloud.google.com/iam/docs/creating-managing-service-account-keys",
diff --git a/rules/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/gcp/persistence_gcp_key_created_for_service_account.toml
index b0e053784..88ee49bc1 100644
--- a/rules/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-gcp*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "GCP Service Account Key Creation"
-note = "The GCP Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
 "https://cloud.google.com/iam/docs/service-accounts",
 "https://cloud.google.com/iam/docs/creating-managing-service-account-keys",
diff --git a/rules/gcp/persistence_gcp_service_account_created.toml b/rules/gcp/persistence_gcp_service_account_created.toml
index 39b4155f8..0d7de23d2 100644
--- a/rules/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/gcp/persistence_gcp_service_account_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,9 @@ index = ["filebeat-*", "logs-gcp*"] language = "kuery" license = "Elastic License v2" name = "GCP Service Account Creation" -note = "The GCP Filebeat module must be enabled to use this rule." +note = """## Config + +The GCP Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://cloud.google.com/iam/docs/service-accounts"] risk_score = 21 rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623" diff --git a/rules/google-workspace/application_added_to_google_workspace_domain.toml b/rules/google-workspace/application_added_to_google_workspace_domain.toml index fc6a78204..3703336a2 100644 --- a/rules/google-workspace/application_added_to_google_workspace_domain.toml +++ b/rules/google-workspace/application_added_to_google_workspace_domain.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] @@ -22,7 +22,11 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "Application Added to Google Workspace Domain" -note = """### Important Information Regarding Google Workspace Event Lag Times +note = """## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. 
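Review bot: The third lag-time bullet still advises reducing the polling interval of the "Google Workspace (formerly G Suite) Filebeat module" only, while the Config section added directly above it now also lists the Fleet integration as an accepted source, so an operator running the integration is given no mitigation for the up-to-3-day event lag the note warns about. Suggested wording for that bullet: `- To reduce the risk of false negatives, consider reducing the interval at which the Google Workspace (formerly G Suite) Fleet integration or Filebeat module polls Google's reporting API for new events.` The identical three-bullet block is repeated in every Google Workspace hunk of this patch, so the change applies to each of them. The "lookback time of 130 minutes" claim cannot be verified from the hunk because the rule's `from` field lies outside it; only `interval = "10m"` is visible.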
diff --git a/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml b/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml index 2b19c8998..cb3299449 100644 --- a/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml +++ b/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] @@ -21,7 +21,11 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "Domain Added to Google Workspace Trusted Domains" -note = """### Important Information Regarding Google Workspace Event Lag Times +note = """## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. diff --git a/rules/google-workspace/google_workspace_admin_role_deletion.toml b/rules/google-workspace/google_workspace_admin_role_deletion.toml index e73d06a8b..d2b9d8b34 100644 --- a/rules/google-workspace/google_workspace_admin_role_deletion.toml +++ b/rules/google-workspace/google_workspace_admin_role_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -21,7 +21,11 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "Google Workspace Admin Role Deletion" -note = """### Important Information Regarding Google Workspace Event Lag Times +note = """## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. diff --git a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml b/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml index 9b004a660..e3425b9b4 100644 --- a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml +++ b/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -21,7 +21,11 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "Google Workspace MFA Enforcement Disabled" -note = """### Important Information Regarding Google Workspace Event Lag Times +note = """## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. diff --git a/rules/google-workspace/google_workspace_policy_modified.toml b/rules/google-workspace/google_workspace_policy_modified.toml index a822c3bb7..82d866fc3 100644 --- a/rules/google-workspace/google_workspace_policy_modified.toml +++ b/rules/google-workspace/google_workspace_policy_modified.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -21,7 +21,11 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "Google Workspace Password Policy Modified" -note = """### Important Information Regarding Google Workspace Event Lag Times +note = """## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. diff --git a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml b/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml index 109d2549e..ec34c9be9 100644 --- a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml +++ b/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -21,7 +21,11 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "MFA Disabled for Google Workspace Organization" -note = """### Important Information Regarding Google Workspace Event Lag Times +note = """## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. diff --git a/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml index 109659514..49648f5fa 100644 --- a/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml +++ b/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -21,7 +21,11 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "Google Workspace Admin Role Assigned to a User" -note = """### Important Information Regarding Google Workspace Event Lag Times +note = """## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. diff --git a/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml index e620c2bde..10e9100c2 100644 --- a/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml +++ b/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/12" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -22,7 +22,11 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "Google Workspace API Access Granted via Domain-Wide Delegation of Authority" -note = """### Important Information Regarding Google Workspace Event Lag Times +note = """## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. diff --git a/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml index 92d427563..4b468c4c8 100644 --- a/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml +++ b/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -21,7 +21,11 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "Google Workspace Custom Admin Role Created" -note = """### Important Information Regarding Google Workspace Event Lag Times +note = """## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. diff --git a/rules/google-workspace/persistence_google_workspace_role_modified.toml b/rules/google-workspace/persistence_google_workspace_role_modified.toml index e612b0955..90669e3b6 100644 --- a/rules/google-workspace/persistence_google_workspace_role_modified.toml +++ b/rules/google-workspace/persistence_google_workspace_role_modified.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/17" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -21,7 +21,11 @@ interval = "10m" language = "kuery" license = "Elastic License v2" name = "Google Workspace Role Modified" -note = """### Important Information Regarding Google Workspace Event Lag Times +note = """## Config + +The Google Workspace Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule. + +### Important Information Regarding Google Workspace Event Lag Times - As per Google's documentation, Google Workspace administrators may observe lag times ranging from minutes up to 3 days between the time of an event's occurrence and the event being visible in the Google Workspace admin/audit logs. - This rule is configured to run every 10 minutes with a lookback time of 130 minutes. - To reduce the risk of false negatives, consider reducing the interval that the Google Workspace (formerly G Suite) Filebeat module polls Google's reporting API for new events. diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml index ffa4efea4..de9b092b1 100644 --- a/rules/macos/persistence_loginwindow_plist_modification.toml +++ b/rules/macos/persistence_loginwindow_plist_modification.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/01/21" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -14,7 +14,9 @@ index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License v2" name = "Potential Persistence via Login Hook" -note = "Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system." +note = """## Triage and analysis + +Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. This can be abused to establish or maintain persistence on a compromised system.""" references = ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"] risk_score = 47 rule_id = "ac412404-57a5-476f-858f-4e8fbb4f48d8" diff --git a/rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml b/rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml index 0563f8864..15e82fbbc 100644 --- a/rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml +++ b/rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2021/03/29" maturity = "production" -updated_date = "2021/03/29" +updated_date = "2021/05/10" [rule] author = ["Elastic", "Gary Blackwell", "Austin Songer"] @@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 New Inbox Rule Created" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/responding-to-a-compromised-email-account?view=o365-worldwide", "https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps", 
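Review bot: The new "## Triage and analysis" section carries only a background sentence and no triage guidance, and that sentence describes applications being re-opened after a reboot, which does not obviously match the rule name "Potential Persistence via Login Hook" or the cited PersistentJXA LoginScript.js reference, which appears to set a `LoginHook` in com.apple.loginwindow so that a script runs at login; the rule's query is outside the hunk, so confirm which mechanism it actually matches before changing the text. If it is the LoginHook key, consider replacing the paragraph with a sentence explaining that a login hook executes an arbitrary script at every login (Apple's documentation describes it as running as root — verify before asserting that in the note) and that the modified loginwindow plist is the persistence artifact. Then add two or three concrete triage steps: identify the process and user account that modified the plist, inspect the script path the hook points to, and check whether the change coincides with an MDM or administrative deployment, which is a common benign source of such modifications.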
diff --git a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml index b3b494aa4..9ed5bcec4 100644 --- a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml +++ b/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/30" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] @@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Attempts to Brute Force a Microsoft 365 User Account" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" risk_score = 73 rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d" severity = "high" diff --git a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml index 5f5de37b2..ddc55dae8 100644 --- a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml +++ b/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/12/01" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Potential Password Spraying of Microsoft 365 User Accounts" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" risk_score = 73 rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d" severity = "high" diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml index 531c17f62..171edc5a2 100644 --- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml +++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/20" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] @@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange DLP Policy Removed" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-dlppolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/compliance/data-loss-prevention-policies?view=o365-worldwide", diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml index 5ceec6c56..b289b7583 100644 
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml +++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] @@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange Malware Filter Policy Deletion" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterpolicy?view=exchange-ps", ] diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml index 72d619601..16159c1bb 100644 --- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml +++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange Malware Filter Rule Modification" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-malwarefilterrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-malwarefilterrule?view=exchange-ps", diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml index cb1ab8e6c..3e63453b8 100644 --- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml +++ b/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] @@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange Safe Attachment Rule Disabled" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safeattachmentrule?view=exchange-ps", ] 
diff --git a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml index a154afe29..693de73a4 100644 --- a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml +++ b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] @@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange Transport Rule Creation" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/new-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules", diff --git a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml index eb090e627..c1a1ec8fb 100644 --- a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml +++ b/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange Transport Rule Modification" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-transportrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-transportrule?view=exchange-ps", diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml index d08455f66..b5a7d2817 100644 --- a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml +++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] @@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange Anti-Phish Policy Deletion" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishpolicy?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-anti-phishing-policies?view=o365-worldwide", 
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml index 1b374938b..7e9ce2fa4 100644 --- a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml +++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/19" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] @@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange Anti-Phish Rule Modification" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/remove-antiphishrule?view=exchange-ps", "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-antiphishrule?view=exchange-ps", diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml index a31bb3ad5..6b7a65ec6 100644 --- a/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml +++ b/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange Safe Link Policy Disabled" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/disable-safelinksrule?view=exchange-ps", "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-safe-links?view=o365-worldwide", diff --git a/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml index 53d340185..a4b103a03 100644 --- a/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml +++ b/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/18" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] @@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Exchange DKIM Signing Configuration Disabled" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = [ "https://docs.microsoft.com/en-us/powershell/module/exchange/set-dkimsigningconfig?view=exchange-ps", ] diff --git a/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml index b7be6ae99..f67493f98 100644 
--- a/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml +++ b/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/30" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] @@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"] language = "kuery" license = "Elastic License v2" name = "Microsoft 365 Teams Custom Application Interaction Allowed" -note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule." +note = """## Config + +The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.microsoft.com/en-us/microsoftteams/platform/concepts/deploy-and-publish/apps-upload"] risk_score = 47 rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac" diff --git a/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml index 53c78b895..1646fc7b1 100644 --- a/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml +++ b/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml @@ -1,7 +1,7 @@ [metadata] creation_date = "2020/11/20" maturity = "production" -updated_date = "2021/03/03" +updated_date = "2021/05/10" [rule] author = ["Elastic"] 
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Exchange Management Group Role Assignment"
-note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps",
     "https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/about-admin-roles?view=o365-worldwide",
diff --git a/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
index e870da0e4..3bd94958e 100644
--- a/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Teams External Access Enabled"
-note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-access"]
 risk_score = 47
 rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
diff --git a/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
index d319c93da..589df0229 100644
--- a/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-o365*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft 365 Teams Guest Access Enabled"
-note = "The Microsoft 365 Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://docs.microsoft.com/en-us/powershell/module/skype/get-csteamsclientconfiguration?view=skype-ps",
 ]
diff --git a/rules/ml/ml_cloudtrail_error_message_spike.toml b/rules/ml/ml_cloudtrail_error_message_spike.toml
index 1d8bce75e..f689639e6 100644
--- a/rules/ml/ml_cloudtrail_error_message_spike.toml
+++ b/rules/ml/ml_cloudtrail_error_message_spike.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +22,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "high_distinct_count_error_message"
 name = "Spike in AWS Error Messages"
-note = """### Investigating Spikes in CloudTrail Errors ###
+note = """## Triage and analysis
+
+### Investigating Spikes in CloudTrail Errors
 Detection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:
 - Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_message` field, manifested only very recently, it might be related to recent changes in an automation module or script.
 - Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation or lateral movement attempts.
diff --git a/rules/ml/ml_cloudtrail_rare_error_code.toml b/rules/ml/ml_cloudtrail_rare_error_code.toml
index 7ebf968f9..ad9161306 100644
--- a/rules/ml/ml_cloudtrail_rare_error_code.toml
+++ b/rules/ml/ml_cloudtrail_rare_error_code.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/04/12"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +22,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_error_code"
 name = "Rare AWS Error Code"
-note = """### Investigating Unusual CloudTrail Error Activity ###
+note = """## Triage and analysis
+
+Investigating Unusual CloudTrail Error Activity ###
 Detection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:
 - Examine the history of the error. Has it manifested before? If the error, which is visible in the `aws.cloudtrail.error_code field`, manifested only very recently, it might be related to recent changes in an automation module or script.
 - Examine the request parameters. These may provide indications as to the nature of the task being performed when the error occurred. Is the error related to unsuccessful attempts to enumerate or access objects, data, or secrets? If so, this can sometimes be a byproduct of discovery, privilege escalation, or lateral movement attempts.
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_city.toml b/rules/ml/ml_cloudtrail_rare_method_by_city.toml
index 48da5e8e8..fc22b0b75 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_city.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/04/12"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
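Review bot: The third added line of the `@@ -22,7 +22,9 @@` hunk for rules/ml/ml_cloudtrail_rare_error_code.toml loses the leading `### ` but keeps the trailing ` ###`, so the investigation title is emitted as the plain text `Investigating Unusual CloudTrail Error Activity ###` instead of the level-3 heading every sibling ML rule in this commit gets; it should read `### Investigating Unusual CloudTrail Error Activity`. Since the note is rendered as Markdown in the alert UI, the stray hashes will be visible to the analyst doing triage. The surviving context line below it also has the closing backtick after the word field (`aws.cloudtrail.error_code field`) rather than before it, which is pre-existing but cheap to fix in the same standardisation pass. The note value continues past the end of the hunk.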
@@ -23,7 +23,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_city"
 name = "Unusual City For an AWS Command"
-note = """### Investigating an Unusual CloudTrail Event ###
+note = """## Triage and analysis
+
+### Investigating an Unusual CloudTrail Event
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:
 - Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
 - Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_country.toml b/rules/ml/ml_cloudtrail_rare_method_by_country.toml
index 7e34c2d3d..dc43a0197 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_country.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/04/12"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +23,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_country"
 name = "Unusual Country For an AWS Command"
-note = """### Investigating an Unusual CloudTrail Event ###
+note = """## Triage and analysis
+
+### Investigating an Unusual CloudTrail Event
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:
 - Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
 - Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_user.toml b/rules/ml/ml_cloudtrail_rare_method_by_user.toml
index ce0750614..29635ab84 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/ml/ml_cloudtrail_rare_method_by_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/04/12"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 75
@@ -22,7 +22,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_username"
 name = "Unusual AWS Command for a User"
-note = """### Investigating an Unusual CloudTrail Event ###
+note = """## Triage and analysis
+
+### Investigating an Unusual CloudTrail Event
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:
 - Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index 259b71c31..eda9365b5 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -18,7 +18,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_network_activity_ecs"
 name = "Unusual Linux Network Activity"
-note = """### Investigating Unusual Network Activity ###
+note = """## Triage and analysis
+
+### Investigating Unusual Network Activity
 Detection alerts from this rule indicate the presence of network activity from a Linux process for which network activity is rare and unusual. Here are some possible avenues of investigation:
 - Consider the IP addresses and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?
 - If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.
diff --git a/rules/ml/ml_linux_anomalous_process_all_hosts.toml b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
index 3f880823e..48957b8c0 100644
--- a/rules/ml/ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_linux_anomalous_process_all_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +22,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_process_all_hosts_ecs"
 name = "Anomalous Process For a Linux Population"
-note = """### Investigating an Unusual Linux Process ###
+note = """## Triage and analysis
+
+### Investigating an Unusual Linux Process
 Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for all of the monitored Linux hosts for which Auditbeat data is available. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
diff --git a/rules/ml/ml_linux_anomalous_user_name.toml b/rules/ml/ml_linux_anomalous_user_name.toml
index 0d2fd1b3c..c4919a397 100644
--- a/rules/ml/ml_linux_anomalous_user_name.toml
+++ b/rules/ml/ml_linux_anomalous_user_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -27,7 +27,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "linux_anomalous_user_name_ecs"
 name = "Unusual Linux Username"
-note = """### Investigating an Unusual Linux User ###
+note = """## Triage and analysis
+
+### Investigating an Unusual Linux User
 Detection alerts from this rule indicate activity for a Linux user name that is rare and unusual. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to troubleshooting or debugging activity by a developer or site reliability engineer?
 - Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
diff --git a/rules/ml/ml_rare_process_by_host_linux.toml b/rules/ml/ml_rare_process_by_host_linux.toml
index c2d0d6955..92675280c 100644
--- a/rules/ml/ml_rare_process_by_host_linux.toml
+++ b/rules/ml/ml_rare_process_by_host_linux.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +22,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_process_by_host_linux_ecs"
 name = "Unusual Process For a Linux Host"
-note = """### Investigating an Unusual Linux Process ###
+note = """## Triage and analysis
+
+### Investigating an Unusual Linux Process
 Detection alerts from this rule indicate the presence of a Linux process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml
index d34815d0e..7affa37bc 100644
--- a/rules/ml/ml_rare_process_by_host_windows.toml
+++ b/rules/ml/ml_rare_process_by_host_windows.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +22,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_process_by_host_windows_ecs"
 name = "Unusual Process For a Windows Host"
-note = """### Investigating an Unusual Windows Process ###
+note = """## Triage and analysis
+
+### Investigating an Unusual Windows Process
 Detection alerts from this rule indicate the presence of a Windows process that is rare and unusual for the host it ran on. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 562e800c5..738ac202a 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -19,7 +19,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_network_activity_ecs"
 name = "Unusual Windows Network Activity"
-note = """### Investigating Unusual Network Activity ###
+note = """## Triage and analysis
+
+### Investigating Unusual Network Activity
 Detection alerts from this rule indicate the presence of network activity from a Windows process for which network activity is very unusual. Here are some possible avenues of investigation:
 - Consider the IP addresses, protocol and ports. Are these used by normal but infrequent network workflows? Are they expected or unexpected?
 - If the destination IP address is remote or external, does it associate with an expected domain, organization or geography? Note: avoid interacting directly with suspected malicious IP addresses.
diff --git a/rules/ml/ml_windows_anomalous_process_all_hosts.toml b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
index 67b04d13a..e641bdc2e 100644
--- a/rules/ml/ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/ml_windows_anomalous_process_all_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +22,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_process_all_hosts_ecs"
 name = "Anomalous Process For a Windows Population"
-note = """### Investigating an Unusual Windows Process ###
+note = """## Triage and analysis
+
+### Investigating an Unusual Windows Process
 Detection alerts from this rule indicate the presence of a Windows process that is rare and unusual for all of the Windows hosts for which Winlogbeat data is available. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host?
 - Examine the history of execution. If this process manifested only very recently, it might be part of a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
diff --git a/rules/ml/ml_windows_anomalous_user_name.toml b/rules/ml/ml_windows_anomalous_user_name.toml
index 8f9e00b2a..a92ab6fa0 100644
--- a/rules/ml/ml_windows_anomalous_user_name.toml
+++ b/rules/ml/ml_windows_anomalous_user_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -27,7 +27,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "windows_anomalous_user_name_ecs"
 name = "Unusual Windows Username"
-note = """### Investigating an Unusual Windows User ###
+note = """## Triage and analysis
+
+### Investigating an Unusual Windows User
 Detection alerts from this rule indicate activity for a Windows user name that is rare and unusual. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is this program part of an expected workflow for the user who ran this program on this host? Could this be related to occasional troubleshooting or support activity?
 - Examine the history of user activity. If this user manifested only very recently, it might be a service account for a new software package. If it has a consistent cadence - for example if it runs monthly or quarterly - it might be part of a monthly or quarterly business process.
diff --git a/rules/ml/ml_windows_rare_user_type10_remote_login.toml b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
index 7b9496862..28d7330af 100644
--- a/rules/ml/ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/ml_windows_rare_user_type10_remote_login.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +22,9 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "windows_rare_user_type10_remote_login"
 name = "Unusual Windows Remote User"
-note = """### Investigating an Unusual Windows User ###
+note = """## Triage and analysis
+
+### Investigating an Unusual Windows User
 Detection alerts from this rule indicate activity for a rare and unusual Windows RDP (remote desktop) user. Here are some possible avenues of investigation:
 - Consider the user as identified by the username field. Is the user part of a group who normally logs into Windows hosts using RDP (remote desktop protocol)? Is this logon activity part of an expected workflow for the user?
 - Consider the source of the login. If the source is remote, could this be related to occasional troubleshooting or support activity by a vendor or an employee working remotely?"""
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index 098c5b163..2574574c9 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["packetbeat-*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Cobalt Strike Command and Control Beacon"
-note = "This activity has been observed in FIN7 campaigns."
+note = """## Threat intel
+
+This activity has been observed in FIN7 campaigns."""
 references = [
     "https://blog.morphisec.com/fin7-attacks-restaurant-industry",
     "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index 08d29614f..6a9110369 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/05"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,9 @@ index = ["filebeat-*", "packetbeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Default Cobalt Strike Team Server Certificate"
-note = "While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly."
+note = """## Threat intel
+
+While Cobalt Strike is intended to be used for penetration tests and IR training, it is frequently used by actual threat actors (TA) such as APT19, APT29, APT32, APT41, FIN6, DarkHydrus, CopyKittens, Cobalt Group, Leviathan, and many other unnamed criminal TAs. This rule uses high-confidence atomic indicators, alerts should be investigated rapidly."""
 references = [
     "https://attack.mitre.org/software/S0154/",
     "https://www.cobaltstrike.com/help-setup-collaboration",
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 651f96362..b8186fe02 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["packetbeat-*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet"
-note = "This activity has been observed in FIN7 campaigns."
+note = """## Threat intel
+
+This activity has been observed in FIN7 campaigns."""
 references = [
     "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
     "https://www.justice.gov/opa/press-release/file/1084361/download",
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index 997140ac3..92cb6a267 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["packetbeat-*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Possible FIN7 DGA Command and Control Behavior"
-note = "In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`."
+note = """## Triage and analysis
+
+In the event this rule identifies benign domains in your environment, the `destination.domain` field in the rule can be modified to include those domains. Example: `...AND NOT destination.domain:(zoom.us OR benign.domain1 OR benign.domain2)`."""
 references = [
     "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html",
 ]
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index ff1d311b0..963bf0cdf 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["packetbeat-*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Halfbaked Command and Control Beacon"
-note = "This activity has been observed in FIN7 campaigns."
+note = """## Threat intel
+
+This activity has been observed in FIN7 campaigns."""
 references = [
     "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html",
     "https://attack.mitre.org/software/S0151/",
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index 67add3a73..46b7afd2a 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/11"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["packetbeat-*"]
 language = "lucene"
 license = "Elastic License v2"
 name = "Inbound Connection to an Unsecure Elasticsearch Node"
-note = "This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation."
+note = """## Config
+
+This rule requires the addition of port `9200` and `send_all_headers` to the `HTTP` protocol configuration in `packetbeat.yml`. See the References section for additional configuration documentation."""
 references = [
     "https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-security.html",
     "https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-http-options.html#_send_all_headers",
diff --git a/rules/okta/attempt_to_deactivate_okta_network_zone.toml b/rules/okta/attempt_to_deactivate_okta_network_zone.toml
index 675fffccc..c74e881ae 100644
--- a/rules/okta/attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/okta/attempt_to_deactivate_okta_network_zone.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Deactivate an Okta Network Zone"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/attempt_to_delete_okta_network_zone.toml b/rules/okta/attempt_to_delete_okta_network_zone.toml
index 1eb72f549..fe7d9566a 100644
--- a/rules/okta/attempt_to_delete_okta_network_zone.toml
+++ b/rules/okta/attempt_to_delete_okta_network_zone.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Delete an Okta Network Zone"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 6335d9f64..11c726c5a 100644
--- a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempted Bypass of Okta MFA"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 5736bb9e5..a63b5e210 100644
--- a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempts to Brute Force an Okta User Account"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
index ae457b4b9..6d680bbeb 100644
--- a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Okta Brute Force or Password Spraying Attack"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index d1307d30a..fc883bca4 100644
--- a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "High Number of Okta User Password Reset or Unlock Attempts"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
index ad3b9155d..a4ab0edb7 100644
--- a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Revoke Okta API Token"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/impact_possible_okta_dos_attack.toml b/rules/okta/impact_possible_okta_dos_attack.toml
index 5760c1db2..70dba7fc3 100644
--- a/rules/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/okta/impact_possible_okta_dos_attack.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Possible Okta DoS Attack"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 2915d5d30..f10b8ce35 100644
--- a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Suspicious Activity Reported by Okta User"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_application.toml b/rules/okta/okta_attempt_to_deactivate_okta_application.toml
index f2696c835..2f5079f06 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/okta/okta_attempt_to_deactivate_okta_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Deactivate an Okta Application"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_policy.toml b/rules/okta/okta_attempt_to_deactivate_okta_policy.toml
index 75e8d5852..8ac981f57 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/okta/okta_attempt_to_deactivate_okta_policy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Deactivate an Okta Policy"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
index 5df33d4c4..4cc4e65c0 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Deactivate an Okta Policy Rule"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/okta_attempt_to_delete_okta_application.toml b/rules/okta/okta_attempt_to_delete_okta_application.toml
index 767e62790..ff67f8fda 100644
--- a/rules/okta/okta_attempt_to_delete_okta_application.toml
+++ b/rules/okta/okta_attempt_to_delete_okta_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Delete an Okta Application"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/okta_attempt_to_delete_okta_policy.toml b/rules/okta/okta_attempt_to_delete_okta_policy.toml
index 1a56d4a84..bd23ac267 100644
--- a/rules/okta/okta_attempt_to_delete_okta_policy.toml
+++ b/rules/okta/okta_attempt_to_delete_okta_policy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Delete an Okta Policy"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml b/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml
index a955aaaab..e05dd74c4 100644
--- a/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Delete an Okta Policy Rule"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/okta_attempt_to_modify_okta_application.toml b/rules/okta/okta_attempt_to_modify_okta_application.toml
index 5833179a0..e47270407 100644
--- a/rules/okta/okta_attempt_to_modify_okta_application.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_application.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Modify an Okta Application"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Apps.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
index fe6b29d28..cb600ff35 100644
--- a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Modify an Okta Network Zone"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Security/network/network-zones.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/okta_attempt_to_modify_okta_policy.toml b/rules/okta/okta_attempt_to_modify_okta_policy.toml
index 73f654a8c..bac0fbf24 100644
--- a/rules/okta/okta_attempt_to_modify_okta_policy.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_policy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Modify an Okta Policy"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml b/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml
index f619a99a5..cdfe2be03 100644
--- a/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Modify an Okta Policy Rule"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index d4f089170..b81bfbeba 100644
--- a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/01"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Modification or Removal of an Okta Application Sign-On Policy"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Security/App_Based_Signon.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
index 6338b5f78..1c43d8e0d 100644
--- a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
+++ b/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Threat Detected by Okta ThreatInsight"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index d11f1905d..77db946d6 100644
--- a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Administrator Privileges Assigned to an Okta Group"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 3c08c1030..39c137944 100644
--- a/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Administrator Role Assigned to an Okta User"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://help.okta.com/en/prod/Content/Topics/Security/administrators-admin-comparison.htm",
     "https://developer.okta.com/docs/reference/api/system-log/",
diff --git a/rules/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/okta/persistence_attempt_to_create_okta_api_token.toml
index 8443ad327..4d548ca2c 100644
--- a/rules/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Create Okta API Token"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index 84c101c2c..cf36f40ce 100644
--- a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Deactivate MFA for an Okta User Account"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index 3ec7624a4..e956ab402 100644
--- a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Attempt to Reset MFA Factors for an Okta User Account"
-note = "The Okta Fleet integration or Filebeat module must be enabled to use this rule."
+note = """## Config
+
+The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 references = [
     "https://developer.okta.com/docs/reference/api/system-log/",
     "https://developer.okta.com/docs/reference/api/event-types/",
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index a4c30cbcb..a5d97a3f6 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote File Download via MpCmdRun"
-note = """### Investigating Remote File Download via MpCmdRun
+note = """## Triage and analysis
+
+### Investigating Remote File Download via MpCmdRun
 Verify details such as the parent process, URL reputation, and downloaded file details. Additionally, `MpCmdRun` logs this information in the Appdata Temp folder in `MpCmdRun.log`."""
 references = [
     "https://twitter.com/mohammadaskar2/status/1301263551638761477",
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index ceb783b1d..057125674 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
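Review bot: The guidance kept on the context line after the new `### Investigating Remote File Download via MpCmdRun` heading sends the analyst to "the Appdata Temp folder" without a path or a note about whose profile it is; if the log lands in the temp directory of the account that ran `MpCmdRun.exe` (as the wording suggests, but worth confirming against the referenced write-up), an analyst looking only in the victim user's profile will miss it when the download was launched under another account or as SYSTEM. A more actionable sentence would be `Additionally, MpCmdRun records the download in MpCmdRun.log under the %TEMP% directory of the account that executed it — check that account's profile, not just the logged-on user's.` The new heading also runs straight into the body text with no blank line, unlike the `## Triage and analysis` block above it.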
@@ -14,7 +14,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "SUNBURST Command and Control Activity"
-note = "The SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized."
+note = """## Triage and analysis
+
+The SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized."""
 references = [
     "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 ]
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index cf420cb54..ce6cb1eef 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/13"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Creation or Modification of Domain Backup DPAPI private key"
-note = "### Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys."
+note = """## Triage and analysis
+
+Domain DPAPI Backup keys are stored on domain controllers and can be dumped remotely with tools such as Mimikatz. The resulting .pvk private key can be used to decrypt ANY domain user masterkeys, which then can be used to decrypt any secrets protected by those keys."""
 references = [
     "https://www.dsinternals.com/en/retrieving-dpapi-backup-keys-from-active-directory/",
     "https://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/",
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index 9fe9360d5..a18ca86a8 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/07"
 maturity = "development"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
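Review bot: Dropping the stray `### ` prefix fixes the rendering, but the rewritten note still shouts `ANY` in capitals and leaves `.pvk` unformatted while the corpus elsewhere puts file artifacts in backticks (compare the MpCmdRun note in this same patch); suggest `The resulting .pvk private key can be used to decrypt any domain user master key, which in turn can be used to decrypt any secret protected by those keys.` with `.pvk` code-formatted. For a credential-access rule whose impact is domain-wide, the triage section would also benefit from one sentence telling the analyst what to pivot on — the process and account that touched the key file and whether the host is a domain controller — since the background paragraph explains the risk but not the first investigative step.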
@@ -15,7 +15,9 @@ index = ["logs-endpoint.events.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mimikatz Powershell Module Activity Detected"
-note = "This rule identifies an adversary attempt to collect, decrypt, and/or use cached credentials. Alerts from this rule should be prioritized because an adversary has an initial foothold onto an endpoint."
+note = """## Triage and analysis
+
+This rule identifies an adversary attempt to collect, decrypt, and/or use cached credentials. Alerts from this rule should be prioritized because an adversary has an initial foothold onto an endpoint."""
 references = ["https://attack.mitre.org/software/S0002/"]
 risk_score = 99
 rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46"
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index 3011335a8..4c0b5d855 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/12/23"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
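Review bot: The note carried over into the new `## Triage and analysis` block keeps two grammatical slips worth fixing while the line is being touched: "an adversary attempt" should be "an adversary's attempt", and "foothold onto an endpoint" should be "foothold on an endpoint". Suggested line: `This rule identifies an adversary's attempt to collect, decrypt, and/or use cached credentials. Alerts from this rule should be prioritized because they indicate an adversary already has a foothold on the endpoint.` The earlier hunk for this file shows `maturity = "development"` alongside `risk_score = 99` here; if the rule is not yet shipped, the "should be prioritized" guidance reads as aspirational, so it may be worth noting in the triage text that tuning is still in progress.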
@@ -14,7 +14,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Windows Defender Disabled via Registry Modification"
-note = "Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized"
+note = """## Triage and analysis
+
+Detections should be investigated to identify if the hosts and users are authorized to use this tool. As this rule detects post-exploitation process activity, investigations into this should be prioritized"""
 references = ["https://thedfirreport.com/2020/12/13/defender-control/"]
 risk_score = 21
 rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb"
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index fd77e917f..c84fe0f38 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Secure File Deletion via SDelete Utility"
-note = "Verify process details such as command line and hash to confirm this activity legitimacy."
+note = """## Triage and analysis
+
+Verify process details such as command line and hash to confirm this activity legitimacy."""
 risk_score = 21
 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5"
 severity = "low"
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 175b2c837..e514d0036 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
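Review bot: The triage text for "Windows Defender Disabled via Registry Modification" tells the analyst to check whether users "are authorized to use this tool", but the rule name says it fires on a registry modification, and no tool is named in the note — "this tool" only makes sense if the reader already knows the referenced DFIR Report post is about Defender Control. Say what to check instead: `Detections should be investigated to identify whether the host and user are authorized to disable Defender (for example via a sanctioned tool such as Defender Control) and which process wrote the registry value.` The last sentence also lacks its terminating period and says the activity "should be prioritized" while the context lines directly below set `risk_score = 21`; if the low score is intentional, the note should not promise high priority, and if not, the score rather than the note is what needs changing.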
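Review bot: The SDelete note moved under `## Triage and analysis` keeps the ungrammatical "to confirm this activity legitimacy"; since the line is being rewritten anyway, `Verify process details such as the command line and hash to confirm the legitimacy of this activity.` reads correctly. The rule name ("Potential Secure File Deletion via SDelete Utility") and the file name's "like_filename_rename" suggest the match is on a renamed binary, so the note could also tell the analyst that the hash check is the decisive step when the file name has been changed — hedged, as the query itself is outside this hunk.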
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "AdFind Command Activity"
-note = "`AdFind.exe` is a legitimate domain query tool. Rule alerts should be investigated to identify if the user has a role that would explain using this tool and that it is being run from an expected directory and endpoint. Leverage the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment."
+note = """## Triage and analysis
+
+`AdFind.exe` is a legitimate domain query tool. Rule alerts should be investigated to identify if the user has a role that would explain using this tool and that it is being run from an expected directory and endpoint. Leverage the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment."""
 references = [
     "http://www.joeware.net/freetools/tools/adfind/",
     "https://thedfirreport.com/2020/05/08/adfind-recon/",
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index 5aaeb7207..c7032c583 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/30"
 maturity = "production"
-updated_date = "2021/03/09"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution from Unusual Directory - Command Line"
-note = "This is related to the Process Execution from an Unusual Directory rule"
+note = """## Triage and analysis
+
+This is related to the `Process Execution from an Unusual Directory rule`."""
 risk_score = 47
 rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6"
 severity = "medium"
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 8d5fade1a..99742ed56 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/10/28"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution via local SxS Shared Module"
-note = "The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory."
+note = """## Triage and analysis
+
+The SxS DotLocal folder is a legitimate feature that can be abused to hijack standard modules loading order by forcing an executable on the same application.exe.local folder to load a malicious DLL module from the same directory."""
 references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection"]
 risk_score = 47
 rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index 3a450ad1c..5447a9f6a 100644
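Review bot: On the last added line of the "Execution from Unusual Directory - Command Line" note, the closing backtick sits after the word "rule", so the inline-code span renders as the literal name "Process Execution from an Unusual Directory rule" rather than the rule name followed by the word rule. The removed line shows the referenced rule name ends at "Directory", so the backtick should close there and the line should read: This is related to the `Process Execution from an Unusual Directory` rule, followed by the period and the closing triple quotes. This is the only hunk in the commit with the misplaced backtick as far as I can see.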
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/04"
 maturity = "production"
-updated_date = "2021/03/09"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -26,6 +26,7 @@ language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Exchange Server UM Writing Suspicious Files"
 note = """## Triage and analysis
+
 Positive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines). Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index e32f85ded..54e017150 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual Child Process of dns.exe"
-note = """### Investigating Unusual Child Process
+note = """## Triage and analysis
+
+### Investigating Unusual Child Process
 Detection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
 - Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).
 - Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index 44735485d..b387f7b7c 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Unusual File Modification by dns.exe"
-note = """### Investigating Unusual File Write
+note = """## Triage and analysis
+
+### Investigating Unusual File Write
 Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
 - Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.
 - Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care."""
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
index 0d6ac7593..f41e4eb0d 100644
--- a/rules/windows/lateral_movement_dns_server_overflow.toml
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,9 @@ index = ["packetbeat-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Abnormally Large DNS Response"
-note = """### Investigating Large DNS Responses
+note = """## Triage and analysis
+
+### Investigating Large DNS Responses
 Detection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:
 - Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.
 - Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 32e13cb84..f65f157a0 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,9 @@ index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Remote Scheduled Task Creation"
-note = "Decode the base64 encoded tasks actions registry value to investigate the task configured action."
+note = """## Triage and analysis
+
+Decode the base64 encoded tasks actions registry value to investigate the task configured action."""
 risk_score = 47
 rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"
 severity = "medium"
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 5d60f68e0..0012119fe 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/15"
 maturity = "production"
-updated_date = "2021/03/15"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Startup Shell Folder Modification"
-note = "Verify file creation events in the new Windows Startup folder location."
+note = """## Triage and analysis
+
+Verify file creation events in the new Windows Startup folder location."""
 risk_score = 73
 rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff"
 severity = "high"
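Review bot: The new note for "Remote Scheduled Task Creation" (`tasks actions registry value`, `the task configured action`) and the one rewritten in persistence_local_scheduled_task_scripting.toml further down in this commit (`Tasks Actions registry value`, `the task's configured action`) give the same instruction with different spelling and grammar. Given the commit's stated goal of standardizing the note field, the two should be identical; `Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action.` is the better of the two and works for both rules. Neither note tells the analyst where that value lives, so naming the registry key that holds it would make the note usable without looking elsewhere; I cannot confirm the path from these hunks, so I leave that to the author.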
diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml
index 156714965..97b2ef7ed 100644
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml
+++ b/rules/windows/persistence_local_scheduled_task_scripting.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/11/29"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Scheduled Task Created by a Windows Script"
-note = "Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action."
+note = """## Triage and analysis
+
+Decode the base64 encoded Tasks Actions registry value to investigate the task's configured action."""
 risk_score = 47
 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a"
 severity = "medium"
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index 2716f4550..a735a5ebf 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/14"
 maturity = "production"
-updated_date = "2021/04/14"
+updated_date = "2021/05/10"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,9 @@ index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious PrintSpooler SPL File Created"
-note = "Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched."
+note = """## Threat intel
+
+Refer to CVEs, CVE-2020-1048 and CVE-2020-1337 for further information on the vulnerability and exploit. Verify that the relevant system is patched."""
 references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-and-got-CVE-2020-1337"]
 risk_score = 73
 rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa"
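Review bot: This hunk introduces a `## Threat intel` heading while every other note rewritten in this commit uses `## Triage and analysis`, and the second sentence under it, `Verify that the relevant system is patched.`, is a triage action rather than threat intelligence. If the heading set is meant to be stable for downstream rendering or tooling, keep the CVE pointer under `## Threat intel` and move the patch-verification sentence into its own `## Triage and analysis` section so this rule follows the same structure as the rest. The phrase `Refer to CVEs, CVE-2020-1048 and CVE-2020-1337` also reads oddly; `Refer to CVE-2020-1048 and CVE-2020-1337` says the same thing.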