diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml index 28dc7dbf3..484fe5c20 100644 --- a/.github/workflows/lock-versions.yml +++ b/.github/workflows/lock-versions.yml @@ -6,7 +6,7 @@ on: description: 'List of branches to lock versions (ordered, comma separated)' required: true # 7.17 was intentionally skipped because it was added late and was bug fix only - default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9' + default: '8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10' jobs: pr: diff --git a/detection_rules/etc/api_schemas/8.10/8.10.base.json b/detection_rules/etc/api_schemas/8.10/8.10.base.json new file mode 100644 index 000000000..cd6f208af --- /dev/null +++ b/detection_rules/etc/api_schemas/8.10/8.10.base.json 
@@ -0,0 +1,453 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + 
"note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + 
"operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + 
"4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + } + }, + "required": [ + "author", + "description", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.10/8.10.eql.json b/detection_rules/etc/api_schemas/8.10/8.10.eql.json new file mode 100644 index 000000000..a1e618f98 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.10/8.10.eql.json 
@@ -0,0 +1,475 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "event_category_override": { + "min_compat": "8.0", + "type": "string" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + 
"type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + 
}, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + 
"tiebreaker_field": { + "min_compat": "8.0", + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.10/8.10.machine_learning.json b/detection_rules/etc/api_schemas/8.10/8.10.machine_learning.json new file mode 100644 index 000000000..ca88b1912 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.10/8.10.machine_learning.json 
@@ -0,0 +1,465 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "anomaly_threshold": { + "format": "integer", + "type": "number" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "license": { + "type": "string" + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + 
"type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + 
"low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": 
"TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "name", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.10/8.10.new_terms.json b/detection_rules/etc/api_schemas/8.10/8.10.new_terms.json new file mode 100644 index 000000000..de43ba609 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.10/8.10.new_terms.json 
@@ -0,0 +1,516 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + 
"array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "value": { + "description": "NewTermsFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "field", + "history_window_start", + "value" + ], + "type": "object" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": 
"object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": 
"TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + 
"new_terms", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.10/8.10.query.json b/detection_rules/etc/api_schemas/8.10/8.10.query.json new file mode 100644 index 000000000..20d6284ce --- /dev/null +++ b/detection_rules/etc/api_schemas/8.10/8.10.query.json 
@@ -0,0 +1,465 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + 
"array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + 
"medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", 
+ "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.10/8.10.threat_match.json b/detection_rules/etc/api_schemas/8.10/8.10.threat_match.json new file mode 100644 index 000000000..dcc339473 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.10/8.10.threat_match.json 
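Review bot: `risk_score` carries `"description": "MaxSignals"`, the same label as the `max_signals` property, so a validation error on either field reads the same and the label on `risk_score` looks like the wrong type name was reused; the threat_match and threshold schemas below repeat it. If these files are emitted from the rule definitions rather than edited by hand, the name should be corrected at the source and the schemas regenerated. Separately, the integer-valued fields (`max_signals`, `risk_score`, `alert_suppression.duration.value`) are written as `"type": "number"` with `"format": "integer"`; draft-04 defines no `integer` format and validators ignore unknown formats, so a fractional `risk_score` such as 50.5 passes — `"type": "integer"` would enforce what the description implies.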
@@ -0,0 +1,556 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "concurrent_searches": { + "description": "PositiveInteger", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "items_per_search": { + "description": "PositiveInteger", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": 
"string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + 
"pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + 
"reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": "string" + }, + "threat_language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + }, + "value": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "field", + "type", + "value" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": "string" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match 
Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.10/8.10.threshold.json b/detection_rules/etc/api_schemas/8.10/8.10.threshold.json new file mode 100644 index 000000000..0c5a10ad7 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.10/8.10.threshold.json 
@@ -0,0 +1,514 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "format": "integer", + "type": "number" + } + }, + "required": [ + "unit", + "value" + ], + "type": "object" + }, + "group_by": { + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "group_by" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": "string" + }, + "description": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "exceptions_list": { + "items": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "array" + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": "array" + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": "array" + }, + "from": { + "type": "string" + }, + "index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "interval": { + "description": "Interval", + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "language": { + "enum": [ + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": "string" + }, + "max_signals": { + "description": "MaxSignals", + "format": "integer", + "minimum": 1, + "type": "number" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + 
"array", + "boolean" + ] + }, + "type": "object" + }, + "name": { + "description": "RuleName", + "pattern": "^[a-zA-Z0-9].+?[a-zA-Z0-9()]$", + "type": "string" + }, + "note": { + "description": "MarkdownField", + "type": "string" + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": "array" + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "integration": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "package": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "version": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "package", + "version" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "type": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs", + "name", + "type" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": "array" + }, + "risk_score": { + "description": "MaxSignals", + "format": "integer", + "maximum": 100, + "minimum": 1, + "type": "number" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "rule_id": { + "description": "UUIDString", + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": "string" + }, + "setup": { + "min_compat": "8.3", + "type": "string" + }, + "severity": { + "enum": [ + "low", + 
"medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": "string" + }, + "severity": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": "array" + }, + "tags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TacticURL", + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "TechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "description": "SubTechniqueURL", + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "id", + "name", + "reference" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": "array" + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": 
{ + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "type": "array" + }, + "field": { + "description": "CardinalityFields", + "items": { + "description": "NonEmptyStr", + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "type": "array" + }, + "value": { + "description": "ThresholdValue", + "format": "integer", + "minimum": 1, + "type": "number" + } + }, + "required": [ + "field", + "value" + ], + "type": "object" + }, + "throttle": { + "type": "string" + }, + "timeline_id": { + "description": "TimelineTemplateId", + "enum": [ + "db366523-f1c6-4c1f-8731-6ce5ed9e5717", + "91832785-286d-4ebe-b884-1a208d111a70", + "76e52245-7519-4251-91ab-262fb1a1728c", + "495ad7a7-316e-4544-8a0f-9c098daee76e", + "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c", + "e70679c2-6cde-4510-9764-4823df18f7db", + "300afc76-072d-4261-864d-4149714bf3f1", + "3e47ef71-ebfc-4520-975c-cb27fc090799", + "3e827bab-838a-469f-bd1e-5e19a2bff2fd", + "4434b91a-94ca-4a89-83cb-a37cdc0532b7" + ], + "enumNames": [], + "type": "string" + }, + "timeline_title": { + "description": "TimelineTemplateTitle", + "enum": [ + "Generic Endpoint Timeline", + "Generic Network Timeline", + "Generic Process Timeline", + "Generic Threat Match Timeline", + "Comprehensive File Timeline", + "Comprehensive Process Timeline", + "Comprehensive Network Timeline", + "Comprehensive Registry Timeline", + "Alerts Involving a Single User Timeline", + "Alerts Involving a Single Host Timeline" + ], + "enumNames": [], + "type": "string" + }, + "timestamp_override": { + "type": "string" + }, + "to": { + "type": "string" + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + } + }, + "required": [ + "author", + "description", + "language", + "name", + "query", + "risk_score", + "rule_id", + "severity", + 
"threshold",
+ "type"
+ ],
+ "type": "object"
+}
\ No newline at end of file
diff --git a/detection_rules/etc/api_schemas/master/master.eql.json b/detection_rules/etc/api_schemas/master/master.eql.json
index 3e19494b0..a1e618f98 100644
--- a/detection_rules/etc/api_schemas/master/master.eql.json
+++ b/detection_rules/etc/api_schemas/master/master.eql.json
@@ -72,6 +72,10 @@
 "enabled": {
 "type": "boolean"
 },
+ "event_category_override": {
+ "min_compat": "8.0",
+ "type": "string"
+ },
 "exceptions_list": {
 "items": {
 "type": [
@@ -401,6 +405,10 @@
 "throttle": {
 "type": "string"
 },
+ "tiebreaker_field": {
+ "min_compat": "8.0",
+ "type": "string"
+ },
 "timeline_id": {
 "description": "TimelineTemplateId",
 "enum": [
@@ -435,6 +443,10 @@
 "enumNames": [],
 "type": "string"
 },
+ "timestamp_field": {
+ "min_compat": "8.0",
+ "type": "string"
+ },
 "timestamp_override": {
 "type": "string"
 },
diff --git a/detection_rules/etc/attack-technique-redirects.json b/detection_rules/etc/attack-technique-redirects.json
index 303d1cd9a..cb0fad5a7 100644
--- a/detection_rules/etc/attack-technique-redirects.json
+++ b/detection_rules/etc/attack-technique-redirects.json
@@ -132,5 +132,5 @@
 "T1536": "T1578.004",
 "T1547.011": "T1647"
 },
- "saved_date": "Thu Jun 29 11:03:14 2023"
+ "saved_date": "Mon Aug 14 13:11:43 2023"
 }
\ No newline at end of file
diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz
index 2e8e515a2..0f45ebeb7 100644
Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/v8.9.0.json.gz b/detection_rules/etc/beats_schemas/v8.9.0.json.gz
new file mode 100644
index 000000000..5023de30d
Binary files /dev/null and b/detection_rules/etc/beats_schemas/v8.9.0.json.gz differ
diff --git a/detection_rules/etc/deprecated_rules.json b/detection_rules/etc/deprecated_rules.json
index b9433bacb..a878ce1ae 100644
--- a/detection_rules/etc/deprecated_rules.json
+++ b/detection_rules/etc/deprecated_rules.json
@@ -304,6 +304,11 @@
 "rule_name": "SSH (Secure Shell) from the Internet",
 "stack_version": "7.14.0"
 },
+ "eb6a3790-d52d-11ec-8ce9-f661ea17fbce": {
+ "deprecation_date": "2023/07/31",
+ "rule_name": "Suspicious Network Connection Attempt by Root",
+ "stack_version": "8.3"
+ },
 "ee619805-54d7-4c56-ba6f-7717282ddd73": {
 "deprecation_date": "2022/05/09",
 "rule_name": "Linux Restricted Shell Breakout via crash Shell evasion",
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz
index d9ee9d211..0487c2d84 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz
index 3de29e974..302ffb97a 100644
Binary files a/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz
index 6b5facb54..30e6a9f0a 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz
index 3cb4b32b5..0a6163994 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz differ
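Review bot: The new entry's `"stack_version": "8.3"` is a two-component version while the neighbouring entries use three components (`"7.14.0"`), so any consumer that parses these values as semver or orders them as strings may treat the new record differently from the rest. `"stack_version": "8.3.0"` would keep the file uniform; if the short form is deliberate because other entries outside this hunk already use it, a note in the commit message would help the next reader. The enclosing object continues on both sides of the hunk.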
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz
index b18d41b64..ad0fefa6e 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz
index 6945c8a86..0cc0eecb2 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz
index 21aea38cf..2db1db747 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz
index 761be6e35..b36e8545d 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz
index 866474ed2..39862b984 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz
index f425319a1..752519ca7 100644
Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.5.0/ecs_flat.json.gz
index 9917305e0..7e1a408ef 100644
Binary files a/detection_rules/etc/ecs_schemas/1.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.5.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.5.0/ecs_nested.json.gz
index d3c7c7b9d..d314d9f32 100644
Binary files a/detection_rules/etc/ecs_schemas/1.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.5.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz
index b9e04b987..77dc0c728 100644
Binary files a/detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz
index 8bef9bbfb..80de6568c 100644
Binary files a/detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz
index c98736f99..2516b5df2 100644
Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz
index 588610ae2..5d894abdc 100644
Binary files a/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz
index a7743fde7..12dbd7760 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz
index 37ed64485..b2662fa9d 100644
Binary files a/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz
index f4404e316..66e34040f 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz
index e16500412..a6fef6b8b 100644
Binary files a/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz
index a41d5f9fd..f70e740c0 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz
index 46c59b763..464894a2e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz
index e1f792a63..2ac587c9f 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz
index 065b0b817..1365703cf 100644
Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz
index ee1175ead..77606d062 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz
index 0a6756139..6d94053da 100644
Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz
index 09375f8b2..b8673c332 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz
index 76fadfd1e..4bd967f33 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz
index b74382c57..6351dfef7 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz
index d6053dbe5..3f60465eb 100644
Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz
index e924a9435..78f9e41ad 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz
index 29c4ea8a1..24c462c84 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz
index 11bb097c5..adf088e21 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz
index 5d319ac26..83f31313e 100644
Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz index 3b40b3539..fcac8d2ad 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz index c14870ac0..c4ec36b77 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz index a8d6373e3..9658463b6 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz index 37166e7c4..a3d46f7c9 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz index d1cd8c479..aab8fdc22 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz index 906b47825..20574a46d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz index 049431b90..006e7a11f 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz index 2c28c9b40..59f4d27e9 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz index 84f9fc837..a87851d73 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz index c025b4b54..cc72774c0 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz index 30486f89a..9f37d1679 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz index 51ecadb28..d413c0f58 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz index 05855c7fd..061619d2a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz index d0c4e7777..099ff17d0 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz index 39165c9e0..0b08f4f8f 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz index 9dc1821ba..968d91e23 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz index 24681d0d3..fd6726a10 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz index ab867d7b3..aebfc87d9 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz index 7f652ad6d..c44ab279a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz index 0a934bb71..8f064df90 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz index 8e4d45e8f..9d3927e7d 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz index 72a5df4b1..9e1a90a63 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz index 71c05700c..7761018ca 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz index bbd67cdbc..f1f4db85f 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz new file mode 100644 index 000000000..225574773 Binary files /dev/null and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz new file mode 100644 index 000000000..cad7c9f5d Binary files /dev/null and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/master_8.10.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_8.10.0-dev/ecs_flat.json.gz deleted file mode 100644 index 1a21137a7..000000000 Binary files a/detection_rules/etc/ecs_schemas/master_8.10.0-dev/ecs_flat.json.gz and /dev/null differ diff --git a/detection_rules/etc/ecs_schemas/master_8.11.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_8.11.0-dev/ecs_flat.json.gz new file mode 100644 index 000000000..2dd7f75df Binary files /dev/null and b/detection_rules/etc/ecs_schemas/master_8.11.0-dev/ecs_flat.json.gz differ diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index dfd098edb..123ebf917 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 539644532..33669f653 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index 0302b5fa4..77d17936c 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json 
@@ -71,6 +71,7 @@
 "file.Ext.entropy": "long",
 "file.size": "long",
 "file.Ext.original.name": "keyword",
+ "dll.Ext.device.product_id": "keyword",
 "dll.Ext.relative_file_creation_time": "double",
 "dll.Ext.relative_file_name_modify_time": "double",
 "process.Ext.relative_file_name_modify_time": "double",
diff --git a/detection_rules/etc/packages.yml b/detection_rules/etc/packages.yml
index 6ccd5d858..13d839034 100644
--- a/detection_rules/etc/packages.yml
+++ b/detection_rules/etc/packages.yml
@@ -4,12 +4,12 @@ package:
 maturity:
 - production
 log_deprecated: true
- name: '8.10'
+ name: '8.11'
 registry_data:
 categories:
 - security
 conditions:
- kibana.version: ^8.10.0
+ kibana.version: ^8.11.0
 description: Prebuilt detection rules for Elastic Security
 format_version: 1.0.0
 icons:
@@ -23,6 +23,5 @@ package:
 release: ga
 title: Prebuilt Security Detection Rules
 type: integration
- version: 8.10.0-beta.0
+ version: 8.11.0-beta.0
 release: true
-
diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml
index 4437f4a21..b9b1674a8 100644
--- a/detection_rules/etc/stack-schema-map.yaml
+++ b/detection_rules/etc/stack-schema-map.yaml
@@ -76,11 +76,16 @@
 endgame: "8.4.0"
 "8.9.0":
- beats: "8.8.2"
- ecs: "8.8.0"
+ beats: "8.9.0"
+ ecs: "8.9.0"
 endgame: "8.4.0"
 "8.10.0":
- beats: "8.8.2"
- ecs: "8.8.0"
+ beats: "8.9.0"
+ ecs: "8.9.0"
+ endgame: "8.4.0"
+
+"8.11.0":
+ beats: "8.9.0"
+ ecs: "8.9.0"
 endgame: "8.4.0"
\ No newline at end of file
diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json
index f032b8590..88392f610 100644
--- a/detection_rules/etc/version.lock.json
+++ b/detection_rules/etc/version.lock.json
@@ -44,9 +44,9 @@ "0171f283-ade7-4f87-9521-ac346c68cc9b": { "min_stack_version": "8.3", "rule_name": "Potential Network Scan Detected", - "sha256": "05f7ecbd3c668d2efc8876c68c247c96f2dfdfbb1d88da3feaf3127805145773", + "sha256": "22c367ac24c7772c54e861eaef3c3cc0d8677b1dbecc70626f38c6ba482f1eb2", "type": "threshold", - "version": 1 + "version": 2 }, "027ff9ea-85e7-42e3-99d2-bbb7069e02eb": { "min_stack_version": "8.3", @@ -193,9 +193,9 @@ "0787daa6-f8c5-453b-a4ec-048037f6c1cd": { "min_stack_version": "8.3", "rule_name": "Suspicious Proc Pseudo File System Enumeration", - "sha256": "245438059687e2254156b7de6af2bb96cd52b3263ad178486202c575da0a28c0", + "sha256": "c0e22bb1ec65c7fa009ef3abdf7d1a92ee28cc5bb7aeddb0c344a3b14793d6b3", "type": "threshold", - "version": 1 + "version": 2 }, "07b1ef73-1fde-4a49-a34a-5dd40011b076": { "min_stack_version": "8.3", @@ -309,6 +309,13 @@ "type": "query", "version": 107 }, + "0b803267-74c5-444d-ae29-32b5db2d562a": { + "min_stack_version": "8.3", + "rule_name": "Potential Shell via Wildcard Injection Detected", + "sha256": "b1357614dcd30402aba8ea62f30facd7b7d9ea27dd5f096002841eca233f64a8", + "type": "eql", + "version": 1 + }, "0c41e478-5263-4c69-8f9e-7dfd2c22da64": { "min_stack_version": "8.5", "rule_name": "Threat Intel IP Address Indicator Match", @@ -400,9 +407,9 @@ } }, "rule_name": "Potential Persistence Through Run Control Detected", - "sha256": "90257033fbffbd58406f4338624b55fa17e1373a9098dbbb6cb9413c7f2bf421", + "sha256": "5775d029f6a1d764e77e8eeaf6ec342b87708404184191c14ff48fb3b1b56dc8", "type": "new_terms", - "version": 104 + "version": 105 }, "0f616aee-8161-4120-857e-742366f5eeb3": { "rule_name": "PowerShell spawning Cmd", 
@@ -733,9 +740,9 @@ "17b0a495-4d9f-414c-8ad0-92f018b8e001": { "min_stack_version": "8.6", "rule_name": "New Systemd Service Created by Previously Unknown Process", - "sha256": "821af40f1849e4b35c093ac6e5fd204480f2c95bf6d36491978d7ab00b45bec0", + "sha256": "b58a3e067846aa68d0aaec50f2b50e30db0431f78fda376ed81fff2472bd0e33", "type": "new_terms", - "version": 2 + "version": 3 }, "17c7f6a5-5bc9-4e1f-92bf-13632d24384d": { "min_stack_version": "8.3", @@ -1050,6 +1057,13 @@ "type": "eql", "version": 103 }, + "2605aa59-29ac-4662-afad-8d86257c7c91": { + "min_stack_version": "8.3", + "rule_name": "Potential Suspicious DebugFS Root Device Access", + "sha256": "739ca4ff251f7d15397c5713f3e3a01880762163b87f43465f74fb4a63fadfed", + "type": "eql", + "version": 1 + }, "2636aa6c-88b5-4337-9c31-8d0192a8ef45": { "min_stack_version": "8.3", "rule_name": "Azure Blob Container Access Level Modification", @@ -1144,9 +1158,9 @@ "28738f9f-7427-4d23-bc69-756708b5f624": { "min_stack_version": "8.3", "rule_name": "Suspicious File Changes Activity Detected", - "sha256": "af6a4c763918f1b8c3b75c94da57150e6613f9b1c060b6253fc7dd08841c57dc", + "sha256": "4bd6246dc55fb0159c82faf0067c0e67b3915706692e70de0bcf8a3504c76afd", "type": "eql", - "version": 3 + "version": 4 }, "28896382-7d4f-4d50-9b72-67091901fd26": { "rule_name": "Suspicious Process from Conhost", @@ -1154,6 +1168,13 @@ "type": "eql", "version": 100 }, + "28d39238-0c01-420a-b77a-24e5a7378663": { + "min_stack_version": "8.3", + "rule_name": "Sudo Command Enumeration Detected", + "sha256": "f4e6de1f9d2e53ff482497bfa4e3c0063a657aa1b6d18f646644810a785b9c69", + "type": "eql", + "version": 1 + }, "29052c19-ff3e-42fd-8363-7be14d7c5469": { "min_stack_version": "8.3", "rule_name": "AWS Security Group Configuration Change Detection", 
@@ -1185,9 +1206,9 @@ "2a692072-d78d-42f3-a48a-775677d79c4e": { "min_stack_version": "8.3", "rule_name": "Potential Code Execution via Postgresql", - "sha256": "4a70cd9ce5cb0245001ed19046dc9211a007e0edb87d55d452e8623cd0aac76c", + "sha256": "90033dd971d1cf6b980023ac5ff9e523d374d3557e57c56b07f56371a39fe66a", "type": "eql", - "version": 1 + "version": 2 }, "2abda169-416b-4bb3-9a6b-f8d239fd78ba": { "min_stack_version": "8.4", @@ -1234,11 +1255,20 @@ "version": 105 }, "2d8043ed-5bda-4caf-801c-c1feb7410504": { - "min_stack_version": "8.3", + "min_stack_version": "8.6", + "previous": { + "8.3": { + "max_allowable_version": 203, + "rule_name": "Enumeration of Kernel Modules", + "sha256": "4b0264a513359d05b99ad58d22080e4a27d8a180acd51c3a29b5a0762338548b", + "type": "eql", + "version": 104 + } + }, "rule_name": "Enumeration of Kernel Modules", - "sha256": "4b0264a513359d05b99ad58d22080e4a27d8a180acd51c3a29b5a0762338548b", - "type": "eql", - "version": 104 + "sha256": "466b9b770f662323636376704d15a6f60f676574f2ed2fc6bc32e5704e01a92e", + "type": "new_terms", + "version": 204 }, "2dd480be-1263-4d9c-8672-172928f6789a": { "min_stack_version": "8.8", @@ -1727,9 +1757,9 @@ "40ddbcc8-6561-44d9-afc8-eefdbfe0cccd": { "min_stack_version": "8.3", "rule_name": "Suspicious Modprobe File Event", - "sha256": "9db38abed795d655cb74c1744a934743fbf685f4ae38cb42a28e35bd06eefda6", + "sha256": "a68ec783655e160ea9c0e727fa3aab19c685bc94530fc45ffd899978f6fe427e", "type": "eql", - "version": 1 + "version": 2 }, "416697ae-e468-4093-a93d-59661fa619ec": { "min_stack_version": "8.3", 
@@ -1860,9 +1890,9 @@ "474fd20e-14cc-49c5-8160-d9ab4ba16c8b": { "min_stack_version": "8.6", "rule_name": "Potential Persistence Through init.d Detected", - "sha256": "dd6ef74c2f597fe98525f1a4b7aa3bd93d9ac54189ab894724fcf6cb60216b69", + "sha256": "5e2d925fcea0ca293823207dfe02870ff91b21eb26845e86b5bc6466fb1122b1", "type": "new_terms", - "version": 3 + "version": 4 }, "475b42f0-61fb-4ef0-8a85-597458bfb0a1": { "min_stack_version": "8.8", @@ -1908,9 +1938,9 @@ "48b3d2e3-f4e8-41e6-95e6-9b2091228db3": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell", - "sha256": "4160ce7e268b88f30655beb514da1b0b3a021cb9a8e27e7f9ed7e8ecc9d9b943", + "sha256": "41621e6d7d8394535f33f86ce87b265bffc3b46341f0d41b5a3f0357a6e4f092", "type": "eql", - "version": 2 + "version": 3 }, "48b6edfc-079d-4907-b43c-baffa243270d": { "min_stack_version": "8.3", @@ -1984,6 +2014,13 @@ "type": "query", "version": 102 }, + "4a99ac6f-9a54-4ba5-a64f-6eb65695841b": { + "min_stack_version": "8.3", + "rule_name": "Potential Unauthorized Access via Wildcard Injection Detected", + "sha256": "25c1fc8f3f3cca5abd90f51407ee6536b09f5cc094959427100ff8bb43061d1e", + "type": "eql", + "version": 1 + }, "4aa58ac6-4dc0-4d18-b713-f58bf8bd015c": { "min_stack_version": "8.3", "rule_name": "Potential Cross Site Scripting (XSS)", @@ -1994,9 +2031,9 @@ "4b1a807a-4e7b-414e-8cea-24bf580f6fc5": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Parent Process", - "sha256": "ecf2ad4447f990f031623c2e5c49b67f36162c078eed8b08f82bd1aee9386f19", + "sha256": "ac72fcaf522c3071580ab0a89bf5819d2048d75227f322493c72329288bfb551", "type": "eql", - "version": 2 + "version": 3 }, "4b438734-3793-4fda-bd42-ceeada0be8f9": { "min_stack_version": "8.3", 
@@ -2029,9 +2066,9 @@ "4d4c35f4-414e-4d0c-bb7e-6db7c80a6957": { "min_stack_version": "8.3", "rule_name": "Kernel Load or Unload via Kexec Detected", - "sha256": "c58ed6e2277c2938844908a89695fa82660c307bc9dc206f10a52e4fa077b9a0", + "sha256": "7445969cb5c322e8c467c61ee4ce21952f59c4781a3f141b739a0ae03dd6f849", "type": "eql", - "version": 1 + "version": 2 }, "4d50a94f-2844-43fa-8395-6afbd5e1c5ef": { "min_stack_version": "8.3", @@ -2064,9 +2101,9 @@ "4ec47004-b34a-42e6-8003-376a123ea447": { "min_stack_version": "8.3", "rule_name": "Suspicious Process Spawned from MOTD Detected", - "sha256": "5139744307f51062a9ebcb5e41e71d315b4e3229b2c5ffc5055e8fb3b03113ab", + "sha256": "742936018bd86bd0d2eb9c8e3cbc7e8942f260b71df03057a49f68aced7f08fd", "type": "eql", - "version": 3 + "version": 4 }, "4ed493fc-d637-4a36-80ff-ac84937e5461": { "min_stack_version": "8.3", @@ -2148,9 +2185,9 @@ "52376a86-ee86-4967-97ae-1a05f55816f0": { "min_stack_version": "8.3", "rule_name": "Linux Restricted Shell Breakout via Linux Binary(s)", - "sha256": "08e086437b7c505630da7f3f2859efadfd8944d262f1bddb19d4c71766cb0cbe", + "sha256": "e8d3570c3c3e5a9f33eb69cec7d5b6b851442af3ed9086d002b181885dd60663", "type": "eql", - "version": 106 + "version": 107 }, "52aaab7b-b51c-441a-89ce-4387b3aea886": { "min_stack_version": "8.3", @@ -2188,9 +2225,9 @@ "53617418-17b4-4e9c-8a2c-8deb8086ca4b": { "min_stack_version": "8.6", "rule_name": "Suspicious Network Activity to the Internet by Previously Unknown Executable", - "sha256": "cc2b8ad9a1c68c231ac8da4148a361fff3e24137602de968abb2415576051a04", + "sha256": "4fd4e498803b69a046d3bc3c1a4b93610e961b6f34f057cd8de12a67c6d69833", "type": "new_terms", - "version": 1 + "version": 2 }, "536997f7-ae73-447d-a12d-bff1e8f5f0a0": { "min_stack_version": "8.3", 
@@ -2416,6 +2453,13 @@ "type": "query", "version": 104 }, + "5b06a27f-ad72-4499-91db-0c69667bffa5": { + "min_stack_version": "8.3", + "rule_name": "SUID/SGUID Enumeration Detected", + "sha256": "1d29dbe53e81b188976bc7d37092e85352e9bfc9aae131f8bb0f82e4fba6be85", + "type": "eql", + "version": 1 + }, "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8": { "min_stack_version": "8.3", "rule_name": "Suspicious PrintSpooler Service Executable File Creation", @@ -3078,9 +3122,9 @@ "7592c127-89fb-4209-a8f6-f9944dfd7e02": { "min_stack_version": "8.3", "rule_name": "Suspicious Sysctl File Event", - "sha256": "f79fc847a2fd5595520dba9ec67e770ad628d3c141e6befef5c8622a55a1e0be", + "sha256": "66246357a6e2baf18f6692bf5ec006c4c8b46cccb03f13a768a516a0a44e7bab", "type": "eql", - "version": 1 + "version": 2 }, "75ee75d8-c180-481c-ba88-ee50129a6aef": { "min_stack_version": "8.3", @@ -3136,9 +3180,9 @@ "76e4d92b-61c1-4a95-ab61-5fd94179a1ee": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Child Process", - "sha256": "3b9bc91ffaa95b00ba8e0c54e58e351b8f6fa8addd6495da87d40f769842bef9", + "sha256": "90ba412e5f74a327e2a562946201aeb6cd21309a6f0a6bab7976fad99953c6d2", "type": "eql", - "version": 2 + "version": 3 }, "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f": { "min_stack_version": "8.3", @@ -3171,9 +3215,9 @@ "781f8746-2180-4691-890c-4c96d11ca91d": { "min_stack_version": "8.3", "rule_name": "Potential Network Sweep Detected", - "sha256": "73eee30fa3997742747ac2b5413ee70cc35e4b3be16faa7c79e268a16425ba79", + "sha256": "dac06daad2d64130cbe33805c45aa9bdba206772051f496081644a309db32cd2", "type": "threshold", - "version": 1 + "version": 2 }, "785a404b-75aa-4ffd-8be5-3334a5a544dd": { "min_stack_version": "8.4", 
@@ -3328,16 +3372,16 @@ "7fb500fa-8e24-4bd1-9480-2a819352602c": { "min_stack_version": "8.6", "rule_name": "New Systemd Timer Created", - "sha256": "14bff79015fcfa0af510ff8bc2fa92e58f9d904df7111251aa7a29b6ad7012cb", + "sha256": "a5a770edc33a8e7e8eebd70dcddd0bb6c09432602b530e9813de3ade870ae6b1", "type": "new_terms", - "version": 3 + "version": 4 }, "80084fa9-8677-4453-8680-b891d3c0c778": { "min_stack_version": "8.3", "rule_name": "Enumeration of Kernel Modules via Proc", - "sha256": "85407f5506904f8e8283e034a04965db0ab6ea86ce1ef257b575653b6cae7362", + "sha256": "907f1a257b0bc6e60a9f9ebb695ef97418f1e573e4e9bb00842961b0b9d15343", "type": "eql", - "version": 1 + "version": 2 }, "809b70d3-e2c3-455e-af1b-2626a5a1a276": { "min_stack_version": "8.3", @@ -3490,6 +3534,13 @@ "type": "query", "version": 100 }, + "884e87cc-c67b-4c90-a4ed-e1e24a940c82": { + "min_stack_version": "8.6", + "rule_name": "Potential Suspicious Clipboard Activity Detected", + "sha256": "81b067ba7ca440551c5427488fd426f9df51ca8b72ff6e3db6e1a99f324eb05e", + "type": "new_terms", + "version": 1 + }, "88671231-6626-4e1b-abb7-6e361a171fbb": { "min_stack_version": "8.3", "rule_name": "Microsoft 365 Global Administrator Role Assigned", @@ -3504,6 +3555,13 @@ "type": "eql", "version": 103 }, + "88fdcb8c-60e5-46ee-9206-2663adf1b1ce": { + "min_stack_version": "8.3", + "rule_name": "Potential Sudo Hijacking Detected", + "sha256": "ebc6754248c6b7a7634e86d08ec0161e3f109569c788248ac2889d1e047c7973", + "type": "eql", + "version": 1 + }, "891cb88e-441a-4c3e-be2d-120d99fe7b0d": { "min_stack_version": "8.3", "rule_name": "Suspicious WMI Image Load from MS Office", 
@@ -3538,6 +3596,13 @@ "type": "query", "version": 103 }, + "8a024633-c444-45c0-a4fe-78128d8c1ab6": { + "min_stack_version": "8.3", + "rule_name": "Suspicious Symbolic Link Created", + "sha256": "cf1e2262983765f27b55ba8f50491c865dfcdfa5215405a7e223cf7a3262b3d9", + "type": "eql", + "version": 1 + }, "8a1b0278-0f9a-487d-96bd-d4833298e87a": { "min_stack_version": "8.3", "rule_name": "Setuid / Setgid Bit Set via chmod", @@ -3865,9 +3930,9 @@ "96d11d31-9a79-480f-8401-da28b194608f": { "min_stack_version": "8.6", "rule_name": "Potential Persistence Through MOTD File Creation Detected", - "sha256": "04f950f0c2870438d1ef39c6947b3e29ad786ef500ebae62b06ff0745e04b2ac", + "sha256": "91d5e62be561b9ba2b9288ad52f5e43bdf1fedcaadcc2790f9cbb44b0a98cff9", "type": "new_terms", - "version": 3 + "version": 4 }, "96e90768-c3b7-4df6-b5d9-6237f8bc36a8": { "min_stack_version": "8.3", @@ -3940,9 +4005,9 @@ "97fc44d3-8dae-4019-ae83-298c3015600f": { "min_stack_version": "8.3", "rule_name": "Startup or Run Key Registry Modification", - "sha256": "08f158f696c1ad30a048f41e0fe2528ee7c7cf0a0190972f42a4b09f2e4f85ba", + "sha256": "13109617be252430a0af0c782ba9695a2e18e9c1256827904312ede390a858eb", "type": "eql", - "version": 107 + "version": 108 }, "980b70a0-c820-11ed-8799-f661ea17fbcc": { "min_stack_version": "8.4", @@ -4596,9 +4661,9 @@ "aebaa51f-2a91-4f6a-850b-b601db2293f4": { "min_stack_version": "8.6", "rule_name": "Shared Object Created or Changed by Previously Unknown Process", - "sha256": "f706ae26f9260495a126a7f40d212be6abce91fe0ba59eb0ada7ce78056a69b7", + "sha256": "c5e37ab11a7a0973e1393da0d06ecdfd39fe601bda795ce4e5311844da29ece3", "type": "new_terms", - "version": 1 + "version": 2 }, "afcce5ad-65de-4ed2-8516-5e093d3ac99a": { "min_stack_version": "8.3", 
@@ -4607,6 +4672,13 @@ "type": "eql", "version": 104 }, + "afe6b0eb-dd9d-4922-b08a-1910124d524d": { + "min_stack_version": "8.3", + "rule_name": "Potential Privilege Escalation via Container Misconfiguration", + "sha256": "f30c5c2d2f9049cb02b7024588b254a4c42ec91b0ac7ac9139ff3a4594de5cdd", + "type": "eql", + "version": 1 + }, "b0046934-486e-462f-9487-0d4cf9e429c6": { "min_stack_version": "8.3", "rule_name": "Timestomping using Touch Command", @@ -4868,9 +4940,9 @@ "bbaa96b9-f36c-4898-ace2-581acb00a409": { "min_stack_version": "8.3", "rule_name": "Potential SYN-Based Network Scan Detected", - "sha256": "e3fa0192e162477e7c0432616bc59efd5cbfa01e8b3a70e8fe7cc9977b7a7249", + "sha256": "a2fa63d2505d8c71652f2a4e23c141d1682d9ff045c088e18b89c6e85508516d", "type": "threshold", - "version": 1 + "version": 2 }, "bbd1a775-8267-41fa-9232-20e5582596ac": { "min_stack_version": "8.3", @@ -5232,9 +5304,9 @@ "c8935a8b-634a-4449-98f7-bb24d3b2c0af": { "min_stack_version": "8.3", "rule_name": "Potential Linux Ransomware Note Creation Detected", - "sha256": "96682e9b9640c83fb004fefdfadefa0499ffaee2f18b224c2a919c0be924579c", + "sha256": "04cafeaaf4f851803bb0fe3eeaf313e600c55078140ffc472b47faa850bbf3b0", "type": "eql", - "version": 3 + "version": 4 }, "c8b150f0-0164-475b-a75e-74b47800a9ff": { "min_stack_version": "8.3", @@ -5253,9 +5325,9 @@ "c9482bfa-a553-4226-8ea2-4959bd4f7923": { "min_stack_version": "8.3", "rule_name": "Potential Masquerading as Communication Apps", - "sha256": "c5f7d275928258df63c614f5bb01560d06bb745be25420b100d1caeb9e57a53b", + "sha256": "407f97d6402f538a62f3547c4036a01df2a4cf493bf5845da4235b85dcb890fd", "type": "eql", - "version": 1 + "version": 2 }, "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": { "min_stack_version": "8.3", 
@@ -5296,9 +5368,9 @@ } }, "rule_name": "Abnormal Process ID or Lock File Created", - "sha256": "d76db814f07cf25a8e686f720a3a92b86455db0f2209dc2a12e1f31d5444e096", + "sha256": "cb7ecdd09505eeb2f0952f5a029fae4a911a4a4c7f92fde6d6e49924b3a5b9a3", "type": "new_terms", - "version": 207 + "version": 208 }, "cad4500a-abd7-4ef3-b5d3-95524de7cfe1": { "min_stack_version": "8.4", @@ -5569,6 +5641,13 @@ "type": "machine_learning", "version": 102 }, + "d55436a8-719c-445f-92c4-c113ff2f9ba5": { + "min_stack_version": "8.3", + "rule_name": "Potential Privilege Escalation via UID INT_MAX Bug Detected", + "sha256": "a838854fa6bc595bb96ed3c2a78e96949041fac6d4f0a4cd707798843927f84b", + "type": "eql", + "version": 1 + }, "d563aaba-2e72-462b-8658-3e5ea22db3a6": { "min_stack_version": "8.3", "rule_name": "Privilege Escalation via Windir Environment Variable", @@ -5711,9 +5790,9 @@ "da87eee1-129c-4661-a7aa-57d0b9645fad": { "min_stack_version": "8.3", "rule_name": "Suspicious Service was Installed in the System", - "sha256": "5efb26e2d2ec42884669c1bb7a75c13a7cd1f715a01e5791488eb2adfc2cceed", + "sha256": "21882fe93edaef610a0b27aef9155e98576d28411bb1deb9914a0163f9f81694", "type": "eql", - "version": 7 + "version": 8 }, "da986d2c-ffbf-4fd6-af96-a88dbf68f386": { "rule_name": "Linux Restricted Shell Breakout via the gcc command", @@ -6224,6 +6303,13 @@ "type": "query", "version": 102 }, + "eb44611f-62a8-4036-a5ef-587098be6c43": { + "min_stack_version": "8.3", + "rule_name": "PowerShell Script with Webcam Video Capture Capabilities", + "sha256": "4fd30c5b6cde137af4b4bfbe6147e6b9b22ee92011d517f81f11bfd501ecd62d", + "type": "query", + "version": 1 + }, "eb610e70-f9e6-4949-82b9-f1c5bcd37c39": { "min_stack_version": "8.3", "rule_name": "PowerShell Kerberos Ticket Request", 
@@ -6659,9 +6745,9 @@ "fa3a59dc-33c3-43bf-80a9-e8437a922c7f": { "min_stack_version": "8.3", "rule_name": "Potential Reverse Shell via Suspicious Binary", - "sha256": "5d9ce6aa99975f3eafa06c77784d69acbaaa12c0c46b9f5b90d0f7b304651724", + "sha256": "79fc6be5da75fc9eaeafbb39e968ff4bc2967ffc934dddb84427c0a39050e79c", "type": "eql", - "version": 2 + "version": 3 }, "fa488440-04cc-41d7-9279-539387bf2a17": { "min_stack_version": "8.3", @@ -6748,9 +6834,9 @@ "ff10d4d8-fea7-422d-afb1-e5a2702369a9": { "min_stack_version": "8.6", "rule_name": "Cron Job Created or Changed by Previously Unknown Process", - "sha256": "e08ba3629f77b0f14dbb69c9ff288225c03c60802a7db963793ba77fe92c4383", + "sha256": "3050a1275d1edfd0cb61b4d07a4b3d7bd48a60653e19fa96aceda436a2380fed", "type": "new_terms", - "version": 2 + "version": 3 }, "ff4599cb-409f-4910-a239-52e4e6f532ff": { "min_stack_version": "8.7", @@ -6772,5 +6858,12 @@ "sha256": "6ea6272c4b6fd3f4e7e5dfdd1e521af24e89ac9633ee8ee964f52fa09e28d068", "type": "query", "version": 104 + }, + "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { + "min_stack_version": "8.3", + "rule_name": "Potential Sudo Token Manipulation via Process Injection", + "sha256": "f843662389115d2d135ceb3967be8b8614e5967be904f046447eeb9ebdc65100", + "type": "eql", + "version": 1 } } \ No newline at end of file diff --git a/detection_rules/rule.py b/detection_rules/rule.py index d3c3879da..177f51dd1 100644 --- a/detection_rules/rule.py +++ b/detection_rules/rule.py @@ -645,6 +645,7 @@ class NewTermsRuleData(QueryRuleData): kql_validator.validate(self, meta) feature_min_stack = Version.parse('8.4.0') feature_min_stack_extended_fields = Version.parse('8.6.0') + current_package_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True) # validate history window start field exists and is correct assert self.new_terms.history_window_start, \ 
@@ -657,11 +658,9 @@ class NewTermsRuleData(QueryRuleData):
 f"{self.new_terms.field} should be 'new_terms_fields' for new_terms rule type"
 # ecs validation
- min_stack_version = meta.get("min_stack_version")
- if min_stack_version is None:
- min_stack_version = Version.parse(load_current_package_version(), optional_minor_and_patch=True)
- else:
- min_stack_version = Version.parse(min_stack_version)
+ min_stack_version = Version.parse(meta.get("min_stack_version")) if meta.get("min_stack_version") else None
+ min_stack_version = current_package_version if min_stack_version is None or min_stack_version < \ current_package_version else min_stack_version
 assert min_stack_version >= feature_min_stack, \
 f"New Terms rule types only compatible with {feature_min_stack}+"
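Review bot: The `assert min_stack_version >= feature_min_stack` that follows the two added lines no longer checks the version the rule declares: the second added line replaces any `min_stack_version` below `current_package_version` with the package version, so a new_terms rule carrying `min_stack_version = "8.3"` passes the 8.4 feature gate as soon as the current package is 8.4 or newer, where the removed code would have failed it. If the intent is only to validate ECS fields against the newer of the two versions, keep the declared version for the gate and raise only the lookup version, e.g. `declared = Version.parse(meta["min_stack_version"]) if meta.get("min_stack_version") else current_package_version`, `assert declared >= feature_min_stack, ...`, `min_stack_version = max(declared, current_package_version)` (the `<` on the added line suggests `Version` is orderable). The first added line also calls `meta.get("min_stack_version")` twice where one lookup bound to a local would do. The enclosing method starts and ends outside this hunk, and `current_package_version` is assigned in the previous hunk.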
@@ -1002,30 +1001,33 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): current_stack_version = load_current_package_version() if self.check_restricted_field_version(field_name): - if isinstance(self.data, QueryRuleData) and self.data.language != 'lucene': - package_integrations = self.get_packaged_integrations(self.data, self.metadata, packages_manifest) + if (isinstance(self.data, QueryRuleData) or isinstance(self.data, MachineLearningRuleData)): + if (self.data.get('language') is not None and self.data.get('language') != 'lucene') or \ + self.data.get('type') == 'machine_learning': + package_integrations = self.get_packaged_integrations(self.data, self.metadata, + packages_manifest) - if not package_integrations: - return + if not package_integrations: + return - for package in package_integrations: - package["version"] = find_least_compatible_version( - package=package["package"], - integration=package["integration"], - current_stack_version=current_stack_version, - packages_manifest=packages_manifest) + for package in package_integrations: + package["version"] = find_least_compatible_version( + package=package["package"], + integration=package["integration"], + current_stack_version=current_stack_version, + packages_manifest=packages_manifest) - # if integration is not a policy template remove - if package["version"]: - policy_templates = packages_manifest[ - package["package"]][package["version"].strip("^")]["policy_templates"] - if package["integration"] not in policy_templates: - del package["integration"] + # if integration is not a policy template remove + if package["version"]: + policy_templates = packages_manifest[ + package["package"]][package["version"].strip("^")]["policy_templates"] + if package["integration"] not in policy_templates: + del package["integration"] - # remove duplicate entries - package_integrations = list({json.dumps(d, sort_keys=True): - d for d in package_integrations}.values()) - 
obj.setdefault("related_integrations", package_integrations) + # remove duplicate entries + package_integrations = list({json.dumps(d, sort_keys=True): + d for d in package_integrations}.values()) + obj.setdefault("related_integrations", package_integrations) def _convert_add_required_fields(self, obj: dict) -> None: """Add restricted field required_fields to the obj, derived from the query AST.""" @@ -1124,7 +1126,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): rule_integrations = meta.get("integration", []) if rule_integrations: for integration in rule_integrations: - if integration in definitions.NON_DATASET_PACKAGES: + if integration in definitions.NON_DATASET_PACKAGES or isinstance(data, MachineLearningRuleData): packaged_integrations.append({"package": integration, "integration": None}) for value in sorted(datasets): diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py index 6afdda4c5..05fdefcc4 100644 --- a/detection_rules/schemas/__init__.py +++ b/detection_rules/schemas/__init__.py @@ -256,6 +256,12 @@ def migrate_to_8_9(version: Version, api_contents: dict) -> dict: return strip_additional_properties(version, api_contents) +@migrate("8.10") +def migrate_to_8_10(version: Version, api_contents: dict) -> dict: + """Default migration for 8.10.""" + return strip_additional_properties(version, api_contents) + + def downgrade(api_contents: dict, target_version: str, current_version: Optional[str] = None) -> dict: """Downgrade a rule to a target stack version.""" from ..packaging import current_stack_version diff --git a/kibana/connector.py b/kibana/connector.py index 55aa3d0c4..ff1275316 100644 --- a/kibana/connector.py +++ b/kibana/connector.py 
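Review bot: `isinstance(self.data, QueryRuleData) or isinstance(self.data, MachineLearningRuleData)` on the first added line is the tuple form `isinstance(self.data, (QueryRuleData, MachineLearningRuleData))`, and the parentheses wrapped around the whole test are redundant. The inner condition on the next two lines calls `self.data.get('language')` twice and re-derives "is an ML rule" from `self.data.get('type') == 'machine_learning'` even though the outer line already established the class; binding `language = self.data.get('language')` once and writing `if language not in (None, 'lucene') or isinstance(self.data, MachineLearningRuleData):` says the same thing on one readable line (assuming `.get` is a dict-style accessor on these dataclasses, which the hunk does not show). A short why-comment would also help the next reader, something like `# ML rules have no query to derive datasets from; resolve their metadata integrations so related_integrations is still populated` — the reason is inferred from the `get_packaged_integrations` change below and should be confirmed. The enclosing method starts outside this hunk.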
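Review bot: `isinstance(data, MachineLearningRuleData)` on the changed line does not depend on `integration`, yet it is re-evaluated for every entry of `rule_integrations`; hoist it above the loop (`is_ml_rule = isinstance(data, MachineLearningRuleData)`) and test `if is_ml_rule or integration in definitions.NON_DATASET_PACKAGES:`. The special case also deserves a why-comment, since nothing on the line says it, e.g. `# ML rules carry no dataset to resolve, so each declared integration is recorded as a bare package`; that reading is inferred from the `datasets` loop that follows and should be confirmed. The enclosing function (called as `get_packaged_integrations` elsewhere in this diff) starts and ends outside the hunk.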
@@ -91,6 +91,11 @@ class Kibana(object):
 body = json.dumps(data)
 response = self.session.request(method, url, params=params, data=body, **kwargs)
+
+ if response.status_code != 200:
+ # retry once
+ response = self.session.request(method, url, params=params, data=body, **kwargs)
+
 if error:
 try:
 response.raise_for_status()
@@ -168,8 +173,9 @@ class Kibana(object):
 def add_cookie(self, cookie):
 """Add cookie to be used for auth (such as from an SSO session)."""
- # the request to /api/status will also add the cookie to the cookie jar upon a successful response
- self.session.headers['cookie'] = cookie
+ # https://www.elastic.co/guide/en/kibana/7.10/security-settings-kb.html#security-session-and-cookie-settings
+ self.session.headers['sid'] = cookie
+ self.session.cookies.set('sid', cookie)
 self.status = self.get('/api/status')
 self.authenticated = True
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index b3f833246..76e9531a4 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/30"
+updated_date = "2023/08/17"
 [rule]
 author = ["Elastic"]
@@ -64,7 +64,7 @@ references = [
 risk_score = 73
 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
 severity = "high"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
+tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
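Review bot: The added `if response.status_code != 200:` retries on every non-200 answer, which covers other success codes (201/204, if any Kibana endpoint returns them) and permanent client errors (401/403/404) alike, and it replays the request regardless of `method`, so a POST or DELETE that already took effect is sent a second time. Restrict the retry to transient server-side failures on idempotent calls, e.g. `if response.status_code >= 500 and method.upper() in ('GET', 'HEAD'):`, and say so in the comment: `# retry once on a 5xx; callers still see the final response`. A brief pause before the second attempt would make the retry more useful against a restarting Kibana, but that is a judgement call. The enclosing method starts and ends outside this hunk.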
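Review bot: `self.session.headers['sid'] = cookie` on the second added line of the `add_cookie` hunk sends the session secret as a custom request header named `sid`; the linked settings page describes `sid` as Kibana's session cookie, which the next added line already sets with `self.session.cookies.set('sid', cookie)`, so the header copies the credential into a place nothing reads and should be dropped. `cookies.set` without `domain`/`path` also leaves the cookie unscoped in the requests jar, which as far as I can tell sends it to any host this session contacts, including a redirect target; scope it, e.g. `self.session.cookies.set('sid', cookie, domain=urlparse(self.url).hostname, path='/')` (assuming the base URL is held on `self.url`, which is not visible here, and importing `urlparse` from `urllib.parse`). `self.authenticated = True` is then set unconditionally after `self.get('/api/status')`, which is only sound if `get` raises on a non-2xx response; a comment stating that dependency would help. The cited page is the 7.10 guide, while the rules in this diff target 8.x; the 8.x equivalent would be the better reference.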
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml index f03de066b..122c6d031 100644 --- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml +++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/30" +updated_date = "2023/08/17" [rule] author = ["Elastic", "@BenB196", "Austin Songer"] @@ -63,7 +63,7 @@ references = [ risk_score = 47 rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49" severity = "medium" -tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] +tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"] type = "threshold" query = ''' diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml index 7c51046db..9311bb1be 100644 --- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml +++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/30" +updated_date = "2023/08/17" [rule] author = ["Elastic"] 
@@ -61,7 +61,7 @@ references = [ risk_score = 73 rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7" severity = "high" -tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] +tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"] type = "eql" query = ''' diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml index a70670387..920423823 100644 --- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml +++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/30" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -63,7 +63,7 @@ references = [ risk_score = 47 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0" severity = "medium" -tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] +tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"] type = "threshold" query = ''' diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml index 59b6b5f77..8a06da032 100644 --- a/rules/integrations/okta/credential_access_user_impersonation_access.toml +++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml 
@@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/30" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -57,12 +57,7 @@ references = [ risk_score = 73 rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911" severity = "high" -tags = [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Credential Access", -] +tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml index 5517b1b40..58860e787 100644 --- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml +++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/30" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -71,12 +71,7 @@ references = [ risk_score = 47 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0" severity = "medium" -tags = [ - "Use Case: Identity and Access Audit", - "Data Source: Okta", - "Use Case: Identity and Access Audit", - "Tactic: Defense Evasion", -] +tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml index 559417274..10553afe9 100644 
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/30"
+updated_date = "2023/08/17"
 [rule]
 author = ["Elastic"]
@@ -69,12 +69,7 @@ references = [
 risk_score = 21
 rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
 severity = "low"
-tags = [
- "Use Case: Identity and Access Audit",
- "Data Source: Okta",
- "Use Case: Identity and Access Audit",
- "Tactic: Defense Evasion",
-]
+tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 2cd034832..4d461de63 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -63,7 +63,7 @@ references = [
 risk_score = 47
 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"]
 type = "threshold"
 query = '''
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index 566636821..344e04661 100644
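Review bot: `defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml` is the only Okta rule in this change whose diff rewrites the `tags` line without a matching `updated_date` bump; every sibling file pairs the same duplicate-tag removal with `updated_date = "2023/08/17"`, and the lock-file hunks earlier in this diff suggest a content change advances the rule's version, so the date should move with it: `updated_date = "2023/08/17"` in the `[metadata]` table, which is outside this hunk. The surviving tag order is also inconsistent across the Okta files in this change — `Data Source: Okta` ends up first, second or last depending on the file — which the dedup pass could normalise in one go, unless an ordering test already dictates it.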
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml +++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic", "Austin Songer"] @@ -24,7 +24,7 @@ references = [ risk_score = 21 rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Initial Access"] +tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml index 81d5cc46a..23b2763a4 100644 --- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml +++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -33,7 +33,7 @@ references = [ risk_score = 21 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"] +tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml index c9cfc03bf..cb4fb8ff1 100644 --- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml +++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -34,7 +34,7 @@ references = [ risk_score = 21 rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181" severity = "low" -tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"] +tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml index c89f3ee46..a79da174c 100644 --- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml +++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml @@ -4,7 +4,7 @@ integration = ["okta"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic"] 
@@ -34,7 +34,7 @@ references = [ risk_score = 47 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe" severity = "medium" -tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"] +tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml index 8c6044884..757b1664c 100644 --- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml +++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml index b6604a9e4..43d92a099 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml index 8a1f8a970..c68d24c04 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml index 535ec4df8..449a6ff3e 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml index fe67011bb..7d5f0f82d 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml index 5ff295ae4..108d1f6a6 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml index 3239c4169..5a7340a19 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml index 840a6e9bb..208bb5ed2 100644 --- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/22" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml index 067f3c66f..70948500d 100644 --- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml +++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/22" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml index 6c2d56fc7..3520d541d 100644 --- a/rules/ml/credential_access_ml_suspicious_login_activity.toml +++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml index 144f87ae7..2885596e7 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/22" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml index 3594d5bc0..4ef68ed70 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/22" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml index 907ebfd13..ed009b873 100644 --- a/rules/ml/discovery_ml_linux_system_information_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml index b17481a08..8dde1a9c8 100644 --- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 25 diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml index 78dd2101b..d92e316c9 100644 --- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml index 7d5cc31b4..13dc66315 100644 --- a/rules/ml/discovery_ml_linux_system_process_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml index 6c6dd7f8f..8ef069586 100644 --- a/rules/ml/discovery_ml_linux_system_user_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index cb71b9e52..9d4ac076c 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml +++ b/rules/ml/execution_ml_windows_anomalous_script.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml index ca7fca546..62b9e5aa4 100644 --- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml index 7b80e48e6..8246bb110 100644 --- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml +++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml index 6595b4e46..d8d0e3fb3 100644 --- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml index d6ae498c1..686ef15bb 100644 --- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml +++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml index d7fabf32b..ffd6ad723 100644 --- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml +++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml index b5b3997b0..b5289e0ad 100644 --- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml index ef0fe996f..22fb46f58 100644 --- a/rules/ml/ml_high_count_network_denies.toml +++ b/rules/ml/ml_high_count_network_denies.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/04/05" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml index 586a13ca5..6679f4147 100644 --- a/rules/ml/ml_high_count_network_events.toml +++ b/rules/ml/ml_high_count_network_events.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/04/05" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index 57cceb316..b1e96b676 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index f31032bb0..c27a15a5c 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index 281b50b98..4dcc51b2f 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index fb78f53cc..875c9fe09 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/04/05" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 30e06c92a..7e7d8b459 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml 
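Review bot: The `integration` value added to rules/ml/ml_packetbeat_rare_server_domain.toml is `["auditd_manager", "endpoint"]`, while the other network-oriented ML rules in this change (ml_high_count_network_denies, ml_rare_destination_country, ml_spike_in_traffic_to_a_country) receive `["endpoint", "network_traffic"]`. A rule named after a packetbeat job that models server domains presumably consumes network data rather than auditd host events, so this looks like it may have been copied from the Linux host rules; if so the line should read `integration = ["endpoint", "network_traffic"]`. Because `integration` drives the generated related_integrations list, a wrong value points users at the wrong data source to install. Please confirm against the ML job's datafeed before merging.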
@@ -1,9 +1,10 @@ [metadata] creation_date = "2021/04/05" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 13adcd989..338892739 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml index d432c97b9..75f0ca416 100644 --- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml index d2e156a9b..a5e44c9f7 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index fd95220d8..93bfc627f 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml index 8359c61e3..b326a14ac 100644 --- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml +++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml index f3ab471ea..dd5bcb424 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index 48f3ffe2d..f6c915343 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index 131dd0754..301458aae 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml index eb0f58161..93d94089a 100644 --- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 443c2340f..9aa047528 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml index 10f43cbc1..03c4d43ef 100644 --- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml +++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml index 74fff7e13..bab6a4656 100644 --- a/rules/network/command_and_control_nat_traversal_port_activity.toml +++ b/rules/network/command_and_control_nat_traversal_port_activity.toml 
@@ -4,7 +4,7 @@ integration = ["network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ name = "IPSEC NAT Traversal Port Activity" risk_score = 21 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7" severity = "low" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"] +tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml index 1d460d272..080ddea6a 100644 --- a/rules/network/command_and_control_port_26_activity.toml +++ b/rules/network/command_and_control_port_26_activity.toml @@ -4,7 +4,7 @@ integration = ["network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ references = [ risk_score = 21 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d" severity = "low" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"] +tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml index 4fd9b1e3d..5d3f3fa03 100644 --- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml +++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml 
@@ -4,7 +4,7 @@ integration = ["network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -33,7 +33,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 47 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488" severity = "medium" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"] +tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"] timeline_id = "300afc76-072d-4261-864d-4149714bf3f1" timeline_title = "Comprehensive Network Timeline" timestamp_override = "event.ingested" diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml index afd295d9a..5d980ddde 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml @@ -4,7 +4,7 @@ integration = ["network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 73 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8" severity = "high" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"] +tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml index adb6ed821..a90903ee3 100644 --- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml +++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml @@ -4,7 +4,7 @@ integration = ["network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 47 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf" severity = "medium" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"] +tags = ["Tactic: Command and Control", "Domain: Endpoint", "Use Case: Threat Detection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml index 091203ffc..03c15e746 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml @@ -4,7 +4,7 @@ integration = ["network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic"] 
@@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 73 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a" severity = "high" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"] +tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml index 7a43eecdb..0fd6a76c3 100644 --- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml +++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml @@ -4,7 +4,7 @@ integration = ["network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 73 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb" severity = "high" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"] +tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml index 9cb466a12..8660b2b1c 100644 --- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml +++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml 
@@ -4,7 +4,7 @@ integration = ["network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/17" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana- risk_score = 73 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a" severity = "high" -tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"] +tags = ["Tactic: Initial Access", "Domain: Endpoint", "Use Case: Threat Detection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 8752a6e53..4bac504b5 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/05" +updated_date = "2023/08/21" [rule] author = ["Elastic"] @@ -90,11 +90,11 @@ event.category:process and host.os.type:windows and powershell.file.script_block_text : (GetAsyncKeyState or NtUserGetAsyncKeyState or GetKeyboardState or "Get-Keystrokes") or powershell.file.script_block_text : ( (SetWindowsHookA or SetWindowsHookW or SetWindowsHookEx or SetWindowsHookExA or NtUserSetWindowsHookEx) and - (GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL") + (GetForegroundWindow or GetWindowTextA or GetWindowTextW or "WM_KEYBOARD_LL" or "WH_MOUSE_LL") ) ) and not user.id : "S-1-5-18" and not powershell.file.script_block_text : ( - "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators" + "sentinelbreakpoints" and "Set-PSBreakpoint" ) ''' 
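Review bot: The exclusion at the end of the query in rules/windows/collection_posh_keylogger.toml now requires only two literal strings, `"sentinelbreakpoints" and "Set-PSBreakpoint"`, instead of three, so it suppresses more script blocks than before, and a two-term string allowlist is a weak exclusion on a keylogging detection. If the intent is to tolerate one specific known tool, name it in an inline comment next to the exclusion and keep a third term that is distinctive to that tool rather than dropping down to generic breakpoint vocabulary. Separately, `"WH_MOUSE_LL"` is a low-level mouse-hook constant; since the rule's name and description (outside this hunk) speak of keystrokes, the description should mention that mouse-hook installation is now also in scope. The query block starts before this hunk.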
diff --git a/rules/windows/credential_access_posh_kerb_ticket_dump.toml b/rules/windows/credential_access_posh_kerb_ticket_dump.toml new file mode 100644 index 000000000..1eea7bc0f --- /dev/null +++ b/rules/windows/credential_access_posh_kerb_ticket_dump.toml 
@@ -0,0 +1,99 @@ +[metadata] +creation_date = "2023/07/26" +integration = ["windows"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/07/26" + +[rule] +author = ["Elastic"] +description = """ +Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an +attacker's attempt to acquire credentials for lateral movement. +""" +from = "now-9m" +index = ["winlogbeat-*", "logs-windows.*"] +language = "kuery" +license = "Elastic License v2" +name = "PowerShell Kerberos Ticket Dump" +note = """## Setup + +The 'PowerShell Script Block Logging' logging policy must be enabled. +Steps to implement the logging policy with Advanced Audit Configuration: + +``` +Computer Configuration > +Administrative Templates > +Windows PowerShell > +Turn on PowerShell Script Block Logging (Enable) +``` + +Steps to implement the logging policy via registry: + +``` +reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 +``` +""" +references = [ + "https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1", +] +risk_score = 47 +rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56" +severity = "medium" +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.category:process and host.os.type:windows and + powershell.file.script_block_text : ( + "LsaCallAuthenticationPackage" and + ( + "KerbRetrieveEncodedTicketMessage" or + "KerbQueryTicketCacheMessage" or + "KerbQueryTicketCacheExMessage" or + "KerbQueryTicketCacheEx2Message" or + "KerbRetrieveTicketMessage" or + "KerbDecryptDataMessage" + ) + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1003" +name 
= "OS Credential Dumping" +reference = "https://attack.mitre.org/techniques/T1003/" + +[[rule.threat.technique]] +id = "T1558" +name = "Steal or Forge Kerberos Tickets" +reference = "https://attack.mitre.org/techniques/T1558/" + + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1059" +name = "Command and Scripting Interpreter" +reference = "https://attack.mitre.org/techniques/T1059/" +[[rule.threat.technique.subtechnique]] +id = "T1059.001" +name = "PowerShell" +reference = "https://attack.mitre.org/techniques/T1059/001/" + + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" + diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml index e95cd00a2..c494b0995 100644 --- a/rules/windows/credential_access_remote_sam_secretsdump.toml +++ b/rules/windows/credential_access_remote_sam_secretsdump.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/21" [rule] author = ["Elastic"] 
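Review bot: The new rule in rules/windows/credential_access_posh_kerb_ticket_dump.toml carries no `false_positives` entry, although the LSA Kerberos message constants it matches (`KerbQueryTicketCacheMessage`, `KerbRetrieveEncodedTicketMessage`) are also used by legitimate ticket-cache inspection and troubleshooting scripts. Consider adding `false_positives = ["Legitimate PowerShell scripts that enumerate or export Kerberos tickets for troubleshooting or auditing."]` to the `[rule]` table so triage guidance ships with the detection. The sibling PowerShell rule touched in this same commit (collection_posh_keylogger.toml) excludes `user.id : "S-1-5-18"` while this one does not; keeping SYSTEM-context script blocks in scope is arguably right for a credential-access rule, but stating that choice in the `note` would stop a later contributor from "harmonizing" it away.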
@@ -73,22 +73,14 @@ tags = [ "Tactic: Credential Access", "Resources: Investigation Guide", ] +timestamp_override = "event.ingested" type = "eql" query = ''' -sequence by host.id, user.id with maxspan=1m - [authentication where - event.outcome == "success" and event.action == "logged-in" and - winlog.logon.type == "Network" and not user.name == "ANONYMOUS LOGON" and - not user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and source.ip !="::1"] - [file where event.action == "creation" and process.name : "svchost.exe" and +file where host.os.type == "windows" and + event.action == "creation" and process.name : "svchost.exe" and file.Ext.header_bytes : "72656766*" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and file.size >= 30000 and - not file.path : - ("?:\\Windows\\system32\\HKEY_LOCAL_MACHINE_SOFTWARE_Microsoft_*.registry", - "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat.LOG?", - "?:\\Users\\*\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat", - "?:\\Users\\*\\ntuser.dat.LOG?", - "?:\\Users\\*\\NTUSER.DAT")] + file.path : ("?:\\Windows\\system32\\*.tmp", "?:\\WINDOWS\\Temp\\*.tmp") ''' diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml index 7d949a628..69297a080 100644 --- a/rules/windows/discovery_system_service_discovery.toml +++ b/rules/windows/discovery_system_service_discovery.toml @@ -4,7 +4,7 @@ integration = ["windows", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/12" [rule] author = ["Elastic"] 
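Review bot: The rewritten query in rules/windows/credential_access_remote_sam_secretsdump.toml no longer correlates the hive-file creation with a preceding network logon, so any `svchost.exe` writing a file with the registry-hive header `72656766*` under `System32\*.tmp` or `Windows\Temp\*.tmp` now fires regardless of whether the access was remote. The rule's name and the `tags` above the hunk still frame this as a remote SAM dump; if the file-only form is intentional, the description (outside this hunk) should state that remote origin is no longer a condition and that analysts should pivot to the corresponding logon events during triage. Replacing the old allowlist of legitimate hive paths (`UsrClass.dat`, `NTUSER.DAT`) with a positive `.tmp` match looks sound because those paths would never match `*.tmp`, but a one-line comment in the query explaining why the `.tmp` pattern is sufficient would help the next maintainer.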
@@ -29,7 +29,8 @@ process where host.os.type == "windows" and event.type == "start" and ( ((process.name: "net.exe" or process.pe.original_file_name == "net.exe" or (process.name : "net1.exe" and not process.parent.name : "net.exe")) and process.args : ("start", "use") and process.args_count == 2) or ((process.name: "sc.exe" or process.pe.original_file_name == "sc.exe") and process.args: ("query", "q*")) or - ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc") + ((process.name: "tasklist.exe" or process.pe.original_file_name == "tasklist.exe") and process.args: "/svc") or + (process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe") ) and not user.id : "S-1-5-18" ''' diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index ab07e8197..62c89c7e4 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/15" [transform] [[transform.osquery]] @@ -134,7 +134,7 @@ registry where host.os.type == "windows" and registry.data.strings != null and not ( /* Logitech G Hub */ ( - process.code_signature.trusted == true and process.code_signature.subject_name : "Logitech Inc" and + process.code_signature.trusted == true and process.code_signature.subject_name == "Logitech Inc" and process.name : "lghub_agent.exe" and registry.data.strings : ( "\"?:\\Program Files\\LGHUB\\lghub.exe\" --background" ) 
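Review bot: The new `psservice.exe` clause in rules/windows/discovery_system_service_discovery.toml has no `process.args` constraint, unlike the `net`, `sc` and `tasklist` clauses beside it, so every PsService invocation—including administrative `start`, `stop` and `setconfig` operations that are not discovery—will match and raise the rule's false-positive rate. If the intent is discovery only, constrain it like its siblings, e.g. `(process.name : "psservice.exe" or process.pe.original_file_name == "psservice.exe") and process.args : ("query", "config")`; if broad coverage of the tool is deliberate, add a `/* any PsService use is considered discovery */` comment so the asymmetry reads as intentional. The query block starts outside this hunk.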
@@ -142,7 +142,7 @@ registry where host.os.type == "windows" and registry.data.strings != null and /* Google Drive File Stream, Chrome, and Google Update */ ( - process.code_signature.trusted == true and process.code_signature.subject_name : "Google LLC" and + process.code_signature.trusted == true and process.code_signature.subject_name == "Google LLC" and ( process.name : "GoogleDriveFS.exe" and registry.data.strings : ( "\"?:\\Program Files\\Google\\Drive File Stream\\*\\GoogleDriveFS.exe\" --startup_mode" @@ -161,7 +161,7 @@ registry where host.os.type == "windows" and registry.data.strings != null and /* MS Programs */ ( - process.code_signature.trusted == true and process.code_signature.subject_name : ("Microsoft Windows", "Microsoft Corporation") and + process.code_signature.trusted == true and process.code_signature.subject_name in ("Microsoft Windows", "Microsoft Corporation") and ( process.name : "msedge.exe" and registry.data.strings : ( "\"?:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window --win-session-start /prefetch:5" 
@@ -190,15 +190,16 @@ registry where host.os.type == "windows" and registry.data.strings != null and /* Slack */ ( - process.code_signature.trusted == true and process.code_signature.subject_name : "Slack Technologies, Inc." and - process.name : "slack.exe" and registry.data.strings : ( + process.code_signature.trusted == true and process.code_signature.subject_name in ( + "Slack Technologies, Inc.", "Slack Technologies, LLC" + ) and process.name : "slack.exe" and registry.data.strings : ( "\"?:\\Users\\*\\AppData\\Local\\slack\\slack.exe\" --process-start-args --startup" ) ) or /* WebEx */ ( - process.code_signature.trusted == true and process.code_signature.subject_name : ("Cisco WebEx LLC", "Cisco Systems, Inc.") and + process.code_signature.trusted == true and process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.name : "WebexHost.exe" and registry.data.strings : ( "\"?:\\Users\\*\\AppData\\Local\\WebEx\\WebexHost.exe\" /daemon /runFrom=autorun" ) diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml index 5640bdd05..df47b515e 100644 --- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml +++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/21" [rule] author = ["Elastic"] 
@@ -27,24 +27,17 @@ risk_score = 73 rule_id = "6bed021a-0afb-461c-acbe-ffdb9574d3f3" severity = "high" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"] +timestamp_override = "event.ingested" type = "eql" query = ''' -sequence by winlog.computer_name with maxspan=5m - - [authentication where event.action == "logged-in" and - winlog.logon.type == "Network" and event.outcome == "success" and - not user.name == "ANONYMOUS LOGON" and not winlog.event_data.SubjectUserName : "*$" and - not user.domain == "NT AUTHORITY" and source.ip != "127.0.0.1" and source.ip !="::1"] by winlog.event_data.TargetLogonId - - [iam where event.action == "changed-computer-account" and +iam where event.action == "changed-computer-account" and user.id : ("S-1-5-21-*", "S-1-12-1-*") and /* if DnsHostName value equal a DC DNS hostname then it's highly suspicious */ winlog.event_data.DnsHostName : "??*" and /* exclude FPs where DnsHostName starts with the ComputerName that was changed */ not startswith~(winlog.event_data.DnsHostName, substring(winlog.event_data.TargetUserName, 0, length(winlog.event_data.TargetUserName) - 1)) - ] by winlog.event_data.SubjectLogonId ''' diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml index 1adc09548..4d4138c3b 100644 --- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml +++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/08/22" [rule] author = ["Elastic"] 
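Review bot: Collapsing the sequence in rules/windows/privilege_escalation_suspicious_dnshostname_update.toml into a single `iam` event drops the `not winlog.event_data.SubjectUserName : "*$"` condition that previously excluded machine accounts as the actor, and nothing in the remaining `iam` clause restores it. If excluding computer-account subjects is still wanted, add `not winlog.event_data.SubjectUserName : "*$" and` after the `user.id` line; if the drop is deliberate because the `startswith~` self-update exclusion is considered sufficient, a short comment in the query saying so would prevent it being re-added later. The `description` and `note` for this rule sit outside the hunk and should also be checked, since they may still describe the two-event correlation that no longer exists.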
@@ -49,12 +49,39 @@ process where host.os.type == "windows" and event.action == "start" and "?:\\Windows\\System32\\Wermgr.exe", "?:\\Windows\\SysWOW64\\Wermgr.exe", "?:\\Windows\\SoftwareDistribution\\Download\\Install\\securityhealthsetup.exe") and + /* Logon Utilities */ + not (process.parent.executable : "?:\\Windows\\System32\\Utilman.exe" and + process.executable : ("?:\\Windows\\System32\\osk.exe", + "?:\\Windows\\System32\\Narrator.exe", + "?:\\Windows\\System32\\Magnify.exe")) and not process.parent.executable : "?:\\Windows\\System32\\AtBroker.exe" and not (process.code_signature.subject_name in ("philandro Software GmbH", "Freedom Scientific Inc.", "TeamViewer Germany GmbH", "Projector.is, Inc.", - "TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc") and process.code_signature.trusted == true) + "TeamViewer GmbH", "Cisco WebEx LLC", "Dell Inc") and process.code_signature.trusted == true) and + + /* AM_Delta_Patch Windows Update */ + not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and + process.parent.executable : ("?:\\Windows\\System32\\wuauclt.exe", + "?:\\Windows\\SysWOW64\\wuauclt.exe", + "?:\\Windows\\UUS\\Packages\\Preview\\*\\wuaucltcore.exe", + "?:\\Windows\\UUS\\amd64\\wuauclt.exe", + "?:\\Windows\\UUS\\amd64\\wuaucltcore.exe", + "?:\\ProgramData\\Microsoft\\Windows\\UUS\\*\\wuaucltcore.exe")) and + not (process.executable : ("?:\\Windows\\System32\\MpSigStub.exe", "?:\\Windows\\SysWOW64\\MpSigStub.exe") and process.parent.executable == null) and + + /* Other third party SW */ + not process.parent.executable : + ("?:\\Program Files (x86)\\HEAT Software\\HEAT Remote\\HEATRemoteServer.exe", + "?:\\Program Files (x86)\\VisualCron\\VisualCronService.exe", + "?:\\Program Files\\BinaryDefense\\Vision\\Agent\\bds-vision-agent-app.exe", + "?:\\Program Files\\Tablet\\Wacom\\WacomHost.exe", + "?:\\Program Files (x86)\\LogMeIn\\x64\\LogMeIn.exe", + "?:\\Program Files (x86)\\EMC Captiva\\Captiva Cloud 
Runtime\\Emc.Captiva.WebCaptureRunner.exe", + "?:\\Program Files\\Freedom Scientific\\*.exe", + "?:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\*\\remoting_host.exe", + "?:\\Program Files (x86)\\GoToAssist Remote Support Customer\\*\\g2ax_comm_customer.exe") ''' diff --git a/rules_building_block/defense_evasion_dll_hijack.toml b/rules_building_block/defense_evasion_dll_hijack.toml new file mode 100644 index 000000000..775d0428e --- /dev/null +++ b/rules_building_block/defense_evasion_dll_hijack.toml 
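Review bot: The new `/* Other third party SW */` exclusions key on `process.parent.executable` path alone with no signer condition, and two of them carry wildcards (`"?:\\Program Files\\Freedom Scientific\\*.exe"`, `"...\\Chrome Remote Desktop\\*\\remoting_host.exe"`), so any process whose spoofed parent resolves to one of those paths is silently dropped from a privilege-escalation rule. The exclusions just above in the same hunk pair `subject_name` with `code_signature.trusted == true`; if the sensor populates the parent's signature fields, `process.parent.code_signature.trusted == true` is the natural hardening here, and otherwise each path should at least carry a comment naming the product and the false positive it was added for. The added `not (process.executable : (...MpSigStub.exe...) and process.parent.executable == null)` line means a parentless MpSigStub.exe is never evaluated; if that covers the parent exiting before the event is enriched, say so in the comment, because as written it reads as a blanket bypass. The enclosing `not (...)` and the `process where` head of this query start above the hunk.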
@@ -0,0 +1,65 @@
+[metadata]
+creation_date = "2023/07/12"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies digitally signed (trusted) processes loading unsigned DLLs. Attackers may plant their payloads into the
+application folder and invoke the legitimate application to execute the payload, masking actions they perform under a
+legitimate, trusted, and potentially elevated system or software process.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Unsigned DLL Loaded by a Trusted Process"
+risk_score = 21
+rule_id = "c20cd758-07b1-46a1-b03f-fa66158258b8"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+library where host.os.type == "windows" and
+ (dll.Ext.relative_file_creation_time <= 500 or
+ dll.Ext.relative_file_name_modify_time <= 500 or
+ dll.Ext.device.product_id : ("Virtual DVD-ROM", "Virtual Disk")) and dll.hash.sha256 != null and
+ process.code_signature.status :"trusted" and not dll.code_signature.status : ("trusted", "errorExpired", "errorCode_endpoint*") and
+ /* DLL loaded from the process.executable current directory */
+ endswith~(substring(dll.path, 0, length(dll.path) - (length(dll.name) + 1)), substring(process.executable, 0, length(process.executable) - (length(process.name) + 1)))
+ and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1574"
+name = "Hijack Execution Flow"
+reference = "https://attack.mitre.org/techniques/T1574/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.001"
+name = 
"DLL Search Order Hijacking"
+reference = "https://attack.mitre.org/techniques/T1574/001/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1574.002"
+name = "DLL Side-Loading"
+reference = "https://attack.mitre.org/techniques/T1574/002/"
+
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
diff --git a/rules_building_block/defense_evasion_file_permission_modification.toml b/rules_building_block/defense_evasion_file_permission_modification.toml
new file mode 100644
index 000000000..a31055733
--- /dev/null
+++ b/rules_building_block/defense_evasion_file_permission_modification.toml
@@ -0,0 +1,56 @@
+[metadata]
+creation_date = "2023/07/12"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the change of permissions/ownership of files/folders through built-in Windows utilities. Threat actors may
+require permission modification of files/folders to change, modify or delete them.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "File and Directory Permissions Modification"
+risk_score = 21
+rule_id = "bc9e4f5a-e263-4213-a2ac-1edf9b417ada"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+building_block_type = "default"
+type = "eql"
+
+query = '''
+process where event.type == "start" and host.os.type == "windows" and
+(
+ ((process.name: "icacls.exe" or process.pe.original_file_name == "iCACLS.EXE") and process.args: ("*:F", "/reset", "/setowner", "*grant*")) or
+ ((process.name: "cacls.exe" or process.pe.original_file_name == "CACLS.EXE") and process.args: ("/g", "*:f")) or
+ ((process.name: "takeown.exe" or process.pe.original_file_name == "takeown.exe") and process.args: ("/F")) or
+ ((process.name: "attrib.exe" or process.pe.original_file_name== "ATTRIB.EXE") and process.args: "-r")
+) and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1222"
+name = "File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1222.001"
+name = "Windows File and Directory Permissions Modification"
+reference = "https://attack.mitre.org/techniques/T1222/001/"
+
+
+[rule.threat.tactic]
+id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" diff --git a/rules_building_block/defense_evasion_masquerading_communication_apps.toml b/rules_building_block/defense_evasion_masquerading_communication_apps.toml index 3dfa116d3..78f7133ac 100644 --- a/rules_building_block/defense_evasion_masquerading_communication_apps.toml +++ b/rules_building_block/defense_evasion_masquerading_communication_apps.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/30" +updated_date = "2023/08/15" bypass_bbr_timing = true [rule] 
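Review bot: The `process.pe.original_file_name == ...` fallbacks use `==`, which is case-sensitive in EQL, and the literals are mixed-case (`"iCACLS.EXE"`, `"CACLS.EXE"`, `"takeown.exe"`, `"ATTRIB.EXE"`); if a binary's PE OriginalFilename differs in case from the value written here, the renamed-binary path of that branch silently never matches, so either confirm each literal against the PE metadata or use the case-insensitive `:` operator that the `process.name` checks on the same lines already use. On coverage, the icacls branch matches `"*:F"`, `"/reset"`, `"/setowner"` and `"*grant*"` but not `/deny` or `/remove`, which are the switches used to lock a service or security tool out of a file rather than take it over; consider whether they belong in this T1222.001 building block. The SYSTEM exclusion `not user.id : "S-1-5-18"` is reasonable for noise but should carry a comment saying so, since permission changes by a compromised service are exactly what it hides.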
@@ -32,42 +32,59 @@ process where host.os.type == "windows" and ( /* Slack */ (process.name : "slack.exe" and not - (process.code_signature.subject_name : "Slack Technologies, Inc." and process.code_signature.trusted == true) + (process.code_signature.subject_name in ( + "Slack Technologies, Inc.", + "Slack Technologies, LLC" + ) and process.code_signature.trusted == true) ) or /* WebEx */ (process.name : "WebexHost.exe" and not - (process.code_signature.subject_name : ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true) + (process.code_signature.subject_name in ("Cisco WebEx LLC", "Cisco Systems, Inc.") and process.code_signature.trusted == true) ) or /* Teams */ (process.name : "Teams.exe" and not - (process.code_signature.subject_name : "Microsoft Corporation" and process.code_signature.trusted == true) + (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) ) or /* Discord */ (process.name : "Discord.exe" and not - (process.code_signature.subject_name : "Discord Inc." and process.code_signature.trusted == true) + (process.code_signature.subject_name == "Discord Inc." and process.code_signature.trusted == true) ) or /* RocketChat */ (process.name : "Rocket.Chat.exe" and not - (process.code_signature.subject_name : "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true) + (process.code_signature.subject_name == "Rocket.Chat Technologies Corp." and process.code_signature.trusted == true) ) or /* Mattermost */ (process.name : "Mattermost.exe" and not - (process.code_signature.subject_name : "Mattermost, Inc." and process.code_signature.trusted == true) + (process.code_signature.subject_name == "Mattermost, Inc." 
and process.code_signature.trusted == true) ) or /* WhatsApp */ (process.name : "WhatsApp.exe" and not - (process.code_signature.subject_name : "WhatsApp LLC" and process.code_signature.trusted == true) + (process.code_signature.subject_name in ( + "WhatsApp LLC", + "WhatsApp, Inc", + "24803D75-212C-471A-BC57-9EF86AB91435" + ) and process.code_signature.trusted == true) ) or /* Zoom */ (process.name : "Zoom.exe" and not - (process.code_signature.subject_name : "Zoom Video Communications, Inc." and process.code_signature.trusted == true) + (process.code_signature.subject_name == "Zoom Video Communications, Inc." and process.code_signature.trusted == true) + ) or + + /* Outlook */ + (process.name : "outlook.exe" and not + (process.code_signature.subject_name == "Microsoft Corporation" and process.code_signature.trusted == true) + ) or + + /* Thunderbird */ + (process.name : "thunderbird.exe" and not + (process.code_signature.subject_name == "Mozilla Corporation" and process.code_signature.trusted == true) ) ) ''' diff --git a/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml new file mode 100644 index 000000000..835f72aef --- /dev/null +++ b/rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml 
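Review bot: The WhatsApp exclusion now accepts the bare GUID `"24803D75-212C-471A-BC57-9EF86AB91435"` as a `subject_name` with nothing telling a reader which publisher certificate that is; add a comment such as `/* opaque GUID subject name: record which WhatsApp certificate this was observed on before editing */` so the entry can be validated later instead of copied blindly. Replacing `:` with `==`/`in` makes every signer comparison case-sensitive; because these sit inside `not (...)`, a case mismatch in telemetry surfaces as extra alerts on legitimate binaries rather than missed detections, which is the right failure direction but worth a one-line comment near the top of the query. The new `outlook.exe` and `thunderbird.exe` branches follow the same signer-plus-`trusted == true` pattern as the rest and look consistent.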
@@ -0,0 +1,71 @@ +[metadata] +creation_date = "2023/08/20" +integration = ["endpoint"] +maturity = "production" +min_stack_comments = "New fields added: required_fields, related_integrations, setup" +min_stack_version = "8.3.0" +updated_date = "2023/08/20" +bypass_bbr_timing = true + +[rule] +author = ["Elastic"] +description = """ +Identifies suspicious instances of default system32 executables, either unsigned or signed with non-MS certificates. +This could indicate the attempt to masquerade as system executables or backdoored and resigned legitimate executables. +""" +from = "now-9m" +index = ["logs-endpoint.events.*"] +language = "eql" +license = "Elastic License v2" +name = "Potential Masquerading as System32 Executable" +risk_score = 21 +rule_id = "79ce2c96-72f7-44f9-88ef-60fa1ac2ce47" +severity = "low" +tags = ["Domain: Endpoint", "Data Source: Elastic Defend", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Rule Type: BBR"] +timestamp_override = "event.ingested" +building_block_type = "default" +type = "eql" + +query = ''' +process where event.type == "start" and process.code_signature.status : "*" and + process.name: ( + "agentactivationruntimestarter.exe", "agentservice.exe", "aitstatic.exe", "alg.exe", "apphostregistrationverifier.exe", "appidcertstorecheck.exe", "appidpolicyconverter.exe", "appidtel.exe", "applicationframehost.exe", "applysettingstemplatecatalog.exe", "applytrustoffline.exe", "approvechildrequest.exe", "appvclient.exe", "appvdllsurrogate.exe", "appvnice.exe", "appvshnotify.exe", "arp.exe", "assignedaccessguard.exe", "at.exe", "atbroker.exe", "attrib.exe", "audiodg.exe", "auditpol.exe", "authhost.exe", "autochk.exe", "autoconv.exe", "autofmt.exe", "axinstui.exe", "baaupdate.exe", "backgroundtaskhost.exe", "backgroundtransferhost.exe", "bcdboot.exe", "bcdedit.exe", "bdechangepin.exe", "bdehdcfg.exe", "bdeuisrv.exe", "bdeunlock.exe", "bioiso.exe", "bitlockerdeviceencryption.exe", "bitlockerwizard.exe", 
"bitlockerwizardelev.exe", "bitsadmin.exe", "bootcfg.exe", "bootim.exe", "bootsect.exe", "bridgeunattend.exe", "browserexport.exe", "browser_broker.exe", "bthudtask.exe", "bytecodegenerator.exe", "cacls.exe", "calc.exe", "camerasettingsuihost.exe", "castsrv.exe", "certenrollctrl.exe", "certreq.exe", "certutil.exe", "change.exe", "changepk.exe", "charmap.exe", "checknetisolation.exe", "chglogon.exe", "chgport.exe", "chgusr.exe", "chkdsk.exe", "chkntfs.exe", "choice.exe", "cidiag.exe", "cipher.exe", "cleanmgr.exe", "cliconfg.exe", "clip.exe", "clipup.exe", "cloudexperiencehostbroker.exe", "cloudnotifications.exe", "cmd.exe", "cmdkey.exe", "cmdl32.exe", "cmmon32.exe", "cmstp.exe", "cofire.exe", "colorcpl.exe", "comp.exe", "compact.exe", "compattelrunner.exe", "compmgmtlauncher.exe", "comppkgsrv.exe", "computerdefaults.exe", "conhost.exe", "consent.exe", "control.exe", "convert.exe", "convertvhd.exe", "coredpussvr.exe", "credentialenrollmentmanager.exe", "credentialuibroker.exe", "credwiz.exe", "cscript.exe", "csrss.exe", "ctfmon.exe", "cttune.exe", "cttunesvr.exe", "custominstallexec.exe", "customshellhost.exe", "dashost.exe", "dataexchangehost.exe", "datastorecachedumptool.exe", "dccw.exe", "dcomcnfg.exe", "ddodiag.exe", "defrag.exe", "deploymentcsphelper.exe", "desktopimgdownldr.exe", "devicecensus.exe", "devicecredentialdeployment.exe", "deviceeject.exe", "deviceenroller.exe", "devicepairingwizard.exe", "deviceproperties.exe", "dfdwiz.exe", "dfrgui.exe", "dialer.exe", "directxdatabaseupdater.exe", "diskpart.exe", "diskperf.exe", "diskraid.exe", "disksnapshot.exe", "dism.exe", "dispdiag.exe", "displayswitch.exe", "djoin.exe", "dllhost.exe", "dllhst3g.exe", "dmcertinst.exe", "dmcfghost.exe", "dmclient.exe", "dmnotificationbroker.exe", "dmomacpmo.exe", "dnscacheugc.exe", "doskey.exe", "dpapimig.exe", "dpiscaling.exe", "dpnsvr.exe", "driverquery.exe", "drvinst.exe", "dsmusertask.exe", "dsregcmd.exe", "dstokenclean.exe", "dusmtask.exe", "dvdplay.exe", "dwm.exe", 
"dwwin.exe", "dxdiag.exe", "dxgiadaptercache.exe", "dxpserver.exe", "eap3host.exe", "easeofaccessdialog.exe", "easinvoker.exe", "easpolicymanagerbrokerhost.exe", "edpcleanup.exe", "edpnotify.exe", "eduprintprov.exe", "efsui.exe", "ehstorauthn.exe", "eoaexperiences.exe", "esentutl.exe", "eudcedit.exe", "eventcreate.exe", "eventvwr.exe", "expand.exe", "extrac32.exe", "fc.exe", "fclip.exe", "fhmanagew.exe", "filehistory.exe", "find.exe", "findstr.exe", "finger.exe", "fixmapi.exe", "fltmc.exe", "fodhelper.exe", "fondue.exe", "fontdrvhost.exe", "fontview.exe", "forfiles.exe", "fsavailux.exe", "fsiso.exe", "fsquirt.exe", "fsutil.exe", "ftp.exe", "fvenotify.exe", "fveprompt.exe", "gamebarpresencewriter.exe", "gamepanel.exe", "genvalobj.exe", "getmac.exe", "gpresult.exe", "gpscript.exe", "gpupdate.exe", "grpconv.exe", "hdwwiz.exe", "help.exe", "hostname.exe", "hvax64.exe", "hvix64.exe", "hvsievaluator.exe", "icacls.exe", "icsentitlementhost.exe", "icsunattend.exe", "ie4uinit.exe", "ie4ushowie.exe", "iesettingsync.exe", "ieunatt.exe", "iexpress.exe", "immersivetpmvscmgrsvr.exe", "infdefaultinstall.exe", "inputswitchtoasthandler.exe", "iotstartup.exe", "ipconfig.exe", "iscsicli.exe", "iscsicpl.exe", "isoburn.exe", "klist.exe", "ksetup.exe", "ktmutil.exe", "label.exe", "languagecomponentsinstallercomhandler.exe", "launchtm.exe", "launchwinapp.exe", "legacynetuxhost.exe", "licensemanagershellext.exe", "licensingdiag.exe", "licensingui.exe", "locationnotificationwindows.exe", "locator.exe", "lockapphost.exe", "lockscreencontentserver.exe", "lodctr.exe", "logagent.exe", "logman.exe", "logoff.exe", "logonui.exe", "lpkinstall.exe", "lpksetup.exe", "lpremove.exe", "lsaiso.exe", "lsass.exe", "magnify.exe", "makecab.exe", "manage-bde.exe", "mavinject.exe", "mbaeparsertask.exe", "mblctr.exe", "mbr2gpt.exe", "mcbuilder.exe", "mdeserver.exe", "mdmagent.exe", "mdmappinstaller.exe", "mdmdiagnosticstool.exe", "mdres.exe", "mdsched.exe", "mfpmp.exe", "microsoft.uev.cscunpintool.exe", 
"microsoft.uev.synccontroller.exe", "microsoftedgebchost.exe", "microsoftedgecp.exe", "microsoftedgedevtools.exe", "microsoftedgesh.exe", "mmc.exe", "mmgaserver.exe", "mobsync.exe", "mountvol.exe", "mousocoreworker.exe", "mpnotify.exe", "mpsigstub.exe", "mrinfo.exe", "mschedexe.exe", "msconfig.exe", "msdt.exe", "msdtc.exe", "msfeedssync.exe", "msg.exe", "mshta.exe", "msiexec.exe", "msinfo32.exe", "mspaint.exe", "msra.exe", "msspellcheckinghost.exe", "mstsc.exe", "mtstocom.exe", "muiunattend.exe", "multidigimon.exe", "musnotification.exe", "musnotificationux.exe", "musnotifyicon.exe", "narrator.exe", "nbtstat.exe", "ndadmin.exe", "ndkping.exe", "net.exe", "net1.exe", "netbtugc.exe", "netcfg.exe", "netcfgnotifyobjecthost.exe", "netevtfwdr.exe", "nethost.exe", "netiougc.exe", "netplwiz.exe", "netsh.exe", "netstat.exe", "newdev.exe", "ngciso.exe", "nltest.exe", "notepad.exe", "nslookup.exe", "ntoskrnl.exe", "ntprint.exe", "odbcad32.exe", "odbcconf.exe", "ofdeploy.exe", "omadmclient.exe", "omadmprc.exe", "openfiles.exe", "openwith.exe", "optionalfeatures.exe", "osk.exe", "pacjsworker.exe", "packagedcwalauncher.exe", "packageinspector.exe", "passwordonwakesettingflyout.exe", "pathping.exe", "pcalua.exe", "pcaui.exe", "pcwrun.exe", "perfmon.exe", "phoneactivate.exe", "pickerhost.exe", "pinenrollmentbroker.exe", "ping.exe", "pkgmgr.exe", "pktmon.exe", "plasrv.exe", "pnpunattend.exe", "pnputil.exe", "poqexec.exe", "pospaymentsworker.exe", "powercfg.exe", "presentationhost.exe", "presentationsettings.exe", "prevhost.exe", "printbrmui.exe", "printfilterpipelinesvc.exe", "printisolationhost.exe", "printui.exe", "proquota.exe", "provlaunch.exe", "provtool.exe", "proximityuxhost.exe", "prproc.exe", "psr.exe", "pwlauncher.exe", "qappsrv.exe", "qprocess.exe", "query.exe", "quser.exe", "qwinsta.exe", "rasautou.exe", "rasdial.exe", "raserver.exe", "rasphone.exe", "rdpclip.exe", "rdpinit.exe", "rdpinput.exe", "rdpsa.exe", "rdpsaproxy.exe", "rdpsauachelper.exe", "rdpshell.exe", 
"rdpsign.exe", "rdrleakdiag.exe", "reagentc.exe", "recdisc.exe", "recover.exe", "recoverydrive.exe", "refsutil.exe", "reg.exe", "regedt32.exe", "regini.exe", "register-cimprovider.exe", "regsvr32.exe", "rekeywiz.exe", "relog.exe", "relpost.exe", "remoteapplifetimemanager.exe", "remoteposworker.exe", "repair-bde.exe", "replace.exe", "reset.exe", "resetengine.exe", "resmon.exe", "rmactivate.exe", "rmactivate_isv.exe", "rmactivate_ssp.exe", "rmactivate_ssp_isv.exe", "rmclient.exe", "rmttpmvscmgrsvr.exe", "robocopy.exe", "route.exe", "rpcping.exe", "rrinstaller.exe", "rstrui.exe", "runas.exe", "rundll32.exe", "runexehelper.exe", "runlegacycplelevated.exe", "runonce.exe", "runtimebroker.exe", "rwinsta.exe", "sc.exe", "schtasks.exe", "scriptrunner.exe", "sdbinst.exe", "sdchange.exe", "sdclt.exe", "sdiagnhost.exe", "searchfilterhost.exe", "searchindexer.exe", "searchprotocolhost.exe", "secedit.exe", "secinit.exe", "securekernel.exe", "securityhealthhost.exe", "securityhealthservice.exe", "securityhealthsystray.exe", "sensordataservice.exe", "services.exe", "sessionmsg.exe", "sethc.exe", "setspn.exe", "settingsynchost.exe", "setupcl.exe", "setupugc.exe", "setx.exe", "sfc.exe", "sgrmbroker.exe", "sgrmlpac.exe", "shellappruntime.exe", "shrpubw.exe", "shutdown.exe", "sigverif.exe", "sihclient.exe", "sihost.exe", "slidetoshutdown.exe", "slui.exe", "smartscreen.exe", "smss.exe", "sndvol.exe", "snippingtool.exe", "snmptrap.exe", "sort.exe", "spaceagent.exe", "spaceman.exe", "spatialaudiolicensesrv.exe", "spectrum.exe", "spoolsv.exe", "sppextcomobj.exe", "sppsvc.exe", "srdelayed.exe", "srtasks.exe", "stordiag.exe", "subst.exe", "svchost.exe", "sxstrace.exe", "syncappvpublishingserver.exe", "synchost.exe", "sysreseterr.exe", "systeminfo.exe", "systempropertiesadvanced.exe", "systempropertiescomputername.exe", "systempropertiesdataexecutionprevention.exe", "systempropertieshardware.exe", "systempropertiesperformance.exe", "systempropertiesprotection.exe", 
"systempropertiesremote.exe", "systemreset.exe", "systemsettingsadminflows.exe", "systemsettingsbroker.exe", "systemsettingsremovedevice.exe", "systemuwplauncher.exe", "systray.exe", "tabcal.exe", "takeown.exe", "tapiunattend.exe", "tar.exe", "taskhostw.exe", "taskkill.exe", "tasklist.exe", "taskmgr.exe", "tcblaunch.exe", "tcmsetup.exe", "tcpsvcs.exe", "thumbnailextractionhost.exe", "tieringengineservice.exe", "timeout.exe", "tokenbrokercookies.exe", "tpminit.exe", "tpmtool.exe", "tpmvscmgr.exe", "tpmvscmgrsvr.exe", "tracerpt.exe", "tracert.exe", "tscon.exe", "tsdiscon.exe", "tskill.exe", "tstheme.exe", "tswbprxy.exe", "ttdinject.exe", "tttracer.exe", "typeperf.exe", "tzsync.exe", "tzutil.exe", "ucsvc.exe", "uevagentpolicygenerator.exe", "uevappmonitor.exe", "uevtemplatebaselinegenerator.exe", "uevtemplateconfigitemgenerator.exe", "uimgrbroker.exe", "unlodctr.exe", "unregmp2.exe", "upfc.exe", "upgraderesultsui.exe", "upnpcont.exe", "upprinterinstaller.exe", "useraccountbroker.exe", "useraccountcontrolsettings.exe", "userinit.exe", "usoclient.exe", "utcdecoderhost.exe", "utilman.exe", "vaultcmd.exe", "vds.exe", "vdsldr.exe", "verclsid.exe", "verifier.exe", "verifiergui.exe", "vssadmin.exe", "vssvc.exe", "w32tm.exe", "waasmedicagent.exe", "waitfor.exe", "wallpaperhost.exe", "wbadmin.exe", "wbengine.exe", "wecutil.exe", "werfault.exe", "werfaultsecure.exe", "wermgr.exe", "wevtutil.exe", "wextract.exe", "where.exe", "whoami.exe", "wiaacmgr.exe", "wiawow64.exe", "wifitask.exe", "wimserv.exe", "winbiodatamodeloobe.exe", "windows.media.backgroundplayback.exe", "windows.warp.jitservice.exe", "windowsactiondialog.exe", "windowsupdateelevatedinstaller.exe", "wininit.exe", "winload.exe", "winlogon.exe", "winresume.exe", "winrs.exe", "winrshost.exe", "winrtnetmuahostserver.exe", "winsat.exe", "winver.exe", "wkspbroker.exe", "wksprt.exe", "wlanext.exe", "wlrmdr.exe", "wmpdmc.exe", "workfolders.exe", "wowreg32.exe", "wpcmon.exe", "wpctok.exe", "wpdshextautoplay.exe", 
"wpnpinst.exe", "wpr.exe", "write.exe", "wscadminui.exe", "wscollect.exe", "wscript.exe", "wsl.exe", "wsmanhttpconfig.exe", "wsmprovhost.exe", "wsqmcons.exe", "wsreset.exe", "wuapihost.exe", "wuauclt.exe", "wudfcompanionhost.exe", "wudfhost.exe", "wusa.exe", "wwahost.exe", "xblgamesavetask.exe", "xcopy.exe", "xwizard.exe", "aggregatorhost.exe", "diskusage.exe", "dtdump.exe", "ism.exe", "ndkperfcmd.exe", "ntkrla57.exe", "securekernella57.exe", "spaceutil.exe", "configure-smremoting.exe", "dcgpofix.exe", "dcpromo.exe", "dimc.exe", "diskshadow.exe", "drvcfg.exe", "escunattend.exe", "iashost.exe", "ktpass.exe", "lbfoadmin.exe", "netdom.exe", "rdspnf.exe", "rsopprov.exe", "sacsess.exe", "servermanager.exe", "servermanagerlauncher.exe", "setres.exe", "tsecimp.exe", "vssuirun.exe", "webcache.exe", "win32calc.exe", "certoc.exe", "sdndiagnosticstask.exe", "xpsrchvw.exe" + ) and + not ( + process.code_signature.subject_name in ( + "Microsoft Windows", + "Microsoft Corporation", + "Microsoft Windows Publisher" + ) and process.code_signature.trusted == true + ) and not process.code_signature.status: ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining") and + not + ( + process.executable: ( + "?:\\Program Files\\Git\\usr\\bin\\hostname.exe", + "?:\\Windows\\Temp\\{*}\\taskkill.exe", + "?:\\Users\\*\\AppData\\Local\\Temp\\{*}\\taskkill.exe", + "?:\\$WINDOWS.~BT\\NewOS\\Windows\\System32\\ie4ushowIE.exe", + "?:\\Program Files\\Git\\usr\\bin\\find.exe" + ) + ) and + not + ( + (process.name: "ucsvc.exe" and process.code_signature.subject_name == "Wellbia.com Co., Ltd." 
and process.code_signature.status: "trusted") or + (process.name: "pnputil.exe" and process.code_signature.subject_name: "Lenovo" and process.code_signature.status: "trusted") + ) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules_building_block/discovery_internet_capabilities.toml b/rules_building_block/discovery_internet_capabilities.toml new file mode 100644 index 000000000..187003d3e --- /dev/null +++ b/rules_building_block/discovery_internet_capabilities.toml 
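Review bot: Two of the path exclusions sit in user-writable locations — `"?:\\Windows\\Temp\\{*}\\taskkill.exe"` and `"?:\\Users\\*\\AppData\\Local\\Temp\\{*}\\taskkill.exe"` — so an unsigned or non-Microsoft-signed binary named taskkill.exe dropped under any `{GUID}` temp folder is never reported; if these come from a known installer, bind the exclusion to its signer (`process.code_signature.subject_name` plus `trusted == true`) the way the `ucsvc.exe`/`pnputil.exe` entries below already do, and record the product in a comment. The global `not process.code_signature.status: ("errorCode_endpoint*", "errorUntrustedRoot", "errorChaining")` also drops self-signed and private-CA-signed binaries, which is the cheapest way to produce the "signed with non-MS certificates" case the description says this rule targets; either narrow that exclusion or amend the description to state that untrusted-root and broken-chain signatures are deliberately out of scope. The leading `process.code_signature.status : "*"` guard presumably requires signature data to be present; a comment stating how the sensor represents a fully unsigned binary would confirm that the "unsigned" half of the description is actually reachable.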
@@ -0,0 +1,51 @@
+[metadata]
+creation_date = "2023/07/12"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of built-in tools attackers can use to check for Internet connectivity on compromised systems. These
+results may be used to determine communication capabilities with C2 servers, or to identify routes, redirectors, and
+proxy servers.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Discovery of Internet Capabilities via Built-in Tools"
+risk_score = 21
+rule_id = "7f89afef-9fc5-4e7b-bf16-75ffdf27f8db"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "eql"
+building_block_type = "default"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+ process.name : ("ping.exe", "tracert.exe", "pathping.exe") and
+ not process.args : ("127.0.0.1", "::1", "0.0.0.0", "192.168.*")
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1016"
+name = "System Network Configuration Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/"
+[[rule.threat.technique.subtechnique]]
+id = "T1016.001"
+name = "Internet Connection Discovery"
+reference = "https://attack.mitre.org/techniques/T1016/001/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules_building_block/discovery_posh_password_policy.toml b/rules_building_block/discovery_posh_password_policy.toml
new file mode 100644
index 000000000..e71108428
--- /dev/null
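Review bot: `tags` carries `"Data Source: Elastic Endgame"` while `index` is only `["logs-endpoint.events.*"]` and `integration = ["endpoint"]`, so the tag names a data source the rule never reads; the sibling building-block rule added in this same change uses `"Data Source: Elastic Defend"` for that index pattern, so change the tag to match (or add the Endgame index if it is meant to be covered). The exclusion `not process.args : ("127.0.0.1", "::1", "0.0.0.0", "192.168.*")` leaves the other private ranges (`10.*`, `172.16.*`–`172.31.*`) and plain internal hostnames in scope, so `ping dc01` or `tracert 10.0.0.1` is counted as an Internet-capability check; if that is intended, say so in the description, otherwise extend the list.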
+++ b/rules_building_block/discovery_posh_password_policy.toml 
@@ -0,0 +1,94 @@
+[metadata]
+creation_date = "2023/07/12"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM
+to perform lateral movement using built-in tools.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell Script with Password Policy Discovery Capabilities"
+note = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+risk_score = 21
+rule_id = "fe25d5bc-01fa-494a-95ff-535c29cc4c96"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "query"
+building_block_type = "default"
+
+query = '''
+event.category: "process" and host.os.type:windows and
+(
+ powershell.file.script_block_text: (
+ "Get-ADDefaultDomainPasswordPolicy" or
+ "Get-ADFineGrainedPasswordPolicy" or
+ "Get-ADUserResultantPasswordPolicy" or
+ "Get-DomainPolicy" or
+ "Get-GPPPassword" or
+ "Get-PassPol"
+ )
+ or
+ powershell.file.script_block_text: (
+ ("defaultNamingContext" or "ActiveDirectory.DirectoryContext" or "ActiveDirectory.DirectorySearcher") and
+ (
+ (
+ 
".MinLengthPassword" or
+ ".MinPasswordAge" or
+ ".MaxPasswordAge"
+ ) or
+ (
+ "minPwdAge" or
+ "maxPwdAge" or
+ "minPwdLength"
+ ) or
+ (
+ "msDS-PasswordSettings"
+ )
+ )
+ )
+) and not powershell.file.script_block_text : (
+ "sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"
+ )
+ and not user.id : "S-1-5-18"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1201"
+name = "Password Policy Discovery"
+reference = "https://attack.mitre.org/techniques/T1201/"
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"
diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
new file mode 100644
index 000000000..3aff00994
--- /dev/null
+++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml
@@ -0,0 +1,76 @@
+[metadata]
+creation_date = "2023/07/12"
+integration = ["windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2023/07/12"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies the use of Cmdlets and methods related to remote execution activities using WinRM. Attackers can abuse WinRM
+to perform lateral movement using built-in tools.
+"""
+from = "now-119m"
+interval = "60m"
+index = ["winlogbeat-*", "logs-windows.*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "PowerShell Script with Remote Execution Capabilities via WinRM"
+note = """## Setup
+
+The 'PowerShell Script Block Logging' logging policy must be enabled.
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Administrative Templates >
+Windows PowerShell >
+Turn on PowerShell Script Block Logging (Enable)
+```
+
+Steps to implement the logging policy via registry:
+
+```
+reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
+```
+"""
+references = [
+ "https://attack.mitre.org/techniques/T1021/006/",
+ "https://github.com/cobbr/SharpSploit/blob/master/SharpSploit/LateralMovement/PowerShellRemoting.cs",
+ "https://github.com/BC-SECURITY/Empire/blob/main/empire/server/modules/powershell/lateral_movement/invoke_psremoting.py"
+]
+risk_score = 21
+rule_id = "0abf0c5b-62dd-48d2-ac4e-6b43fe3a6e83"
+severity = "low"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: PowerShell Logs", "Rule Type: BBR"]
+timestamp_override = "event.ingested"
+type = "query"
+building_block_type = "default"
+
+query = '''
+event.category:process and host.os.type:windows and
+ powershell.file.script_block_text : (
+ ("Invoke-WmiMethod" or "Invoke-Command" or "Enter-PSSession") and "ComputerName"
+ )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1021"
+name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"
+[[rule.threat.technique.subtechnique]]
+id = "T1021.006"
+name = "Windows Remote Management"
+reference = "https://attack.mitre.org/techniques/T1021/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 333e363a4..f99192d00 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -424,6 +424,18 @@ class TestRuleTags(BaseRuleTest):
 if invalid:
 self.fail(f'Rules with invalid tags:\n{invalid}')
+ def test_no_duplicate_tags(self):
+ """Ensure no rules have duplicate tags."""
+ invalid = []
+
+ for rule in self.all_rules:
+ rule_tags = rule.contents.data.tags
+ if len(rule_tags) != len(set(rule_tags)):
+ invalid.append(self.rule_str(rule))
+
+ if invalid:
+ self.fail(f'Rules with duplicate tags:\n{invalid}')
+
 class TestRuleTimelines(BaseRuleTest):
 """Test timelines in rules are valid."""
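Review bot: The query treats `Invoke-WmiMethod` as a WinRM indicator, but as far as I know that cmdlet talks WMI over DCOM/RPC rather than WinRM, so hits on it sit outside the T1021.006 (Windows Remote Management) mapping the rule declares; either drop it, add the DCOM sub-technique to the threat mapping, or state the broader scope in the description. This rule also lacks the `and not user.id : "S-1-5-18"` SYSTEM exclusion and the `"sentinelbreakpoints" and "Set-PSBreakpoint" and "PowerSploitIndicators"` exclusion that the sibling password-policy rule applies; if that is deliberate, a TOML comment above `query` saying why would help the next maintainer, since management scripts running as SYSTEM are likely a common source of `Invoke-Command`/`ComputerName` script blocks.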
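Review bot: `len(rule_tags)` in `test_no_duplicate_tags` will raise TypeError instead of reporting the rule if a rule's `tags` is unset (None), assuming the rule schema allows tags to be omitted; the guard `rule_tags = rule.contents.data.tags or []` keeps the test from crashing on such a rule. The failure message also lists only the rule, not which tag repeats; collecting `dupes = sorted({t for t in rule_tags if rule_tags.count(t) > 1})` and appending `f'{self.rule_str(rule)}: {dupes}'` makes the failure actionable without a new import. The enclosing `TestRuleTags` class begins before this hunk.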