Merge branch 'main' of github.com:elastic/detection-rules

This commit is contained in:
Mika Ayenson
2023-08-24 10:34:28 -05:00
161 changed files with 4397 additions and 242 deletions
+1 -1
@@ -6,7 +6,7 @@ on:
description: 'List of branches to lock versions (ordered, comma separated)'
required: true
# 7.17 was intentionally skipped because it was added late and was bug fix only
default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9'
default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10'
jobs:
pr:
@@ -0,0 +1,453 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query",
"saved_query",
"machine_learning",
"eql",
"threshold",
"threat_match",
"new_terms"
],
"enumNames": [],
"type": "string"
}
},
"required": [
"author",
"description",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
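Review bot: `risk_score` (near the end of the top-level `properties`) carries `"description": "MaxSignals"`, which is the label of the `max_signals` type and not a description of the risk score; the `min_compat` and `enumNames` annotations suggest this file is generated from the rule dataclasses, so the mislabel is best fixed in the Python definition so the regenerated schema reads something like `"description": "RiskScore"`. Separately, every integral field here (`risk_score`, `max_signals`, `alert_suppression.duration.value`) is emitted as `"type": "number"` with `"format": "integer"`, and since `format` is only an annotation in draft-04 unless the validator opts in, a value such as `42.5` passes this schema where `"type": "integer"` would reject it. `alert_suppression.duration.value` also has no `minimum`, so a zero or negative suppression window validates; `"minimum": 1` there would close that gap.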
@@ -0,0 +1,475 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"event_category_override": {
"min_compat": "8.0",
"type": "string"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"eql"
],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"tiebreaker_field": {
"min_compat": "8.0",
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_field": {
"min_compat": "8.0",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"eql"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -0,0 +1,465 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"anomaly_threshold": {
"format": "integer",
"type": "number"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"license": {
"type": "string"
},
"machine_learning_job_id": {
"anyOf": [
{
"type": "string"
},
{
"items": {
"type": "string"
},
"type": "array"
}
]
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"machine_learning"
],
"type": "string"
}
},
"required": [
"anomaly_threshold",
"author",
"description",
"machine_learning_job_id",
"name",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
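Review bot: `anomaly_threshold` (declared just before `author`) is required but constrained only by `"format": "integer"` on a `"type": "number"`, so a fractional, negative or over-large value all validate; since ML anomaly scores are reported on a 0–100 scale, `"minimum": 0`, `"maximum": 100` and ideally `"type": "integer"` would catch a malformed threshold before the rule ships. `machine_learning_job_id` accepts an empty array through the second `anyOf` branch, so `"minItems": 1` is worth adding there as well. Both presumably belong in the Python dataclass this schema appears to be generated from rather than in this file — confirm against the generator before editing the JSON by hand.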
@@ -0,0 +1,516 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"new_terms": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"history_window_start": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"value": {
"description": "NewTermsFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"minItems": 1,
"type": "array"
}
},
"required": [
"field",
"history_window_start",
"value"
],
"type": "object"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"new_terms"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"new_terms",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -0,0 +1,465 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"query"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"type"
],
"type": "object"
}
@@ -0,0 +1,556 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"concurrent_searches": {
"description": "PositiveInteger",
"format": "integer",
"minimum": 1,
"type": "number"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"items_per_search": {
"description": "PositiveInteger",
"format": "integer",
"minimum": 1,
"type": "number"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threat_filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"threat_index": {
"items": {
"type": "string"
},
"type": "array"
},
"threat_indicator_path": {
"type": "string"
},
"threat_language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"threat_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"entries": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"enum": [
"mapping"
],
"type": "string"
},
"value": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"field",
"type",
"value"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"entries"
],
"type": "object"
},
"type": "array"
},
"threat_query": {
"type": "string"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threat_match"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threat_index",
"threat_mapping",
"type"
],
"type": "object"
}
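Review bot: `risk_score` carries `"description": "MaxSignals"`, which is the label of a different field; the same copy-paste label appears in the threshold schema added later in this commit, so the description should name the risk score type (e.g. `"description": "RiskScore"`) in both, or in the generator if these files are produced from the rule dataclasses. The integer-valued fields (`concurrent_searches`, `items_per_search`, `max_signals`, `risk_score`, `alert_suppression.duration.value`) are declared as `"type": "number", "format": "integer"`; draft-04 defines no `integer` format and validators ignore unknown formats, so `1.5` validates — `"type": "integer"` would actually enforce it. `min_compat` and `enumNames` are likewise not JSON Schema keywords and are silently ignored, so any version gating implied by `"min_compat": "8.3"` must be enforced by the repository's own loader rather than by this schema.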
@@ -0,0 +1,514 @@
{
"$schema": "http://json-schema.org/draft-04/schema#",
"additionalProperties": false,
"properties": {
"actions": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"alert_suppression": {
"additionalProperties": false,
"properties": {
"duration": {
"additionalProperties": false,
"properties": {
"unit": {
"enum": [
"s",
"m",
"h"
],
"enumNames": [],
"type": "string"
},
"value": {
"format": "integer",
"type": "number"
}
},
"required": [
"unit",
"value"
],
"type": "object"
},
"group_by": {
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": "array"
}
},
"required": [
"group_by"
],
"type": "object"
},
"author": {
"items": {
"type": "string"
},
"type": "array"
},
"building_block_type": {
"enum": [
"default"
],
"type": "string"
},
"description": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"exceptions_list": {
"items": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "array"
},
"false_positives": {
"items": {
"type": "string"
},
"type": "array"
},
"filters": {
"items": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"type": "array"
},
"from": {
"type": "string"
},
"index": {
"items": {
"type": "string"
},
"type": "array"
},
"interval": {
"description": "Interval",
"pattern": "^\\d+[mshd]$",
"type": "string"
},
"language": {
"enum": [
"kuery",
"lucene"
],
"enumNames": [],
"type": "string"
},
"license": {
"type": "string"
},
"max_signals": {
"description": "MaxSignals",
"format": "integer",
"minimum": 1,
"type": "number"
},
"meta": {
"additionalProperties": {
"type": [
"string",
"number",
"object",
"array",
"boolean"
]
},
"type": "object"
},
"name": {
"description": "RuleName",
"pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$",
"type": "string"
},
"note": {
"description": "MarkdownField",
"type": "string"
},
"query": {
"type": "string"
},
"references": {
"items": {
"type": "string"
},
"type": "array"
},
"related_integrations": {
"items": {
"additionalProperties": false,
"properties": {
"integration": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"package": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"version": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"package",
"version"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"required_fields": {
"items": {
"additionalProperties": false,
"properties": {
"ecs": {
"type": "boolean"
},
"name": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"type": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
}
},
"required": [
"ecs",
"name",
"type"
],
"type": "object"
},
"min_compat": "8.3",
"type": "array"
},
"risk_score": {
"description": "MaxSignals",
"format": "integer",
"maximum": 100,
"minimum": 1,
"type": "number"
},
"risk_score_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"rule_id": {
"description": "UUIDString",
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$",
"type": "string"
},
"rule_name_override": {
"type": "string"
},
"setup": {
"min_compat": "8.3",
"type": "string"
},
"severity": {
"enum": [
"low",
"medium",
"high",
"critical"
],
"enumNames": [],
"type": "string"
},
"severity_mapping": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"operator": {
"enum": [
"equals"
],
"type": "string"
},
"severity": {
"type": "string"
},
"value": {
"type": "string"
}
},
"required": [
"field"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"type": "string"
},
"type": "array"
},
"threat": {
"items": {
"additionalProperties": false,
"properties": {
"framework": {
"enum": [
"MITRE ATT&CK"
],
"type": "string"
},
"tactic": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TacticURL",
"pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"technique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "TechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$",
"type": "string"
},
"subtechnique": {
"items": {
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"name": {
"type": "string"
},
"reference": {
"description": "SubTechniqueURL",
"pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$",
"type": "string"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"id",
"name",
"reference"
],
"type": "object"
},
"type": "array"
}
},
"required": [
"framework",
"tactic"
],
"type": "object"
},
"type": "array"
},
"threshold": {
"additionalProperties": false,
"properties": {
"cardinality": {
"items": {
"additionalProperties": false,
"properties": {
"field": {
"type": "string"
},
"value": {
"description": "ThresholdValue",
"format": "integer",
"minimum": 1,
"type": "number"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"type": "array"
},
"field": {
"description": "CardinalityFields",
"items": {
"description": "NonEmptyStr",
"minLength": 1,
"type": "string"
},
"maxItems": 3,
"type": "array"
},
"value": {
"description": "ThresholdValue",
"format": "integer",
"minimum": 1,
"type": "number"
}
},
"required": [
"field",
"value"
],
"type": "object"
},
"throttle": {
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
"db366523-f1c6-4c1f-8731-6ce5ed9e5717",
"91832785-286d-4ebe-b884-1a208d111a70",
"76e52245-7519-4251-91ab-262fb1a1728c",
"495ad7a7-316e-4544-8a0f-9c098daee76e",
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c",
"e70679c2-6cde-4510-9764-4823df18f7db",
"300afc76-072d-4261-864d-4149714bf3f1",
"3e47ef71-ebfc-4520-975c-cb27fc090799",
"3e827bab-838a-469f-bd1e-5e19a2bff2fd",
"4434b91a-94ca-4a89-83cb-a37cdc0532b7"
],
"enumNames": [],
"type": "string"
},
"timeline_title": {
"description": "TimelineTemplateTitle",
"enum": [
"Generic Endpoint Timeline",
"Generic Network Timeline",
"Generic Process Timeline",
"Generic Threat Match Timeline",
"Comprehensive File Timeline",
"Comprehensive Process Timeline",
"Comprehensive Network Timeline",
"Comprehensive Registry Timeline",
"Alerts Involving a Single User Timeline",
"Alerts Involving a Single Host Timeline"
],
"enumNames": [],
"type": "string"
},
"timestamp_override": {
"type": "string"
},
"to": {
"type": "string"
},
"type": {
"enum": [
"threshold"
],
"type": "string"
}
},
"required": [
"author",
"description",
"language",
"name",
"query",
"risk_score",
"rule_id",
"severity",
"threshold",
"type"
],
"type": "object"
}
@@ -72,6 +72,10 @@
"enabled": {
"type": "boolean"
},
"event_category_override": {
"min_compat": "8.0",
"type": "string"
},
"exceptions_list": {
"items": {
"type": [
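Review bot: `event_category_override` is declared as a bare `"type": "string"`, so an empty string validates, whereas the sibling schemas in this commit mark required identifiers with `"description": "NonEmptyStr", "minLength": 1`; the same applies to `tiebreaker_field` and `timestamp_field` in the two later hunks of this file. If an empty override is never meaningful when passed through to the rule API, adding `"minLength": 1` to all three would reject it at validation time instead of downstream. `"min_compat": "8.0"` is not a JSON Schema keyword and is ignored by draft-04 validators, so the version gate presumably lives in the repository's loader — worth confirming. The enclosing `properties` object starts and ends outside the hunk.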
@@ -401,6 +405,10 @@
"throttle": {
"type": "string"
},
"tiebreaker_field": {
"min_compat": "8.0",
"type": "string"
},
"timeline_id": {
"description": "TimelineTemplateId",
"enum": [
@@ -435,6 +443,10 @@
"enumNames": [],
"type": "string"
},
"timestamp_field": {
"min_compat": "8.0",
"type": "string"
},
"timestamp_override": {
"type": "string"
},
@@ -132,5 +132,5 @@
"T1536": "T1578.004",
"T1547.011": "T1647"
},
"saved_date": "Thu Jun 29 11:03:14 2023"
"saved_date": "Mon Aug 14 13:11:43 2023"
}
Binary file not shown.
Binary file not shown.
@@ -304,6 +304,11 @@
"rule_name": "SSH (Secure Shell) from the Internet",
"stack_version": "7.14.0"
},
"eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
"deprecation_date": "2023/07/31",
"rule_name": "Suspicious Network Connection Attempt by Root",
"stack_version": "8.3"
},
"ee619805-54d7-4c56-ba6f-7717282ddd73": {
"deprecation_date": "2022/05/09",
"rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
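Review bot: The new entry's `stack_version` is the two-component `"8.3"` while the neighbouring entry uses the three-component `"7.14.0"`; if any tooling sorts or compares these as versions, mixed component counts are a common source of wrong ordering, so either normalise to `"8.3.0"` or confirm the consumer parses both shapes. The `deprecation_date` value `2023/07/31` matches the existing entries' format, so it is consistent even though it is not ISO 8601. The enclosing mapping continues outside the hunk.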
Binary file not shown.
Binary file not shown.
+1
@@ -71,6 +71,7 @@
"file.Ext.entropy": "long",
"file.size": "long",
"file.Ext.original.name": "keyword",
"dll.Ext.device.product_id": "keyword",
"dll.Ext.relative_file_creation_time": "double",
"dll.Ext.relative_file_name_modify_time": "double",
"process.Ext.relative_file_name_modify_time": "double",
+3 -4
@@ -4,12 +4,12 @@ package:
maturity:
- production
log_deprecated: true
name: '8.10'
name: '8.11'
registry_data:
categories:
- security
conditions:
kibana.version: ^8.10.0
kibana.version: ^8.11.0
description: Prebuilt detection rules for Elastic Security
format_version: 1.0.0
icons:
@@ -23,6 +23,5 @@ package:
release: ga
title: Prebuilt Security Detection Rules
type: integration
version: 8.10.0-beta.0
version: 8.11.0-beta.0
release: true
+9 -4
@@ -76,11 +76,16 @@
endgame: "8.4.0"
"8.9.0":
beats: "8.8.2"
ecs: "8.8.0"
beats: "8.9.0"
ecs: "8.9.0"
endgame: "8.4.0"
"8.10.0":
beats: "8.8.2"
ecs: "8.8.0"
beats: "8.9.0"
ecs: "8.9.0"
endgame: "8.4.0"
"8.11.0":
beats: "8.9.0"
ecs: "8.9.0"
endgame: "8.4.0"
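Review bot: The `beats`/`ecs` pins for the already-published `8.9.0` and `8.10.0` rows are moved (beats `8.8.2` → `8.9.0`, ecs `8.8.0` → `8.9.0`) in the same hunk that adds the new `8.11.0` row; changing the schema versions for released stacks alters what validates for rules targeting those stacks, so the reason for moving those rows (rather than only adding 8.11.0) should be stated in the commit message or a comment next to them, e.g. `# 8.9.0/8.10.0 re-pinned to beats/ecs 8.9.0 because <reason>`. If the intent was only to add 8.11.0, the two existing rows could stay as they were. The enclosing mapping continues outside the hunk.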
+155 -62
@@ -44,9 +44,9 @@
"0171f283-ade7-4f87-9521-ac346c68cc9b": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Scan Detected",
"sha256": "05f7ecbd3c668d2efc8876c68c247c96f2dfdfbb1d88da3feaf3127805145773",
"sha256": "22c367ac24c7772c54e861eaef3c3cc0d8677b1dbecc70626f38c6ba482f1eb2",
"type": "threshold",
"version": 1
"version": 2
},
"027ff9ea-85e7-42e3-99d2-bbb7069e02eb": {
"min_stack_version": "8.3",
@@ -193,9 +193,9 @@
"0787daa6-f8c5-453b-a4ec-048037f6c1cd": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Proc Pseudo File System Enumeration",
"sha256": "245438059687e2254156b7de6af2bb96cd52b3263ad178486202c575da0a28c0",
"sha256": "c0e22bb1ec65c7fa009ef3abdf7d1a92ee28cc5bb7aeddb0c344a3b14793d6b3",
"type": "threshold",
"version": 1
"version": 2
},
"07b1ef73-1fde-4a49-a34a-5dd40011b076": {
"min_stack_version": "8.3",
@@ -309,6 +309,13 @@
"type": "query",
"version": 107
},
"0b803267-74c5-444d-ae29-32b5db2d562a": {
"min_stack_version": "8.3",
"rule_name": "Potential Shell via Wildcard Injection Detected",
"sha256": "b1357614dcd30402aba8ea62f30facd7b7d9ea27dd5f096002841eca233f64a8",
"type": "eql",
"version": 1
},
"0c41e478-5263-4c69-8f9e-7dfd2c22da64": {
"min_stack_version": "8.5",
"rule_name": "Threat Intel IP Address Indicator Match",
@@ -400,9 +407,9 @@
}
},
"rule_name": "Potential Persistence Through Run Control Detected",
"sha256": "90257033fbffbd58406f4338624b55fa17e1373a9098dbbb6cb9413c7f2bf421",
"sha256": "5775d029f6a1d764e77e8eeaf6ec342b87708404184191c14ff48fb3b1b56dc8",
"type": "new_terms",
"version": 104
"version": 105
},
"0f616aee-8161-4120-857e-742366f5eeb3": {
"rule_name": "PowerShell spawning Cmd",
@@ -733,9 +740,9 @@
"17b0a495-4d9f-414c-8ad0-92f018b8e001": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Service Created by Previously Unknown Process",
"sha256": "821af40f1849e4b35c093ac6e5fd204480f2c95bf6d36491978d7ab00b45bec0",
"sha256": "b58a3e067846aa68d0aaec50f2b50e30db0431f78fda376ed81fff2472bd0e33",
"type": "new_terms",
"version": 2
"version": 3
},
"17c7f6a5-5bc9-4e1f-92bf-13632d24384d": {
"min_stack_version": "8.3",
@@ -1050,6 +1057,13 @@
"type": "eql",
"version": 103
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious DebugFS Root Device Access",
"sha256": "739ca4ff251f7d15397c5713f3e3a01880762163b87f43465f74fb4a63fadfed",
"type": "eql",
"version": 1
},
"2636aa6c-88b5-4337-9c31-8d0192a8ef45": {
"min_stack_version": "8.3",
"rule_name": "Azure Blob Container Access Level Modification",
@@ -1144,9 +1158,9 @@
"28738f9f-7427-4d23-bc69-756708b5f624": {
"min_stack_version": "8.3",
"rule_name": "Suspicious File Changes Activity Detected",
"sha256": "af6a4c763918f1b8c3b75c94da57150e6613f9b1c060b6253fc7dd08841c57dc",
"sha256": "4bd6246dc55fb0159c82faf0067c0e67b3915706692e70de0bcf8a3504c76afd",
"type": "eql",
"version": 3
"version": 4
},
"28896382-7d4f-4d50-9b72-67091901fd26": {
"rule_name": "Suspicious Process from Conhost",
@@ -1154,6 +1168,13 @@
"type": "eql",
"version": 100
},
"28d39238-0c01-420a-b77a-24e5a7378663": {
"min_stack_version": "8.3",
"rule_name": "Sudo Command Enumeration Detected",
"sha256": "f4e6de1f9d2e53ff482497bfa4e3c0063a657aa1b6d18f646644810a785b9c69",
"type": "eql",
"version": 1
},
"29052c19-ff3e-42fd-8363-7be14d7c5469": {
"min_stack_version": "8.3",
"rule_name": "AWS Security Group Configuration Change Detection",
@@ -1185,9 +1206,9 @@
"2a692072-d78d-42f3-a48a-775677d79c4e": {
"min_stack_version": "8.3",
"rule_name": "Potential Code Execution via Postgresql",
"sha256": "4a70cd9ce5cb0245001ed19046dc9211a007e0edb87d55d452e8623cd0aac76c",
"sha256": "90033dd971d1cf6b980023ac5ff9e523d374d3557e57c56b07f56371a39fe66a",
"type": "eql",
"version": 1
"version": 2
},
"2abda169-416b-4bb3-9a6b-f8d239fd78ba": {
"min_stack_version": "8.4",
@@ -1234,11 +1255,20 @@
"version": 105
},
"2d8043ed-5bda-4caf-801c-c1feb7410504": {
"min_stack_version": "8.3",
"min_stack_version": "8.6",
"previous": {
"8.3": {
"max_allowable_version": 203,
"rule_name": "Enumeration of Kernel Modules",
"sha256": "4b0264a513359d05b99ad58d22080e4a27d8a180acd51c3a29b5a0762338548b",
"type": "eql",
"version": 104
}
},
"rule_name": "Enumeration of Kernel Modules",
"sha256": "4b0264a513359d05b99ad58d22080e4a27d8a180acd51c3a29b5a0762338548b",
"type": "eql",
"version": 104
"sha256": "466b9b770f662323636376704d15a6f60f676574f2ed2fc6bc32e5704e01a92e",
"type": "new_terms",
"version": 204
},
"2dd480be-1263-4d9c-8672-172928f6789a": {
"min_stack_version": "8.8",
@@ -1727,9 +1757,9 @@
"40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Modprobe File Event",
"sha256": "9db38abed795d655cb74c1744a934743fbf685f4ae38cb42a28e35bd06eefda6",
"sha256": "a68ec783655e160ea9c0e727fa3aab19c685bc94530fc45ffd899978f6fe427e",
"type": "eql",
"version": 1
"version": 2
},
"416697ae-e468-4093-a93d-59661fa619ec": {
"min_stack_version": "8.3",
@@ -1860,9 +1890,9 @@
"474fd20e-14cc-49c5-8160-d9ab4ba16c8b": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through init.d Detected",
"sha256": "dd6ef74c2f597fe98525f1a4b7aa3bd93d9ac54189ab894724fcf6cb60216b69",
"sha256": "5e2d925fcea0ca293823207dfe02870ff91b21eb26845e86b5bc6466fb1122b1",
"type": "new_terms",
"version": 3
"version": 4
},
"475b42f0-61fb-4ef0-8a85-597458bfb0a1": {
"min_stack_version": "8.8",
@@ -1908,9 +1938,9 @@
"48b3d2e3-f4e8-41e6-95e6-9b2091228db3": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell",
"sha256": "4160ce7e268b88f30655beb514da1b0b3a021cb9a8e27e7f9ed7e8ecc9d9b943",
"sha256": "41621e6d7d8394535f33f86ce87b265bffc3b46341f0d41b5a3f0357a6e4f092",
"type": "eql",
"version": 2
"version": 3
},
"48b6edfc-079d-4907-b43c-baffa243270d": {
"min_stack_version": "8.3",
@@ -1984,6 +2014,13 @@
"type": "query",
"version": 102
},
"4a99ac6f-9a54-4ba5-a64f-6eb65695841b": {
"min_stack_version": "8.3",
"rule_name": "Potential Unauthorized Access via Wildcard Injection Detected",
"sha256": "25c1fc8f3f3cca5abd90f51407ee6536b09f5cc094959427100ff8bb43061d1e",
"type": "eql",
"version": 1
},
"4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": {
"min_stack_version": "8.3",
"rule_name": "Potential Cross Site Scripting (XSS)",
@@ -1994,9 +2031,9 @@
"4b1a807a-4e7b-414e-8cea-24bf580f6fc5": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Parent Process",
"sha256": "ecf2ad4447f990f031623c2e5c49b67f36162c078eed8b08f82bd1aee9386f19",
"sha256": "ac72fcaf522c3071580ab0a89bf5819d2048d75227f322493c72329288bfb551",
"type": "eql",
"version": 2
"version": 3
},
"4b438734-3793-4fda-bd42-ceeada0be8f9": {
"min_stack_version": "8.3",
@@ -2029,9 +2066,9 @@
"4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": {
"min_stack_version": "8.3",
"rule_name": "Kernel Load or Unload via Kexec Detected",
"sha256": "c58ed6e2277c2938844908a89695fa82660c307bc9dc206f10a52e4fa077b9a0",
"sha256": "7445969cb5c322e8c467c61ee4ce21952f59c4781a3f141b739a0ae03dd6f849",
"type": "eql",
"version": 1
"version": 2
},
"4d50a94f-2844-43fa-8395-6afbd5e1c5ef": {
"min_stack_version": "8.3",
@@ -2064,9 +2101,9 @@
"4ec47004-b34a-42e6-8003-376a123ea447": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Process Spawned from MOTD Detected",
"sha256": "5139744307f51062a9ebcb5e41e71d315b4e3229b2c5ffc5055e8fb3b03113ab",
"sha256": "742936018bd86bd0d2eb9c8e3cbc7e8942f260b71df03057a49f68aced7f08fd",
"type": "eql",
"version": 3
"version": 4
},
"4ed493fc-d637-4a36-80ff-ac84937e5461": {
"min_stack_version": "8.3",
@@ -2148,9 +2185,9 @@
"52376a86-ee86-4967-97ae-1a05f55816f0": {
"min_stack_version": "8.3",
"rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)",
"sha256": "08e086437b7c505630da7f3f2859efadfd8944d262f1bddb19d4c71766cb0cbe",
"sha256": "e8d3570c3c3e5a9f33eb69cec7d5b6b851442af3ed9086d002b181885dd60663",
"type": "eql",
"version": 106
"version": 107
},
"52aaab7b-b51c-441a-89ce-4387b3aea886": {
"min_stack_version": "8.3",
@@ -2188,9 +2225,9 @@
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"min_stack_version": "8.6",
"rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable",
"sha256": "cc2b8ad9a1c68c231ac8da4148a361fff3e24137602de968abb2415576051a04",
"sha256": "4fd4e498803b69a046d3bc3c1a4b93610e961b6f34f057cd8de12a67c6d69833",
"type": "new_terms",
"version": 1
"version": 2
},
"536997f7-ae73-447d-a12d-bff1e8f5f0a0": {
"min_stack_version": "8.3",
@@ -2416,6 +2453,13 @@
"type": "query",
"version": 104
},
"5b06a27f-ad72-4499-91db-0c69667bffa5": {
"min_stack_version": "8.3",
"rule_name": "SUID/SGUID Enumeration Detected",
"sha256": "1d29dbe53e81b188976bc7d37092e85352e9bfc9aae131f8bb0f82e4fba6be85",
"type": "eql",
"version": 1
},
"5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": {
"min_stack_version": "8.3",
"rule_name": "Suspicious PrintSpooler Service Executable File Creation",
@@ -3078,9 +3122,9 @@
"7592c127-89fb-4209-a8f6-f9944dfd7e02": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Sysctl File Event",
"sha256": "f79fc847a2fd5595520dba9ec67e770ad628d3c141e6befef5c8622a55a1e0be",
"sha256": "66246357a6e2baf18f6692bf5ec006c4c8b46cccb03f13a768a516a0a44e7bab",
"type": "eql",
"version": 1
"version": 2
},
"75ee75d8-c180-481c-ba88-ee50129a6aef": {
"min_stack_version": "8.3",
@@ -3136,9 +3180,9 @@
"76e4d92b-61c1-4a95-ab61-5fd94179a1ee": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Child Process",
"sha256": "3b9bc91ffaa95b00ba8e0c54e58e351b8f6fa8addd6495da87d40f769842bef9",
"sha256": "90ba412e5f74a327e2a562946201aeb6cd21309a6f0a6bab7976fad99953c6d2",
"type": "eql",
"version": 2
"version": 3
},
"76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": {
"min_stack_version": "8.3",
@@ -3171,9 +3215,9 @@
"781f8746-2180-4691-890c-4c96d11ca91d": {
"min_stack_version": "8.3",
"rule_name": "Potential Network Sweep Detected",
"sha256": "73eee30fa3997742747ac2b5413ee70cc35e4b3be16faa7c79e268a16425ba79",
"sha256": "dac06daad2d64130cbe33805c45aa9bdba206772051f496081644a309db32cd2",
"type": "threshold",
"version": 1
"version": 2
},
"785a404b-75aa-4ffd-8be5-3334a5a544dd": {
"min_stack_version": "8.4",
@@ -3328,16 +3372,16 @@
"7fb500fa-8e24-4bd1-9480-2a819352602c": {
"min_stack_version": "8.6",
"rule_name": "New Systemd Timer Created",
"sha256": "14bff79015fcfa0af510ff8bc2fa92e58f9d904df7111251aa7a29b6ad7012cb",
"sha256": "a5a770edc33a8e7e8eebd70dcddd0bb6c09432602b530e9813de3ade870ae6b1",
"type": "new_terms",
"version": 3
"version": 4
},
"80084fa9-8677-4453-8680-b891d3c0c778": {
"min_stack_version": "8.3",
"rule_name": "Enumeration of Kernel Modules via Proc",
"sha256": "85407f5506904f8e8283e034a04965db0ab6ea86ce1ef257b575653b6cae7362",
"sha256": "907f1a257b0bc6e60a9f9ebb695ef97418f1e573e4e9bb00842961b0b9d15343",
"type": "eql",
"version": 1
"version": 2
},
"809b70d3-e2c3-455e-af1b-2626a5a1a276": {
"min_stack_version": "8.3",
@@ -3490,6 +3534,13 @@
"type": "query",
"version": 100
},
"884e87cc-c67b-4c90-a4ed-e1e24a940c82": {
"min_stack_version": "8.6",
"rule_name": "Potential Suspicious Clipboard Activity Detected",
"sha256": "81b067ba7ca440551c5427488fd426f9df51ca8b72ff6e3db6e1a99f324eb05e",
"type": "new_terms",
"version": 1
},
"88671231-6626-4e1b-abb7-6e361a171fbb": {
"min_stack_version": "8.3",
"rule_name": "Microsoft 365 Global Administrator Role Assigned",
@@ -3504,6 +3555,13 @@
"type": "eql",
"version": 103
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"min_stack_version": "8.3",
"rule_name": "Potential Sudo Hijacking Detected",
"sha256": "ebc6754248c6b7a7634e86d08ec0161e3f109569c788248ac2889d1e047c7973",
"type": "eql",
"version": 1
},
"891cb88e-441a-4c3e-be2d-120d99fe7b0d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WMI Image Load from MS Office",
@@ -3538,6 +3596,13 @@
"type": "query",
"version": 103
},
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Symbolic Link Created",
"sha256": "cf1e2262983765f27b55ba8f50491c865dfcdfa5215405a7e223cf7a3262b3d9",
"type": "eql",
"version": 1
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"min_stack_version": "8.3",
"rule_name": "Setuid / Setgid Bit Set via chmod",
@@ -3865,9 +3930,9 @@
"96d11d31-9a79-480f-8401-da28b194608f": {
"min_stack_version": "8.6",
"rule_name": "Potential Persistence Through MOTD File Creation Detected",
"sha256": "04f950f0c2870438d1ef39c6947b3e29ad786ef500ebae62b06ff0745e04b2ac",
"sha256": "91d5e62be561b9ba2b9288ad52f5e43bdf1fedcaadcc2790f9cbb44b0a98cff9",
"type": "new_terms",
"version": 3
"version": 4
},
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"min_stack_version": "8.3",
@@ -3940,9 +4005,9 @@
"97fc44d3-8dae-4019-ae83-298c3015600f": {
"min_stack_version": "8.3",
"rule_name": "Startup or Run Key Registry Modification",
"sha256": "08f158f696c1ad30a048f41e0fe2528ee7c7cf0a0190972f42a4b09f2e4f85ba",
"sha256": "13109617be252430a0af0c782ba9695a2e18e9c1256827904312ede390a858eb",
"type": "eql",
"version": 107
"version": 108
},
"980b70a0-c820-11ed-8799-f661ea17fbcc": {
"min_stack_version": "8.4",
@@ -4596,9 +4661,9 @@
"aebaa51f-2a91-4f6a-850b-b601db2293f4": {
"min_stack_version": "8.6",
"rule_name": "Shared Object Created or Changed by Previously Unknown Process",
"sha256": "f706ae26f9260495a126a7f40d212be6abce91fe0ba59eb0ada7ce78056a69b7",
"sha256": "c5e37ab11a7a0973e1393da0d06ecdfd39fe601bda795ce4e5311844da29ece3",
"type": "new_terms",
"version": 1
"version": 2
},
"afcce5ad-65de-4ed2-8516-5e093d3ac99a": {
"min_stack_version": "8.3",
@@ -4607,6 +4672,13 @@
"type": "eql",
"version": 104
},
"afe6b0eb-dd9d-4922-b08a-1910124d524d": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via Container Misconfiguration",
"sha256": "f30c5c2d2f9049cb02b7024588b254a4c42ec91b0ac7ac9139ff3a4594de5cdd",
"type": "eql",
"version": 1
},
"b0046934-486e-462f-9487-0d4cf9e429c6": {
"min_stack_version": "8.3",
"rule_name": "Timestomping using Touch Command",
@@ -4868,9 +4940,9 @@
"bbaa96b9-f36c-4898-ace2-581acb00a409": {
"min_stack_version": "8.3",
"rule_name": "Potential SYN-Based Network Scan Detected",
"sha256": "e3fa0192e162477e7c0432616bc59efd5cbfa01e8b3a70e8fe7cc9977b7a7249",
"sha256": "a2fa63d2505d8c71652f2a4e23c141d1682d9ff045c088e18b89c6e85508516d",
"type": "threshold",
"version": 1
"version": 2
},
"bbd1a775-8267-41fa-9232-20e5582596ac": {
"min_stack_version": "8.3",
@@ -5232,9 +5304,9 @@
"c8935a8b-634a-4449-98f7-bb24d3b2c0af": {
"min_stack_version": "8.3",
"rule_name": "Potential Linux Ransomware Note Creation Detected",
"sha256": "96682e9b9640c83fb004fefdfadefa0499ffaee2f18b224c2a919c0be924579c",
"sha256": "04cafeaaf4f851803bb0fe3eeaf313e600c55078140ffc472b47faa850bbf3b0",
"type": "eql",
"version": 3
"version": 4
},
"c8b150f0-0164-475b-a75e-74b47800a9ff": {
"min_stack_version": "8.3",
@@ -5253,9 +5325,9 @@
"c9482bfa-a553-4226-8ea2-4959bd4f7923": {
"min_stack_version": "8.3",
"rule_name": "Potential Masquerading as Communication Apps",
"sha256": "c5f7d275928258df63c614f5bb01560d06bb745be25420b100d1caeb9e57a53b",
"sha256": "407f97d6402f538a62f3547c4036a01df2a4cf493bf5845da4235b85dcb890fd",
"type": "eql",
"version": 1
"version": 2
},
"c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
"min_stack_version": "8.3",
@@ -5296,9 +5368,9 @@
}
},
"rule_name": "Abnormal Process ID or Lock File Created",
"sha256": "d76db814f07cf25a8e686f720a3a92b86455db0f2209dc2a12e1f31d5444e096",
"sha256": "cb7ecdd09505eeb2f0952f5a029fae4a911a4a4c7f92fde6d6e49924b3a5b9a3",
"type": "new_terms",
"version": 207
"version": 208
},
"cad4500a-abd7-4ef3-b5d3-95524de7cfe1": {
"min_stack_version": "8.4",
@@ -5569,6 +5641,13 @@
"type": "machine_learning",
"version": 102
},
"d55436a8-719c-445f-92c4-c113ff2f9ba5": {
"min_stack_version": "8.3",
"rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected",
"sha256": "a838854fa6bc595bb96ed3c2a78e96949041fac6d4f0a4cd707798843927f84b",
"type": "eql",
"version": 1
},
"d563aaba-2e72-462b-8658-3e5ea22db3a6": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Windir Environment Variable",
@@ -5711,9 +5790,9 @@
"da87eee1-129c-4661-a7aa-57d0b9645fad": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Service was Installed in the System",
"sha256": "5efb26e2d2ec42884669c1bb7a75c13a7cd1f715a01e5791488eb2adfc2cceed",
"sha256": "21882fe93edaef610a0b27aef9155e98576d28411bb1deb9914a0163f9f81694",
"type": "eql",
"version": 7
"version": 8
},
"da986d2c-ffbf-4fd6-af96-a88dbf68f386": {
"rule_name": "Linux Restricted Shell Breakout via the gcc command",
@@ -6224,6 +6303,13 @@
"type": "query",
"version": 102
},
"eb44611f-62a8-4036-a5ef-587098be6c43": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Script with Webcam Video Capture Capabilities",
"sha256": "4fd30c5b6cde137af4b4bfbe6147e6b9b22ee92011d517f81f11bfd501ecd62d",
"type": "query",
"version": 1
},
"eb610e70-f9e6-4949-82b9-f1c5bcd37c39": {
"min_stack_version": "8.3",
"rule_name": "PowerShell Kerberos Ticket Request",
@@ -6659,9 +6745,9 @@
"fa3a59dc-33c3-43bf-80a9-e8437a922c7f": {
"min_stack_version": "8.3",
"rule_name": "Potential Reverse Shell via Suspicious Binary",
"sha256": "5d9ce6aa99975f3eafa06c77784d69acbaaa12c0c46b9f5b90d0f7b304651724",
"sha256": "79fc6be5da75fc9eaeafbb39e968ff4bc2967ffc934dddb84427c0a39050e79c",
"type": "eql",
"version": 2
"version": 3
},
"fa488440-04cc-41d7-9279-539387bf2a17": {
"min_stack_version": "8.3",
@@ -6748,9 +6834,9 @@
"ff10d4d8-fea7-422d-afb1-e5a2702369a9": {
"min_stack_version": "8.6",
"rule_name": "Cron Job Created or Changed by Previously Unknown Process",
"sha256": "e08ba3629f77b0f14dbb69c9ff288225c03c60802a7db963793ba77fe92c4383",
"sha256": "3050a1275d1edfd0cb61b4d07a4b3d7bd48a60653e19fa96aceda436a2380fed",
"type": "new_terms",
"version": 2
"version": 3
},
"ff4599cb-409f-4910-a239-52e4e6f532ff": {
"min_stack_version": "8.7",
@@ -6772,5 +6858,12 @@
"sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068",
"type": "query",
"version": 104
},
"ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": {
"min_stack_version": "8.3",
"rule_name": "Potential Sudo Token Manipulation via Process Injection",
"sha256": "f843662389115d2d135ceb3967be8b8614e5967be904f046447eeb9ebdc65100",
"type": "eql",
"version": 1
}
}
+28 -26
@@ -645,6 +645,7 @@ class NewTermsRuleData(QueryRuleData):
kql_validator.validate(self, meta)
feature_min_stack = Version.parse('8.4.0')
feature_min_stack_extended_fields = Version.parse('8.6.0')
current_package_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True)
# validate history window start field exists and is correct
assert self.new_terms.history_window_start, \
@@ -657,11 +658,9 @@ class NewTermsRuleData(QueryRuleData):
f"{self.new_terms.field} should be 'new_terms_fields' for new_terms rule type"
# ecs validation
min_stack_version = meta.get("min_stack_version")
if min_stack_version is None:
min_stack_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True)
else:
min_stack_version = Version.parse(min_stack_version)
min_stack_version = Version.parse(meta.get("min_stack_version")) if meta.get("min_stack_version") else None
min_stack_version = current_package_version if min_stack_version is None or min_stack_version < \
current_package_version else min_stack_version
assert min_stack_version >= feature_min_stack, \
f"New Terms rule types only compatible with {feature_min_stack}+"
@@ -1002,30 +1001,33 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
current_stack_version = load_current_package_version()
if self.check_restricted_field_version(field_name):
if isinstance(self.data, QueryRuleData) and self.data.language != 'lucene':
package_integrations = self.get_packaged_integrations(self.data, self.metadata, packages_manifest)
if (isinstance(self.data, QueryRuleData) or isinstance(self.data, MachineLearningRuleData)):
if (self.data.get('language') is not None and self.data.get('language') != 'lucene') or \
self.data.get('type') == 'machine_learning':
package_integrations = self.get_packaged_integrations(self.data, self.metadata,
packages_manifest)
if not package_integrations:
return
if not package_integrations:
return
for package in package_integrations:
package["version"] = find_least_compatible_version(
package=package["package"],
integration=package["integration"],
current_stack_version=current_stack_version,
packages_manifest=packages_manifest)
for package in package_integrations:
package["version"] = find_least_compatible_version(
package=package["package"],
integration=package["integration"],
current_stack_version=current_stack_version,
packages_manifest=packages_manifest)
# if integration is not a policy template remove
if package["version"]:
policy_templates = packages_manifest[
package["package"]][package["version"].strip("^")]["policy_templates"]
if package["integration"] not in policy_templates:
del package["integration"]
# if integration is not a policy template remove
if package["version"]:
policy_templates = packages_manifest[
package["package"]][package["version"].strip("^")]["policy_templates"]
if package["integration"] not in policy_templates:
del package["integration"]
# remove duplicate entries
package_integrations = list({json.dumps(d, sort_keys=True):
d for d in package_integrations}.values())
obj.setdefault("related_integrations", package_integrations)
# remove duplicate entries
package_integrations = list({json.dumps(d, sort_keys=True):
d for d in package_integrations}.values())
obj.setdefault("related_integrations", package_integrations)
def _convert_add_required_fields(self, obj: dict) -> None:
"""Add restricted field required_fields to the obj, derived from the query AST."""
@@ -1124,7 +1126,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
rule_integrations = meta.get("integration", [])
if rule_integrations:
for integration in rule_integrations:
if integration in definitions.NON_DATASET_PACKAGES:
if integration in definitions.NON_DATASET_PACKAGES or isinstance(data, MachineLearningRuleData):
packaged_integrations.append({"package": integration, "integration": None})
for value in sorted(datasets):
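Review bot: The clamp `min_stack_version = current_package_version if min_stack_version is None or min_stack_version < current_package_version else min_stack_version` in the second hunk makes the following `assert min_stack_version >= feature_min_stack` compare the current package version rather than the rule's declared `min_stack_version`, so a new_terms rule declaring 8.3 is no longer rejected once the package is at or above 8.4. If validating against the version the rule will ship in is the intent, a comment above the clamp such as `# compare against the newer of the declared min_stack_version and the current package version` would make that explicit; otherwise keep the declared value and compare it to `feature_min_stack` directly. The line before it calls `meta.get("min_stack_version")` twice, which a single local would avoid, and in the third hunk `isinstance(self.data, QueryRuleData) or isinstance(self.data, MachineLearningRuleData)` reads more naturally as `isinstance(self.data, (QueryRuleData, MachineLearningRuleData))`. Both enclosing methods start and end outside their hunks.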
+6
@@ -256,6 +256,12 @@ def migrate_to_8_9(version: Version, api_contents: dict) -> dict:
return strip_additional_properties(version, api_contents)
@migrate("8.10")
def migrate_to_8_10(version: Version, api_contents: dict) -> dict:
"""Default migration for 8.10."""
return strip_additional_properties(version, api_contents)
def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict:
"""Downgrade a rule to a target stack version."""
from ..packaging import current_stack_version
+8 -2
@@ -91,6 +91,11 @@ class Kibana(object):
body = json.dumps(data)
response = self.session.request(method, url, params=params, data=body, **kwargs)
if response.status_code != 200:
# retry once
response = self.session.request(method, url, params=params, data=body, **kwargs)
if error:
try:
response.raise_for_status()
@@ -168,8 +173,9 @@ class Kibana(object):
def add_cookie(self, cookie):
"""Add cookie to be used for auth (such as from an SSO session)."""
# the request to /api/status will also add the cookie to the cookie jar upon a successful response
self.session.headers['cookie'] = cookie
# https://www.elastic.co/guide/en/kibana/7.10/security-settings-kb.html#security-session-and-cookie-settings
self.session.headers['sid'] = cookie
self.session.cookies.set('sid', cookie)
self.status = self.get('/api/status')
self.authenticated = True
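Review bot: The retry added under `# retry once` re-issues the request for every non-200 status and every HTTP method, so a POST or PUT that the server already acted on before answering with a non-200 is sent a second time, and 4xx responses such as 401 or 404 are retried although the outcome cannot change. Restricting it to idempotent methods and server-side failures, e.g. `if response.status_code >= 500 and method.upper() in ('GET', 'HEAD'):`, keeps the benefit for transient errors without duplicating side effects. In the second hunk the comment `# the request to /api/status will also add the cookie to the cookie jar upon a successful response` appears stale now that `self.session.cookies.set('sid', cookie)` sets the cookie explicitly, and sending the same value as a request header named `sid` looks unintended since the linked Kibana settings page describes `sid` as the session cookie, so that header line is worth a second look. The request method that contains the retry starts and ends outside the hunk.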
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -64,7 +64,7 @@ references = [
risk_score = 73
rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
severity = "high"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
timestamp_override = "event.ingested"
type = "query"
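Review bot: The deduplicated tags lists are ordered differently from rule to rule: `tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]` here puts the data source first, the next several rules end with it, and the rules further down start with the Tactic tag. Applying one ordering across all the Okta rules touched in this commit would keep future diffs minimal and make a reintroduced duplicate, like the one removed here, easier to spot; a sorted list is the simplest convention. This applies equally to the other rule files in this commit.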
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -63,7 +63,7 @@ references = [
risk_score = 47
rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
type = "threshold"
query = '''
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -61,7 +61,7 @@ references = [
risk_score = 73
rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
severity = "high"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
type = "eql"
query = '''
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -63,7 +63,7 @@ references = [
risk_score = 47
rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
type = "threshold"
query = '''
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -57,12 +57,7 @@ references = [
risk_score = 73
rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911"
severity = "high"
tags = [
"Use Case: Identity and Access Audit",
"Data Source: Okta",
"Use Case: Identity and Access Audit",
"Tactic: Credential Access",
]
tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -71,12 +71,7 @@ references = [
risk_score = 47
rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
severity = "medium"
tags = [
"Use Case: Identity and Access Audit",
"Data Source: Okta",
"Use Case: Identity and Access Audit",
"Tactic: Defense Evasion",
]
tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/30"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -69,12 +69,7 @@ references = [
risk_score = 21
rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
severity = "low"
tags = [
"Use Case: Identity and Access Audit",
"Data Source: Okta",
"Use Case: Identity and Access Audit",
"Tactic: Defense Evasion",
]
tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -63,7 +63,7 @@ references = [
risk_score = 47
rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"]
type = "threshold"
query = '''
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -24,7 +24,7 @@ references = [
risk_score = 21
rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
severity = "low"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
risk_score = 21
rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
severity = "low"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
risk_score = 21
rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"
severity = "low"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/08/17"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
risk_score = 47
rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 50
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 50
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 50
@@ -1,9 +1,10 @@
[metadata]
creation_date = "2020/03/25"
integration = ["endpoint", "network_traffic"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/07/27"
[rule]
anomaly_threshold = 50
