security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:elastic/detection-rules

Browse Source
This commit is contained in:
Mika Ayenson
2023-11-29 08:10:41 -06:00
parent 62b0afcdc6 bc39c20eaf
commit 802a869db0
78 changed files with 2749 additions and 369 deletions
Download Patch File Download Diff File Expand all files Collapse all files
detection_rules/etc/version.lock.json
+214 -137
View File
@@ -99,9 +99,9 @@
"02ea4563-ec10-4974-b7de-12e65aa4f9b3": {
"min_stack_version": "8.3",
"rule_name": "Dumping Account Hashes via Built-In Commands",
"sha256": "7a5170b3aaae9d499bfda31675011334d8bc6f2ce992414981042ce2563e0efe",
"sha256": "6995ce3fd849830e0591d6419fc8b53d604990cd30316594c1a70f032d3115a1",
"type": "query",
"version": 104
"version": 105
},
"03024bd9-d23f-4ec1-8674-3cf1a21e130b": {
"min_stack_version": "8.3",
@@ -269,23 +269,23 @@
"080bc66a-5d56-4d1f-8071-817671716db9": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Browser Child Process",
"sha256": "9170960c7d48e8e84833ee33402dc9fc313e3f5fc219be8eebf6c3fef43b13d6",
"sha256": "c250a73408b1392c937770c4ced1fb28a2703649fe04cdb78b0e5b7b4cf63ec8",
"type": "eql",
"version": 104
"version": 105
},
"082e3f8c-6f80-485c-91eb-5b112cb79b28": {
"min_stack_version": "8.3",
"rule_name": "Launch Agent Creation or Modification and Immediate Loading",
"sha256": "c0576e652d149dba1c8803419d6a632c9e994ab1037dbd4d33c61e67e376b878",
"sha256": "3e3611a0cd7131c9e8caba18a69dab717a16cf76442be2888fb39623e7a310bf",
"type": "eql",
"version": 104
"version": 105
},
"083fa162-e790-4d85-9aeb-4fea04188adb": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Hidden Child Process of Launchd",
"sha256": "24161e1b97e4d175337171d4edb04ae53af62b618e97bfadae325175a6a804b9",
"sha256": "102bf6dbf633ea578191b0cba7f03a80e733a63b307a563d2287868c832d13c4",
"type": "query",
"version": 104
"version": 105
},
"0859355c-0f08-4b43-8ff5-7d2a4789fc08": {
"min_stack_version": "8.4",
@@ -310,9 +310,9 @@
"092b068f-84ac-485d-8a55-7dd9e006715f": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Launch Agent or Daemon",
"sha256": "bffb87c25d97a23ef42d1aad12239934aaa88f15fbf46680f22c595a801286da",
"sha256": "a1faf99442ff04d9e895ed0ef988840ddea9fafcb839a00391dd27152099ecf8",
"type": "eql",
"version": 105
"version": 106
},
"09443c92-46b3-45a4-8f25-383b028b258d": {
"min_stack_version": "8.3",
@@ -517,9 +517,9 @@
"0ff84c42-873d-41a2-a4ed-08d74d352d01": {
"min_stack_version": "8.3",
"rule_name": "Privilege Escalation via Root Crontab File Modification",
"sha256": "e840e03f40e5ac088e2f850f08c2b1286f607a659a430a7051e44d31213c7a22",
"sha256": "667a8075ceb2fd14308a5c021811d4dadc06be89300c4eb74d8fc02268962810",
"type": "query",
"version": 104
"version": 105
},
"10754992-28c7-4472-be5b-f3770fd04f2d": {
"rule_name": "Linux Restricted Shell Breakout via awk Commands",
@@ -530,9 +530,9 @@
"10a500bb-a28f-418e-ba29-ca4c8d1a9f2f": {
"min_stack_version": "8.3",
"rule_name": "WebProxy Settings Modification",
"sha256": "264c4b78490cec9fae3de080bd655b5a1c53ff31c54b5704c76834b583f0516b",
"sha256": "8d0a544fd454889ae996a250c40de6b79ca174a55887fc883a6c0f1d6fb672b4",
"type": "query",
"version": 104
"version": 105
},
"11013227-0301-4a8c-b150-4db924484475": {
"min_stack_version": "8.3",
@@ -783,9 +783,9 @@
"15dacaa0-5b90-466b-acab-63435a59701a": {
"min_stack_version": "8.3",
"rule_name": "Virtual Private Network Connection Attempt",
"sha256": "2fddf303d95fc9181afbdf53833cd1e53d7499cd79cd616b07838eab1dc5f378",
"sha256": "91a1712e57b935ca9c222118c8d99f2ca99aa936eea6677ad83d308946976166",
"type": "eql",
"version": 105
"version": 106
},
"16280f1e-57e6-4242-aa21-bb4d16f13b2f": {
"min_stack_version": "8.3",
@@ -804,9 +804,9 @@
"16904215-2c95-4ac8-bf5c-12354e047192": {
"min_stack_version": "8.3",
"rule_name": "Potential Kerberos Attack via Bifrost",
"sha256": "0c96bfd65d7b122ff4af72519d72f2fc9837dcb1d9189a96e7c51301cf0ebcc5",
"sha256": "62f4c4c7d614af2f638274d716d37e705bfa849a15b241efb9a779e1eea0b8c0",
"type": "query",
"version": 104
"version": 105
},
"169f3a93-efc7-4df2-94d6-0d9438c310d1": {
"min_stack_version": "8.9",
@@ -1060,6 +1060,13 @@
"type": "eql",
"version": 106
},
"1ceb05c4-7d25-11ee-9562-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Okta Sign-In Events via Third-Party IdP",
"sha256": "3ad26713290c41884722d25cf2fee14ada4dfd908e0a162454e983458948145c",
"type": "query",
"version": 1
},
"1d276579-3380-4095-ad38-e596a01bc64f": {
"min_stack_version": "8.3",
"rule_name": "Remote File Download via Script Interpreter",
@@ -1205,9 +1212,9 @@
"20457e4f-d1de-4b92-ae69-142e27a4342a": {
"min_stack_version": "8.3",
"rule_name": "Access of Stored Browser Credentials",
"sha256": "3d1c5ae1b6b6134946ceb0fab3b028b7757a3cae9213e83e12d2ef7fb4af7498",
"sha256": "3e3f5aec51ac2d4bed5a22f8ab0e6bc87db4da5c76f3e93dd107ed6f15e2c5a2",
"type": "eql",
"version": 105
"version": 106
},
"205b52c4-9c28-4af4-8979-935f3278d61a": {
"min_stack_version": "8.3",
@@ -1345,6 +1352,13 @@
"type": "new_terms",
"version": 1
},
"260486ee-7d98-11ee-9599-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "New Okta Authentication Behavior Detected",
"sha256": "44887f3eb626b80c75a0110be4b26d1ce66bf37892a7bab818d90f36023aae1c",
"type": "query",
"version": 1
},
"2605aa59-29ac-4662-afad-8d86257c7c91": {
"min_stack_version": "8.3",
"rule_name": "Potential Suspicious DebugFS Root Device Access",
@@ -1516,6 +1530,13 @@
"type": "new_terms",
"version": 209
},
"29b53942-7cd4-11ee-b70e-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "New Okta Identity Provider (IdP) Added by Admin",
"sha256": "ed5ee5cca37901181403052c73c15575a768c00863a860235c68fae83f550ce1",
"type": "query",
"version": 1
},
"29ef5686-9b93-433e-91b5-683911094698": {
"min_stack_version": "8.6",
"rule_name": "Unusual Discovery Signal Alert with Unusual Process Command Line",
@@ -1655,6 +1676,13 @@
"type": "eql",
"version": 1
},
"2e56e1bc-867a-11ee-b13e-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Okta User Sessions Started from Different Geolocations",
"sha256": "3beda1aaafd667d3d07527a51968311e2237f960536219febd320c0b5ea7a0cc",
"type": "threshold",
"version": 1
},
"2e580225-2a58-48ef-938b-572933be06fe": {
"min_stack_version": "8.3",
"rule_name": "Halfbaked Command and Control Beacon",
@@ -1665,9 +1693,9 @@
"2edc8076-291e-41e9-81e4-e3fcbc97ae5e": {
"min_stack_version": "8.3",
"rule_name": "Creation of a Hidden Local User Account",
"sha256": "7def1140f5946506db0986d62813b2d07f78ddedf08032f5bb4d2e74b12db501",
"sha256": "de2e56710056a8b6da9dc0876399c464d483cd8d86b9960d864a3012ab56e30e",
"type": "eql",
"version": 107
"version": 108
},
"2f0bae2d-bf20-4465-be86-1311addebaa3": {
"min_stack_version": "8.3",
@@ -1835,9 +1863,9 @@
"35330ba2-c859-4c98-8b7f-c19159ea0e58": {
"min_stack_version": "8.3",
"rule_name": "Execution via Electron Child Process Node.js Module",
"sha256": "190febf9658cb01dd1a472ea2d24563052fffcf60417fbc65be5593e38ad92f5",
"sha256": "b91e01cbd654f79bb65cb81f07f055521e97ddb636f27bcb5c55ba7c599d55f0",
"type": "query",
"version": 104
"version": 105
},
"3535c8bb-3bd5-40f4-ae32-b7cd589d5372": {
"min_stack_version": "8.3",
@@ -1949,9 +1977,9 @@
"37f638ea-909d-4f94-9248-edd21e4a9906": {
"min_stack_version": "8.3",
"rule_name": "Finder Sync Plugin Registered and Enabled",
"sha256": "e43423649f4196e3471200c4baac5b465e0a667b3d1dbe95b7870b76ecd1410b",
"sha256": "b41ece736909738d8ea437111abfff24846ce37e0dbf28c436ad918ae7056fc5",
"type": "eql",
"version": 104
"version": 105
},
"3805c3dc-f82c-4f8d-891e-63c24d3102b0": {
"min_stack_version": "8.10",
@@ -1979,9 +2007,9 @@
"38948d29-3d5d-42e3-8aec-be832aaaf8eb": {
"min_stack_version": "8.3",
"rule_name": "Prompt for Credentials with OSASCRIPT",
"sha256": "7838d2f36bacd85c4a8333291f41d0755a4918b3a06ea5b7d88eb8a7e29dd8fc",
"sha256": "8ad731c423f1a7a201eea63221fa6f1c19645b46b39421558ced549ddda00f7d",
"type": "eql",
"version": 105
"version": 106
},
"38e5acdd-5f20-4d99-8fe4-f0a1a592077f": {
"min_stack_version": "8.3",
@@ -2136,9 +2164,9 @@
"3e3d15c6-1509-479a-b125-21718372157e": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Emond Child Process",
"sha256": "1a46d0e2338b7c09dad075c99009e807ddc32b686924dbd5102dde8cc4736bde",
"sha256": "712b5f698a3cdac28ddf24ce2c91dff930454f6cb82e79b2c623129ba42ac23b",
"type": "eql",
"version": 104
"version": 105
},
"3e441bdb-596c-44fd-8628-2cfdf4516ada": {
"min_stack_version": "8.3",
@@ -2266,9 +2294,9 @@
"41b638a1-8ab6-4f8e-86d9-466317ef2db5": {
"min_stack_version": "8.3",
"rule_name": "Potential Hidden Local User Account Creation",
"sha256": "8ddd47175f4b4ad6fa50a8ffba06037d5e67ddc829c8b6b6c09ec633b9aa2690",
"sha256": "473f098ef25c7659b7ec2c953c7fe83d29d17210bae3f18a76e7aabe5ef9aa31",
"type": "query",
"version": 104
"version": 105
},
"420e5bb4-93bf-40a3-8f4a-4cc1af90eca1": {
"min_stack_version": "8.8",
@@ -2421,9 +2449,9 @@
"47f76567-d58a-4fed-b32b-21f571e28910": {
"min_stack_version": "8.3",
"rule_name": "Apple Script Execution followed by Network Connection",
"sha256": "a59f49a0c0dd5d025e9c45e099c22c750b446326578357bac6d938f54780c991",
"sha256": "0707726336298da0eacdb012ecfd3d5a1d4db190cc8b010ea63e32319a591bd7",
"type": "eql",
"version": 104
"version": 105
},
"483c4daf-b0c6-49e0-adf3-0bfa93231d6b": {
"min_stack_version": "8.3",
@@ -2456,16 +2484,16 @@
"48d7f54d-c29e-4430-93a9-9db6b5892270": {
"min_stack_version": "8.3",
"rule_name": "Unexpected Child Process of macOS Screensaver Engine",
"sha256": "50e43811992464777ede6c447f47e0331e4022df0f013c9e69d644081c56d93a",
"sha256": "9a234c8cffcb67324557459f70bc5644b48f12b78ddc226765d69211e2034ced",
"type": "eql",
"version": 105
"version": 106
},
"48ec9452-e1fd-4513-a376-10a1a26d2c83": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Periodic Tasks",
"sha256": "124568f19d6974b48f94c4143a09f425889761f827bdf17b97618850fbf315ae",
"sha256": "3c035219a5681c2514f111063f313c5e3108fc0d98ca2ab089aa72eb6f519951",
"type": "query",
"version": 104
"version": 105
},
"48f657ee-de4f-477c-aa99-ed88ee7af97a": {
"min_stack_version": "8.3",
@@ -2614,9 +2642,9 @@
"4da13d6e-904f-4636-81d8-6ab14b4e6ae9": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Disable Gatekeeper",
"sha256": "2150ef27f2f7aa9e92efd14249439bdf38da42604f587b12651f9360dbe5512e",
"sha256": "8d66b86897c0f7e9f90e2ab46d46d6734db7e1fd64cdf5c5c9926e164ccef324",
"type": "query",
"version": 104
"version": 105
},
"4de76544-f0e5-486a-8f84-eae0b6063cdc": {
"min_stack_version": "8.3",
@@ -2676,6 +2704,13 @@
"type": "eql",
"version": 107
},
"50887ba8-7ff7-11ee-a038-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Users with the Same Device Token Hash",
"sha256": "0cabbcb4f30f4ce25d1efd6d385f10b02ca0ef7cc2d8bac313e45e83abdfa175",
"type": "threshold",
"version": 1
},
"51176ed2-2d90-49f2-9f3d-17196428b169": {
"min_stack_version": "8.3",
"rule_name": "Windows System Information Discovery",
@@ -2784,9 +2819,9 @@
"530178da-92ea-43ce-94c2-8877a826783d": {
"min_stack_version": "8.3",
"rule_name": "Suspicious CronTab Creation or Modification",
"sha256": "378735996cb788f18b470bb893059276f28497684fbee14dc8952ad9914f76da",
"sha256": "27807c0b1bbc5c951feb992b0d6326af2b457c21ea661e1cc745995c25745e21",
"type": "eql",
"version": 104
"version": 105
},
"53617418-17b4-4e9c-8a2c-8deb8086ca4b": {
"min_stack_version": "8.6",
@@ -2898,16 +2933,16 @@
"565c2b44-7a21-4818-955f-8d4737967d2e": {
"min_stack_version": "8.3",
"rule_name": "Potential Admin Group Account Addition",
"sha256": "5c52523f38fbd7d58ecbaae23c282b59df7964d107d8378355c7232d2c20abbd",
"sha256": "8bc8501a6ddd8f64743ca0b9449b6827723b051c90177dc1d95977ec71d638f3",
"type": "query",
"version": 104
"version": 105
},
"565d6ca5-75ba-4c82-9b13-add25353471c": {
"min_stack_version": "8.3",
"rule_name": "Dumping of Keychain Content via Security Command",
"sha256": "56cdf3c97b7ed30414d2fc5ed2cdb95c0779392ef7347954cf3f3e6be61600e7",
"sha256": "b61fe6deed081a783eadb490bf3de817c38a34b3369fb4393f17e1e058370e7d",
"type": "eql",
"version": 105
"version": 106
},
"5663b693-0dea-4f2e-8275-f1ae5ff2de8e": {
"min_stack_version": "8.3",
@@ -3063,9 +3098,9 @@
"5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc": {
"min_stack_version": "8.3",
"rule_name": "Remote SSH Login Enabled via systemsetup Command",
"sha256": "0f1d99638bad179a4fc6aa5eded3dd7c702cca3bb64d3391795079f2ec31258f",
"sha256": "0468696a45e242d7e3e71b093c8c41a2a2e0318d204b64572529c03774829201",
"type": "query",
"version": 104
"version": 105
},
"5aee924b-6ceb-4633-980e-1bde8cdb40c5": {
"min_stack_version": "8.3",
@@ -3184,9 +3219,9 @@
"5d0265bf-dea9-41a9-92ad-48a8dcd05080": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Login or Logout Hook",
"sha256": "5cd203eee04afdcba2fde9accdf21b565daaa0b4045828ae0000738b5bb25a43",
"sha256": "4b664dd5877d1ea41aa62988945b0551c37d895fe86546e544ee732f93985f78",
"type": "eql",
"version": 105
"version": 106
},
"5d1d6907-0747-4d5d-9b24-e4a18853dc0a": {
"min_stack_version": "8.3",
@@ -3198,9 +3233,9 @@
"5d9f8cfc-0d03-443e-a167-2b0597ce0965": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Automator Workflows Execution",
"sha256": "7c02503c215c5f50cc47a690a3caf0da786994efdfcfd87afa318aacea1154b2",
"sha256": "2f1b66054ac5bbc100d284a9f0ceda0c965b47881c9787c1945b8e466f298324",
"type": "eql",
"version": 104
"version": 105
},
"5e161522-2545-11ed-ac47-f661ea17fbce": {
"min_stack_version": "8.4",
@@ -3279,6 +3314,13 @@
"type": "eql",
"version": 109
},
"621e92b6-7e54-11ee-bdc0-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Sessions Detected for a Single User",
"sha256": "061bd86219770d199904efabae4bb62bbc5897cdef6b8d1e517cae8670d3398e",
"type": "threshold",
"version": 1
},
"622ecb68-fa81-4601-90b5-f8cd661e4520": {
"min_stack_version": "8.3",
"rule_name": "Incoming DCOM Lateral Movement via MSHTA",
@@ -3289,9 +3331,9 @@
"62a70f6f-3c37-43df-a556-f64fa475fba2": {
"min_stack_version": "8.3",
"rule_name": "Account Configured with Never-Expiring Password",
"sha256": "4878a18822a0f4ab3c6536a39b0055899b9fa296cc1629aa3d8a99d767235d30",
"sha256": "bff6971b2108d22178fe7e1ba59610ea438646b4c81a203c7c85e90f0b42b640",
"type": "query",
"version": 107
"version": 108
},
"62b68eb2-1e47-4da7-85b6-8f478db5b272": {
"min_stack_version": "8.3",
@@ -3338,9 +3380,9 @@
"6482255d-f468-45ea-a5b3-d3a7de1331ae": {
"min_stack_version": "8.3",
"rule_name": "Modification of Safari Settings via Defaults Command",
"sha256": "9f94576d0bdd988636ba37fb9ff9911924d47880457e60f8a281664394a503bd",
"sha256": "df8fdd419ba042425bba4c2b32c414ac9dc05e1980edd08bc04fc4e8d18ead19",
"type": "query",
"version": 104
"version": 105
},
"64cfca9e-0f6f-4048-8251-9ec56a055e9e": {
"min_stack_version": "8.3",
@@ -3374,9 +3416,9 @@
"661545b4-1a90-4f45-85ce-2ebd7c6a15d0": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Mount SMB Share via Command Line",
"sha256": "4b0aa397b2a5a31b54907a49393ecd97e46a33ceedcd629218f8f7175ccb86b4",
"sha256": "d6221b6ee2915a7b34ad8447f034179710da43b944bec0968235b097e3823ad1",
"type": "eql",
"version": 105
"version": 106
},
"6641a5af-fb7e-487a-adc4-9e6503365318": {
"min_stack_version": "8.5",
@@ -3416,9 +3458,9 @@
"66da12b1-ac83-40eb-814c-07ed1d82b7b9": {
"min_stack_version": "8.3",
"rule_name": "Suspicious macOS MS Office Child Process",
"sha256": "f1cea9ea6da3199934e1644e4efa06da30f02a8e11d48724001e6152a64ad6ce",
"sha256": "de9510393c24ff3e139c05854ab2ae53078fd1a040209a8d32e2a781b4429df5",
"type": "eql",
"version": 104
"version": 105
},
"670b3b5a-35e5-42db-bd36-6c5b9b4b7313": {
"min_stack_version": "8.3",
@@ -3719,9 +3761,9 @@
"6e9b351e-a531-4bdc-b73e-7034d6eed7ff": {
"min_stack_version": "8.3",
"rule_name": "Enumeration of Users or Groups via Built-in Commands",
"sha256": "4bcdfcf964b59e07e704d0ae1768231f6895fdeaf16019ec2530b3fd1e908b6a",
"sha256": "470df0c6e17a6b76b3d5dfe11b58055120699d9a00c0cfbb61259400adbc757a",
"type": "eql",
"version": 105
"version": 106
},
"6ea41894-66c3-4df7-ad6b-2c5074eb3df8": {
"min_stack_version": "8.3",
@@ -3756,6 +3798,13 @@
"type": "query",
"version": 100
},
"6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "First Occurrence of Okta User Session Started via Proxy",
"sha256": "4a61b8effbf32d622b658833f4b222d18ac656a1cddd5bf60629bebf6292ec7f",
"type": "new_terms",
"version": 1
},
"6f435062-b7fc-4af9-acea-5b1ead65c5a5": {
"min_stack_version": "8.4",
"previous": {
@@ -3827,9 +3876,9 @@
"70fa1af4-27fd-4f26-bd03-50b6af6b9e24": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Unload Elastic Endpoint Security Kernel Extension",
"sha256": "ae6e77c0abc663eb2873c37d6321d6ae8da6355d89e5ebb728b742b16d2d14fb",
"sha256": "72795d027c2e5d95512a10ba9093cc08010fd8b0ca59bb63a4d890ebb975b67c",
"type": "query",
"version": 104
"version": 105
},
"7164081a-3930-11ed-a261-0242ac120002": {
"min_stack_version": "8.4",
@@ -3914,9 +3963,9 @@
"7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1": {
"min_stack_version": "8.3",
"rule_name": "Modification of Environment Variable via Launchctl",
"sha256": "face2669be6ce58d7dc8b07bc4b200577cdf0bd21facb3d5266facb5df28a6dc",
"sha256": "3db7bef640680a74100f7cb2389b8fa17b1bafa853c727820f3049d568ba79bf",
"type": "query",
"version": 104
"version": 105
},
"745b0119-0560-43ba-860a-7235dd8cee8d": {
"min_stack_version": "8.3",
@@ -4343,9 +4392,9 @@
"827f8d8f-4117-4ae4-b551-f56d54b9da6b": {
"min_stack_version": "8.3",
"rule_name": "Apple Scripting Execution with Administrator Privileges",
"sha256": "9674dc1bd6cc5c17c8038a4e71b92f2737ef72aa1601bbf05b06fe0d5fb2136e",
"sha256": "f9e2397c95b2c307f8a7ed2bf1151fe7306a38ee6b45dce9ef9531b8e455486f",
"type": "eql",
"version": 105
"version": 106
},
"835c0622-114e-40b5-a346-f843ea5d01f1": {
"min_stack_version": "8.3",
@@ -4519,9 +4568,9 @@
"88817a33-60d3-411f-ba79-7c905d865b2a": {
"min_stack_version": "8.3",
"rule_name": "Sublime Plugin or Application Script Modification",
"sha256": "2440310a8c23cbde04e7ac92d579c678d852f3426d6349638199d49af0a46c85",
"sha256": "5c0fc7dd81e04f3fbd1c5c472f0bd727ad065924ec0d714e5bc13c4b6b3e45ff",
"type": "eql",
"version": 105
"version": 106
},
"88fdcb8c-60e5-46ee-9206-2663adf1b1ce": {
"min_stack_version": "8.6",
@@ -4569,9 +4618,9 @@
"89fa6cb7-6b53-4de2-b604-648488841ab8": {
"min_stack_version": "8.3",
"rule_name": "Persistence via DirectoryService Plugin Modification",
"sha256": "456c1af4f588c9d3fc039ba183fe378b0d32a8920c785254b0550fdd4329374b",
"sha256": "abc0977e48e577f93d91ddb156280eb131accdb697133ac9f8e895d66e7ead14",
"type": "query",
"version": 104
"version": 105
},
"8a024633-c444-45c0-a4fe-78128d8c1ab6": {
"min_stack_version": "8.3",
@@ -4580,6 +4629,13 @@
"type": "eql",
"version": 4
},
"8a0fbd26-867f-11ee-947c-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Potential Okta MFA Bombing via Push Notifications",
"sha256": "3f33c3e7817f1f2970238c916629c2827ae0b7b46a7c0152797aba33b835fa4b",
"type": "eql",
"version": 1
},
"8a1b0278-0f9a-487d-96bd-d4833298e87a": {
"min_stack_version": "8.3",
"rule_name": "Setuid / Setgid Bit Set via chmod",
@@ -4784,9 +4840,9 @@
"9092cd6c-650f-4fa3-8a8a-28256c7489c9": {
"min_stack_version": "8.3",
"rule_name": "Keychain Password Retrieval via Command Line",
"sha256": "5fd3c8920f816415b48c716e7a2374f0fd76b507f2f5d3669969829ede88cb01",
"sha256": "7ff71544a593f40e8c7261a058bd9edd9c796f925043bb8c917fbdfab7137f94",
"type": "eql",
"version": 105
"version": 106
},
"90babaa8-5216-4568-992d-d4a01a105d98": {
"min_stack_version": "8.3",
@@ -5037,9 +5093,9 @@
"96e90768-c3b7-4df6-b5d9-6237f8bc36a8": {
"min_stack_version": "8.3",
"rule_name": "Access to Keychain Credentials Directories",
"sha256": "fe23aa5928440dd067c2f16b8a796d46a7480c4f130d91319cfcba852fce1f0d",
"sha256": "360631a00947fd49eec1f1e5ec2234141c5e18b5d345f84d59ffdbfcf8022c22",
"type": "eql",
"version": 105
"version": 106
},
"97020e61-e591-4191-8a3b-2861a2b887cd": {
"min_stack_version": "8.3",
@@ -5089,10 +5145,10 @@
"version": 107
}
},
"rule_name": "Potential Abuse of Repeated MFA Push Notifications",
"sha256": "77d0337a5eb54baa93eb1e573ddab7f5e356ad4892d6cf02c74ce6562afd8d2d",
"rule_name": "Potentially Successful MFA Bombing via Push Notifications",
"sha256": "9671afcc66dbc58a275066f23ee0484f9b8819dbeccdde28660354c790ae9387",
"type": "eql",
"version": 207
"version": 208
},
"97aba1ef-6034-4bd3-8c1a-1e0996b27afa": {
"min_stack_version": "8.3",
@@ -5181,9 +5237,9 @@
"99239e7d-b0d4-46e3-8609-acafcf99f68c": {
"min_stack_version": "8.3",
"rule_name": "MacOS Installer Package Spawns Network Event",
"sha256": "40258127ac6373780bfd25be362342b142324a166319243b55a747b477db70b0",
"sha256": "3716f7ea4026fc8bb71aa2f326ddd6b6d1d47e6e120cf8b992ebdc2dd76ebb95",
"type": "eql",
"version": 104
"version": 105
},
"994e40aa-8c85-43de-825e-15f665375ee8": {
"min_stack_version": "8.9",
@@ -5379,9 +5435,9 @@
"9d19ece6-c20e-481a-90c5-ccca596537de": {
"min_stack_version": "8.3",
"rule_name": "LaunchDaemon Creation or Modification and Immediate Loading",
"sha256": "362420c35e0dec946d828d9efe8a1dd0e2313dec67f9a9b0f2c27f8361fffe58",
"sha256": "a96af71832577dd58427030d8213653dc4e553bed0e3edf06ad87c56ceef6c49",
"type": "eql",
"version": 104
"version": 105
},
"9d302377-d226-4e12-b54c-1906b5aec4f6": {
"min_stack_version": "8.3",
@@ -5631,9 +5687,9 @@
"a6bf4dd4-743e-4da8-8c03-3ebd753a6c90": {
"min_stack_version": "8.3",
"rule_name": "Emond Rules Creation or Modification",
"sha256": "5059d25e53e20ecda5bd0bddff5f19aa0c90190e3c58cf6926c946c26f701839",
"sha256": "9c88642e11a43c139d78492404690649488e23d89b508c7de31e65e235630a25",
"type": "eql",
"version": 105
"version": 106
},
"a74c60cb-70ee-4629-a127-608ead14ebf1": {
"min_stack_version": "8.9",
@@ -5751,9 +5807,9 @@
"ab75c24b-2502-43a0-bf7c-e60e662c811e": {
"min_stack_version": "8.3",
"rule_name": "Remote Execution via File Shares",
"sha256": "9960496bb3be4ae85c905a65d9967cce3c87c957c5b9c0a36e7940676dc24fac",
"sha256": "d0dd83e403bca3f7f3d1950d5015f30d849b5fcd9227445946baf01306304def",
"type": "eql",
"version": 108
"version": 109
},
"abae61a8-c560-4dbd-acca-1e1438bff36b": {
"min_stack_version": "8.3",
@@ -5765,16 +5821,16 @@
"ac412404-57a5-476f-858f-4e8fbb4f48d8": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Login Hook",
"sha256": "742e178d21a4f38dbde0ceff9f3c75a33a79e70080f971e3fc63e644283c1f24",
"sha256": "5431b29441b0311ce85f05817f1b65afc8e1440be98c43efc808531aceb55b40",
"type": "query",
"version": 105
"version": 106
},
"ac5012b8-8da8-440b-aaaf-aedafdea2dff": {
"min_stack_version": "8.3",
"rule_name": "Suspicious WerFault Child Process",
"sha256": "6fc6cae28ebf0c75451af175b21022b2c33ceb781032192f90c20d91bd0ad2a8",
"sha256": "6db650fd26dc358bff1969f2dddd549f4725e7cb9e13c6037613103125d67d05",
"type": "eql",
"version": 109
"version": 110
},
"ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1": {
"min_stack_version": "8.9",
@@ -5832,16 +5888,16 @@
"ace1e989-a541-44df-93a8-a8b0591b63c0": {
"min_stack_version": "8.3",
"rule_name": "Potential macOS SSH Brute Force Detected",
"sha256": "6d6c36df74a3227db9ddfe242e6d7e4598aa4536c80338756b9774499deb5d46",
"sha256": "717b98ebd28d44eb41e239b4c1fce9a077b804fb2fa74887e44db8abf8a9d984",
"type": "threshold",
"version": 105
"version": 106
},
"acf738b5-b5b2-4acc-bad9-1e18ee234f40": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Managed Code Hosting Process",
"sha256": "f9f3abc0bcdf5a397a26aac862f259f0a5b8a25feded07e85dcb9a308c799f23",
"sha256": "7a665dd484eabb4ea95433a9fc76aa6c2f6a5e88e3bf2aa3586eb8624521f396",
"type": "eql",
"version": 105
"version": 106
},
"ad0d2742-9a49-11ec-8d6b-acde48001122": {
"min_stack_version": "8.3",
@@ -5882,9 +5938,9 @@
"ad88231f-e2ab-491c-8fc6-64746da26cfe": {
"min_stack_version": "8.3",
"rule_name": "Kerberos Cached Credentials Dumping",
"sha256": "1784ba8b2bf2310de8bfc0fb1eb058a96c9ef25ba4a1e78a8e271a61f856f675",
"sha256": "a1d0802a3a49d1a2c58175fb38e49b393c12892b0263bc10245b307ccec0d964",
"type": "query",
"version": 104
"version": 105
},
"adb961e0-cb74-42a0-af9e-29fc41f88f5f": {
"min_stack_version": "8.3",
@@ -5952,9 +6008,9 @@
"b00bcd89-000c-4425-b94c-716ef67762f6": {
"min_stack_version": "8.3",
"rule_name": "TCC Bypass via Mounted APFS Snapshot Access",
"sha256": "fe6380b09c3b3d38b09818076fb3ef3d0693c968fe9ce5547c4a82196782f931",
"sha256": "b919ec7747f8bf3d3a989dbb2894552ecf9eee7139899e68b404a3802c120c3d",
"type": "query",
"version": 104
"version": 105
},
"b0638186-4f12-48ac-83d2-47e686d08e82": {
"min_stack_version": "8.3",
@@ -5986,9 +6042,9 @@
"b25a7df2-120a-4db2-bd3f-3e4b86b24bee": {
"min_stack_version": "8.3",
"rule_name": "Remote File Copy via TeamViewer",
"sha256": "5140f51472bb51e246f8a5076ee0138186c0db463f337c8cbc044bbede59a6bb",
"sha256": "e726cfbb1046391cb001954a90288d5b3222d8379b5ae13d58b6e6bc20aec033",
"type": "eql",
"version": 108
"version": 109
},
"b2951150-658f-4a60-832f-a00d1e6c6745": {
"min_stack_version": "8.3",
@@ -6028,9 +6084,9 @@
"b4449455-f986-4b5a-82ed-e36b129331f7": {
"min_stack_version": "8.3",
"rule_name": "Potential Persistence via Atom Init Script Modification",
"sha256": "46fcd9e76f08b0cd3308e57b64244a9bec5ce01b30e491015a20e1fd53e3de2a",
"sha256": "c663140ba0d75027a34b394dec5c86633102e0f2514050f99e1d706c97cb9b8e",
"type": "query",
"version": 104
"version": 105
},
"b45ab1d2-712f-4f01-a751-df3826969807": {
"min_stack_version": "8.9",
@@ -6313,9 +6369,9 @@
"bc1eeacf-2972-434f-b782-3a532b100d67": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Install Root Certificate",
"sha256": "2ec38edc30ee4c822372bf3a9e2f00ebdead1b16f135cbf5fbb1c657fbf41c9d",
"sha256": "7f461bbff1e8be89e57d400d6e907b6697dbc783dae396c6d6ee0ce3efd419f1",
"type": "query",
"version": 104
"version": 105
},
"bc48bba7-4a23-4232-b551-eca3ca1e3f20": {
"min_stack_version": "8.3",
@@ -6448,9 +6504,9 @@
"c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d": {
"min_stack_version": "8.3",
"rule_name": "Potential Privacy Control Bypass via Localhost Secure Copy",
"sha256": "0afe2d906b4e49920bacb79b64404fb8d2ad10c938ab6066d1775c4498d2c1a1",
"sha256": "2c9b4244cb4994ff559dfc5ff89df8400a366e4faadd5f8900810fa90b30281e",
"type": "eql",
"version": 105
"version": 106
},
"c0429aa8-9974-42da-bfb6-53a0a515a145": {
"min_stack_version": "8.3",
@@ -6529,9 +6585,9 @@
"c292fa52-4115-408a-b897-e14f684b3cb7": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Folder Action Script",
"sha256": "07321ea58e3520857e64122ab09803a1fc574e94988a20508aea507982b84a06",
"sha256": "bb9fad0b65e7bc241670ef85a6bc8750f4bcc92e98888e091f2ca9b30d833ce8",
"type": "eql",
"version": 104
"version": 105
},
"c2d90150-0133-451c-a783-533e736c12d7": {
"min_stack_version": "8.3",
@@ -6723,9 +6779,9 @@
"c81cefcb-82b9-4408-a533-3c3df549e62d": {
"min_stack_version": "8.3",
"rule_name": "Persistence via Docker Shortcut Modification",
"sha256": "aa52a0c9a38018a7a9d08eff12060ae5763f3672ab6f68acbc3a41dc323c4720",
"sha256": "4c1848771275a47db363a85fd08d70afa61b85baaca4651d4c823c0accc02d6d",
"type": "query",
"version": 104
"version": 105
},
"c82b2bd8-d701-420c-ba43-f11a155b681a": {
"min_stack_version": "8.3",
@@ -6851,9 +6907,9 @@
"cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Calendar File Modification",
"sha256": "0efc16177bd032307d27579913e6c57c8d1d44ed1f5df38407ead5bbbe045dd8",
"sha256": "4020e8d93c52fc49bce77c661a1566c03732a2a74906ceec9c5371f6f0fdecef",
"type": "query",
"version": 104
"version": 105
},
"cc16f774-59f9-462d-8b98-d27ccd4519ec": {
"rule_name": "Process Discovery via Tasklist",
@@ -6864,9 +6920,16 @@
"cc2fd2d0-ba3a-4939-b87f-2901764ed036": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Enable the Root Account",
"sha256": "08bf09dc443eb0fb41c941a0a47f67b866253111c50d852fec72b81e5cdea100",
"sha256": "859a1abd493744516a89a3da4036d0f389decd9a8f56ee51a41b0f3bd7d335bd",
"type": "query",
"version": 104
"version": 105
},
"cc382a2e-7e52-11ee-9aac-f661ea17fbcd": {
"min_stack_version": "8.10",
"rule_name": "Multiple Okta Client Addresses for a Single User Session",
"sha256": "95e6787fdbd7768c2066b060596b45e20e11a64d5e238abe96679290fbbf2469",
"type": "threshold",
"version": 1
},
"cc653d77-ddd2-45b1-9197-c75ad19df66c": {
"min_stack_version": "8.9",
@@ -7112,9 +7175,9 @@
"d22a85c6-d2ad-4cc4-bf7b-54787473669a": {
"min_stack_version": "8.3",
"rule_name": "Potential Microsoft Office Sandbox Evasion",
"sha256": "688898fbfb57e6d44d1f755be87e439516aa1a084dd4adbaa97b65bf8eb86995",
"sha256": "89e780b8ad04e619a91f21797ef0ad455995889221fac37ccd693f8a9be88e1c",
"type": "query",
"version": 104
"version": 105
},
"d31f183a-e5b1-451b-8534-ba62bca0b404": {
"min_stack_version": "8.3",
@@ -7147,9 +7210,9 @@
"d461fac0-43e8-49e2-85ea-3a58fe120b4f": {
"min_stack_version": "8.3",
"rule_name": "Shell Execution via Apple Scripting",
"sha256": "6f6e3def0588b1a03d12a0293b5bbd9c1d0090fe90097786f9d7a4b13c95f02e",
"sha256": "692c64fb60537e8d2920f5feaa3ed8a0bbb120fa138fee7526e2698ed2895421",
"type": "eql",
"version": 104
"version": 105
},
"d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": {
"min_stack_version": "8.10",
@@ -7299,9 +7362,9 @@
"d75991f2-b989-419d-b797-ac1e54ec2d61": {
"min_stack_version": "8.3",
"rule_name": "SystemKey Access via Command Line",
"sha256": "9d6616ef8767f89e243b80ec3f320bdd3c8e6a46acc445fd040ae92aaf3e9c12",
"sha256": "f758f68cb5c44f5582fdf29f91b5ede95c7b692861a950921ce02561e9bddb48",
"type": "query",
"version": 104
"version": 105
},
"d76b02ef-fc95-4001-9297-01cb7412232f": {
"min_stack_version": "8.3",
@@ -7787,6 +7850,13 @@
"type": "eql",
"version": 108
},
"e468f3f6-7c4c-45bb-846a-053738b3fe5d": {
"min_stack_version": "8.4",
"rule_name": "First Time Seen NewCredentials Logon Process",
"sha256": "856cdc898f8b290d5ebe5bfffde4ce85f483f62eb7e0158a0f9e35f6e8dc2afd",
"type": "new_terms",
"version": 1
},
"e48236ca-b67a-4b4e-840c-fdc7782bc0c3": {
"min_stack_version": "8.10",
"previous": {
@@ -7849,9 +7919,9 @@
"e6c98d38-633d-4b3e-9387-42112cd5ac10": {
"min_stack_version": "8.3",
"rule_name": "Authorization Plugin Modification",
"sha256": "588ebf1bdd990fd6153d745e01de7aa329e4b9ad1cf727e6c6ae340a7691e07f",
"sha256": "0e60f668e5a539600f5060b2537b7bda7cd79b13c441946455056b809cb95563",
"type": "query",
"version": 104
"version": 105
},
"e6e3ecff-03dd-48ec-acbd-54a04de10c68": {
"min_stack_version": "8.10",
@@ -7872,9 +7942,9 @@
"e6e8912f-283f-4d0d-8442-e0dcaf49944b": {
"min_stack_version": "8.3",
"rule_name": "Screensaver Plist File Modified by Unexpected Process",
"sha256": "1732013a4ba605cabe48c7b619ab0091ebe06309b90dd143c75a2212213833bf",
"sha256": "7180375170c573c1ff2a7287cba28879a2150c8796bb81c12556a08394e87e8f",
"type": "eql",
"version": 105
"version": 106
},
"e7075e8d-a966-458e-a183-85cd331af255": {
"min_stack_version": "8.3",
@@ -8226,6 +8296,13 @@
"type": "eql",
"version": 3
},
"ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": {
"min_stack_version": "8.3",
"rule_name": "Okta FastPass Phishing Detection",
"sha256": "8270e1a274c3fc9549fd1c6e7a45f05f1bffa07a9b5f4f416074649a7a48b303",
"type": "query",
"version": 2
},
"ee5300a7-7e31-4a72-a258-250abb8b3aa1": {
"min_stack_version": "8.3",
"rule_name": "Unusual Print Spooler Child Process",
@@ -8249,9 +8326,9 @@
"eea82229-b002-470e-a9e1-00be38b14d32": {
"min_stack_version": "8.3",
"rule_name": "Potential Privacy Control Bypass via TCCDB Modification",
"sha256": "9893771c796bd09dcc8f046fd8356942e6cdc5159da8de8a23d418df3220c216",
"sha256": "26d4865a30d6490602a379d7abcba4e5aa0095e306e662d489bb63f80cb57bc9",
"type": "eql",
"version": 105
"version": 106
},
"ef04a476-07ec-48fc-8f3d-5e1742de76d3": {
"min_stack_version": "8.3",
@@ -8314,9 +8391,9 @@
"f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7": {
"min_stack_version": "8.3",
"rule_name": "Attempt to Remove File Quarantine Attribute",
"sha256": "d7bdcd2de9485c0496e83b118d9a4206a6bb8b4d6a4708797dc89b42403f753a",
"sha256": "692fa40e6bf4142e039d77a8009d3ffaf73cb02fb0bad253f89a7791b27bb286",
"type": "eql",
"version": 105
"version": 106
},
"f0bc081a-2346-4744-a6a4-81514817e888": {
"min_stack_version": "8.3",
@@ -8328,9 +8405,9 @@
"f0eb70e9-71e9-40cd-813f-bf8e8c812cb1": {
"min_stack_version": "8.3",
"rule_name": "Execution with Explicit Credentials via Scripting",
"sha256": "1757d1031c5a71bf9d138675ce1ff87d27789dbda0f8da8764846ec8e42433f4",
"sha256": "86c5bd201fcce02f843be59ad5577b453feab265fb5ace94414dfd794f1083c5",
"type": "query",
"version": 104
"version": 105
},
"f16fca20-4d6c-43f9-aec1-20b6de3b0aeb": {
"min_stack_version": "8.3",
@@ -8356,9 +8433,9 @@
"f24bcae1-8980-4b30-b5dd-f851b055c9e7": {
"min_stack_version": "8.3",
"rule_name": "Creation of Hidden Login Item via Apple Script",
"sha256": "e9d5cd6f343029ce8db6fae1ac69791d81d0079795f15c27d2b04cae4d5692b5",
"sha256": "6fb54f1660018d11515f2fbdb198da3ff179bd8c841c93cccdb1fc2e681d5f7e",
"type": "eql",
"version": 106
"version": 107
},
"f28e2be4-6eca-4349-bdd9-381573730c22": {
"min_stack_version": "8.3",
@@ -8539,9 +8616,9 @@
"f683dcdf-a018-4801-b066-193d4ae6c8e5": {
"min_stack_version": "8.3",
"rule_name": "SoftwareUpdate Preferences Modification",
"sha256": "244211398fba0bab7dda8256bd3c850b4d50809a75b98d4a729d349b94fee478",
"sha256": "fb87b9eb3ce642106368e9900a834940914053f852b8fb77bc5c68cc937f3312",
"type": "query",
"version": 104
"version": 105
},
"f75f65cf-ed04-48df-a7ff-b02a8bfe636e": {
"min_stack_version": "8.3",
@@ -8597,9 +8674,9 @@
"f85ce03f-d8a8-4c83-acdc-5c8cd0592be7": {
"min_stack_version": "8.3",
"rule_name": "Suspicious Child Process of Adobe Acrobat Reader Update Service",
"sha256": "a2f610710f7b33470a65808c34fbd182dcd0512ec2a9678a18b05f5f24343378",
"sha256": "f27060c1e1635cedb3d4db1d8bb5ddabdf1ffa478643e158e4847d1405cac3ca",
"type": "query",
"version": 104
"version": 105
},
"f874315d-5188-4b4a-8521-d1c73093a7e4": {
"min_stack_version": "8.3",
detection_rules/integrations.py
+3 -2
View File
@@ -292,7 +292,7 @@ def get_integration_schema_data(data, meta, package_integrations: dict) -> Gener
# lazy import to avoid circular import
from .rule import ( # pylint: disable=import-outside-toplevel
QueryRuleData, RuleMeta)
ESQLRuleData, QueryRuleData, RuleMeta)
data: QueryRuleData = data
meta: RuleMeta = meta
@@ -301,7 +301,8 @@ def get_integration_schema_data(data, meta, package_integrations: dict) -> Gener
integrations_schemas = load_integrations_schemas()
# validate the query against related integration fields
if isinstance(data, QueryRuleData) and data.language != 'lucene' and meta.maturity == "production":
if (isinstance(data, QueryRuleData) or isinstance(data, ESQLRuleData)) \
and data.language != 'lucene' and meta.maturity == "production":
# flag to only warn once per integration for available upgrades
notify_update_available = True
detection_rules/rule.py
+25 -7
View File
@@ -569,6 +569,8 @@ class QueryRuleData(BaseRuleData):
return KQLValidator(self.query)
elif self.language == "eql":
return EQLValidator(self.query)
elif self.language == "esql":
return ESQLValidator(self.query)
def validate_query(self, meta: RuleMeta) -> None:
validator = self.validator
@@ -602,6 +604,21 @@ class QueryRuleData(BaseRuleData):
raise ValidationError("Alert suppression is only valid for query rule type.")
@dataclass(frozen=True)
class ESQLRuleData(BaseRuleData):
"""ESQL rules are a special case of query rules."""
type: Literal["esql"]
language: Literal["esql"]
query: str
@cached_property
def validator(self) -> Optional[QueryValidator]:
return ESQLValidator(self.query)
def validate_query(self, meta: RuleMeta) -> None:
return self.validator.validate(self, meta)
@dataclass(frozen=True)
class MachineLearningRuleData(BaseRuleData):
type: Literal["machine_learning"]
@@ -760,7 +777,7 @@ class ThreatMatchRuleData(QueryRuleData):
# All of the possible rule types
# Sort inverse of any inheritance - see comment in TOMLRuleContents.to_dict
AnyRuleData = Union[EQLRuleData, ThresholdQueryRuleData, ThreatMatchRuleData,
AnyRuleData = Union[EQLRuleData, ESQLRuleData, ThresholdQueryRuleData, ThreatMatchRuleData,
MachineLearningRuleData, QueryRuleData, NewTermsRuleData]
@@ -1084,11 +1101,12 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin):
packaged_integrations = []
datasets = set()
for node in data.get('ast', []):
if isinstance(node, eql.ast.Comparison) and str(node.left) == 'event.dataset':
datasets.update(set(n.value for n in node if isinstance(n, eql.ast.Literal)))
elif isinstance(node, FieldComparison) and str(node.field) == 'event.dataset':
datasets.update(set(str(n) for n in node if isinstance(n, kql.ast.Value)))
if data.type != "esql":
for node in data.get('ast', []):
if isinstance(node, eql.ast.Comparison) and str(node.left) == 'event.dataset':
datasets.update(set(n.value for n in node if isinstance(n, eql.ast.Literal)))
elif isinstance(node, FieldComparison) and str(node.field) == 'event.dataset':
datasets.update(set(str(n) for n in node if isinstance(n, kql.ast.Value)))
# integration is None to remove duplicate references upstream in Kibana
# chronologically, event.dataset is checked for package:integration, then rule tags
@@ -1333,4 +1351,4 @@ def get_unique_query_fields(rule: TOMLRule) -> List[str]:
# avoid a circular import
from .rule_validators import EQLValidator, KQLValidator # noqa: E402
from .rule_validators import EQLValidator, ESQLValidator, KQLValidator # noqa: E402
detection_rules/rule_validators.py
+20
View File
@@ -346,6 +346,26 @@ class EQLValidator(QueryValidator):
return [], False
class ESQLValidator(QueryValidator):
"""Validate specific fields for ESQL query event types."""
@cached_property
def ast(self):
"""Return an AST."""
return None
@cached_property
def unique_fields(self) -> List[str]:
"""Return a list of unique fields in the query."""
# return empty list for ES|QL rules until ast is available
return []
def validate(self, data: 'QueryRuleData', meta: RuleMeta) -> None:
"""Validate an ESQL query while checking TOMLRule."""
print("Warning: ESQL queries are not validated at this time.")
return None
def extract_error_field(exc: Union[eql.EqlParseError, kql.KqlParseError]) -> Optional[str]:
"""Extract the field name from an EQL or KQL parse error."""
lines = exc.source.splitlines()
detection_rules/schemas/definitions.py
+3 -2
View File
@@ -123,6 +123,7 @@ EXPECTED_RULE_TAGS = [
'Use Case: Log Auditing',
'Use Case: Network Security Monitoring',
'Use Case: Threat Detection',
'Use Case: UEBA',
'Use Case: Vulnerability'
]
@@ -137,7 +138,7 @@ CardinalityFields = NewType('CardinalityFields', List[NonEmptyStr], validate=val
CodeString = NewType("CodeString", str)
ConditionSemVer = NewType('ConditionSemVer', str, validate=validate.Regexp(CONDITION_VERSION_PATTERN))
Date = NewType('Date', str, validate=validate.Regexp(DATE_PATTERN))
FilterLanguages = Literal["kuery", "lucene"]
FilterLanguages = Literal["kuery", "lucene", "eql", "esql"]
Interval = NewType('Interval', str, validate=validate.Regexp(INTERVAL_PATTERN))
Markdown = NewType("MarkdownField", CodeString)
Maturity = Literal['development', 'experimental', 'beta', 'production', 'deprecated']
@@ -148,7 +149,7 @@ OSType = Literal['windows', 'linux', 'macos']
PositiveInteger = NewType('PositiveInteger', int, validate=validate.Range(min=1))
RiskScore = NewType("MaxSignals", int, validate=validate.Range(min=1, max=100))
RuleName = NewType('RuleName', str, validate=validate.Regexp(NAME_PATTERN))
RuleType = Literal['query', 'machine_learning', 'eql', 'threshold', 'threat_match', 'new_terms']
RuleType = Literal['query', 'saved_query', 'machine_learning', 'eql', 'esql', 'threshold', 'threat_match', 'new_terms']
SemVer = NewType('SemVer', str, validate=validate.Regexp(VERSION_PATTERN))
SemVerMinorOnly = NewType('SemVerFullStrict', str, validate=validate.Regexp(MINOR_SEMVER))
Severity = Literal['low', 'medium', 'high', 'critical']
rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
+95
View File
@@ -0,0 +1,95 @@
[metadata]
creation_date = "2023/11/18"
integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/11/27"
[rule]
author = ["Elastic"]
description = """
Detects when an attacker abuses the Multi-Factor authentication mechanism by repeatedly issuing login requests until the
user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured
for an organization to obtain unauthorized access.
"""
event_category_override = "event.category"
index = ["filebeat-*", "logs-okta*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Okta MFA Bombing via Push Notifications"
note = """## Triage and analysis
### Investigating Potential Okta MFA Bombing via Push Notifications
Multi-Factor Authentication (MFA) is an effective method to prevent unauthorized access. However, some adversaries may abuse the system by repeatedly sending MFA push notifications until the user unwittingly approves the access.
This rule detects when a user denies MFA Okta Verify push notifications twice, followed by a successful authentication event within a 10-minute window. This sequence could indicate an adversary's attempt to bypass the Okta MFA policy.
#### Possible investigation steps:
- Identify the user who received the MFA notifications by reviewing the `user.email` field.
- Identify the time, source IP, and geographical location of the MFA requests and the subsequent successful login.
- Review the `event.action` field to understand the nature of the events. It should include two `user.mfa.okta_verify.deny_push` actions and one `user.authentication.sso` action.
- Ask the user if they remember receiving the MFA notifications and subsequently logging into their account.
- Check if the MFA requests and the successful login occurred during the user's regular activity hours.
- Look for any other suspicious activity on the account around the same time.
- Identify whether the same pattern is repeated for other users in your organization. Multiple users receiving push notifications simultaneously might indicate a larger attack.
### False positive analysis:
- Determine if the MFA push notifications were legitimate. Sometimes, users accidentally trigger MFA requests or deny them unintentionally and later approve them.
- Check if there are known issues with the MFA system causing false denials.
### Response and remediation:
- If unauthorized access is confirmed, initiate your incident response process.
- Alert the user and your IT department immediately.
- If possible, isolate the user's account until the issue is resolved.
- Investigate the source of the unauthorized access.
- If the account was accessed by an unauthorized party, determine the actions they took after logging in.
- Consider enhancing your MFA policy to prevent such incidents in the future.
- Encourage users to report any unexpected MFA notifications immediately.
- Review and update your incident response plans and security policies based on the findings from the incident.
"""
references = [
"https://www.mandiant.com/resources/russian-targeting-gov-business",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/",
]
risk_score = 73
rule_id = "8a0fbd26-867f-11ee-947c-f661ea17fbcd"
setup = """
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
severity = "high"
tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta"]
type = "eql"
query = '''
sequence by okta.actor.id with maxspan=10m
[authentication where event.dataset == "okta.system"
and okta.event_type == "user.mfa.okta_verify.deny_push"] with runs=5
until [authentication where event.dataset == "okta.system"
and (okta.event_type: (
"user.authentication.sso",
"user.authentication.auth_via_mfa",
"user.authentication.verify",
"user.session.start") and okta.outcome.result == "SUCCESS")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1621"
name = "Multi-Factor Authentication Request Generation"
reference = "https://attack.mitre.org/techniques/T1621/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
rules/integrations/okta/credential_access_mfa_push_brute_force.toml → rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
+17 -9
View File
@@ -4,7 +4,7 @@ integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/10/24"
updated_date = "2023/11/27"
[rule]
author = ["Elastic"]
@@ -13,10 +13,11 @@ Detects when an attacker abuses the Multi-Factor authentication mechanism by rep
user eventually accepts the Okta push notification. An adversary may attempt to bypass the Okta MFA policies configured
for an organization to obtain unauthorized access.
"""
event_category_override = "event.category"
index = ["filebeat-*", "logs-okta*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Abuse of Repeated MFA Push Notifications"
name = "Potentially Successful MFA Bombing via Push Notifications"
note = """## Triage and analysis
### Investigating Potential Abuse of Repeated MFA Push Notifications
@@ -57,6 +58,8 @@ The Okta Fleet integration, Filebeat module, or similarly structured data is req
references = [
"https://www.mandiant.com/resources/russian-targeting-gov-business",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/",
]
risk_score = 73
rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
@@ -65,19 +68,24 @@ tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Dat
type = "eql"
query = '''
sequence by user.email with maxspan=10m
[any where event.dataset == "okta.system" and event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"]
[any where event.dataset == "okta.system" and event.module == "okta" and event.action == "user.mfa.okta_verify.deny_push"]
[any where event.dataset == "okta.system" and event.module == "okta" and event.action == "user.authentication.sso"]
sequence by okta.actor.id with maxspan=10m
[authentication where event.dataset == "okta.system" and event.module == "okta"
and event.action == "user.mfa.okta_verify.deny_push"] with runs=3
[authentication where event.dataset == "okta.system" and event.module == "okta"
and (event.action : (
"user.authentication.sso",
"user.authentication.auth_via_mfa",
"user.authentication.verify",
"user.session.start") and okta.outcome.result == "SUCCESS")]
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
id = "T1621"
name = "Multi-Factor Authentication Request Generation"
reference = "https://attack.mitre.org/techniques/T1621/"
[rule.threat.tactic]
rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
+83
View File
@@ -0,0 +1,83 @@
[metadata]
creation_date = "2023/11/07"
integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/11/07"
[rule]
author = ["Elastic"]
description = "Identifies the first occurrence of an Okta user session started via a proxy."
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "First Occurrence of Okta User Session Started via Proxy"
note = """## Triage and analysis
### Investigating First Occurrence of Okta User Session Started via Proxy
This rule detects the first occurrence of an Okta user session started via a proxy. This rule is designed to help identify suspicious authentication behavior that may be indicative of an attacker attempting to gain access to an Okta account while remaining anonymous. This rule leverages the New Terms rule type feature where the `okta.actor.id` value is checked against the previous 7 days of data to determine if the value has been seen before for this activity.
#### Possible investigation steps:
- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
- Examine the `okta.debug_context.debug_data.flattened` field for more information about the proxy used.
- Review the `okta.request.ip_chain` field for more information about the geographic location of the proxy.
- Review the past activities of the actor involved in this action by checking their previous actions.
- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
### False positive analysis:
- A user may have legitimately started a session via a proxy for security or privacy reasons.
### Response and remediation:
- Review the profile of the user involved in this action to determine if proxy usage may be expected.
- If the user is legitimate and the authentication behavior is not suspicious, no action is required.
- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).
- If MFA is already enabled, consider resetting MFA for the user.
- If the user is not legitimate, consider deactivating the user's account.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://developer.okta.com/docs/reference/api/system-log/#issuer-object",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
]
risk_score = 47
rule_id = "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"
severity = "medium"
tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.dataset:okta.system and okta.event_type: (user.session.start or user.authentication.verify) and okta.security_context.is_proxy:true and not okta.actor.id: okta*
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.new_terms]
field = "new_terms_fields"
value = ["okta.actor.id", "cloud.account.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"
rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
+67
View File
@@ -0,0 +1,67 @@
[metadata]
creation_date = "2023/11/10"
integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/11/10"
[rule]
author = ["Elastic"]
description = "Detects when Okta user or system events are reported for multiple users with the same device token hash."
false_positives = [
"An Okta admnistrator may be logged into multiple accounts from the same host for legitimate reasons.",
"Users may share an endpoint related to work or personal use in which separate Okta accounts are used.",
"Shared systems such as Kiosks and conference room computers may be used by multiple users."
]
from = "now-9m"
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Multiple Okta Users with the Same Device Token Hash"
note = """## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
]
risk_score = 47
rule_id = "50887ba8-7ff7-11ee-a038-f661ea17fbcd"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.dataset:okta.system and not okta.actor.id:okta* and okta.debug_context.debug_data.dt_hash:* and okta.event_type:(system* or user*)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.threshold]
field = ["okta.debug_context.debug_data.dt_hash"]
value = 1
[[rule.threshold.cardinality]]
field = "okta.actor.id"
value = 2
rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
+67
View File
@@ -0,0 +1,67 @@
[metadata]
creation_date = "2023/11/08"
integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/11/08"
[rule]
author = ["Elastic"]
description = """
Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate an attacker has compromised a user's Okta account and is using it to access the organization's resources.
"""
from = "now-30m"
interval = "60m"
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Multiple Okta Client Addresses for a Single User Session"
note = """## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
]
risk_score = 47
rule_id = "cc382a2e-7e52-11ee-9aac-f661ea17fbcd"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.dataset:okta.system
and okta.authentication_context.external_session_id:* and okta.debug_context.debug_data.dt_hash:*
and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.threshold]
field = ["okta.actor.id", "okta.authentication_context.external_session_id"]
value = 1
[[rule.threshold.cardinality]]
field = "okta.debug_context.debug_data.dt_hash"
value = 2
rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
+77
View File
@@ -0,0 +1,77 @@
[metadata]
creation_date = "2023/11/07"
integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/11/07"
[rule]
author = ["Elastic"]
description = "Detects events where Okta behavior detection has identified a new authentication behavior."
from = "now-30m"
index = ["filebeat-*", "logs-okta*"]
interval = "15m"
language = "kuery"
license = "Elastic License v2"
name = "New Okta Authentication Behavior Detected"
note = """## Triage and analysis
### Investigating New Okta Authentication Behavior Detected
This rule detects events where Okta behavior detection has identified a new authentication behavior such as a new device or location.
#### Possible investigation steps:
- Identify the user involved in this action by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
- Determine the authentication anomaly by examining the `okta.debug_context.debug_data.risk_behaviors` and `okta.debug_context.debug_data.flattened` fields.
- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.
- Review the past activities of the actor involved in this action by checking their previous actions.
- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.
- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
### False positive analysis:
- A user may be using a new device or location to sign in.
- The Okta behavior detection may be incorrectly identifying a new authentication behavior and need adjusted.
### Response and remediation:
- If the user is legitimate and the authentication behavior is not suspicious, no action is required.
- If the user is legitimate but the authentication behavior is suspicious, consider resetting the user's password and enabling multi-factor authentication (MFA).
- If MFA is already enabled, consider resetting MFA for the user.
- If the user is not legitimate, consider deactivating the user's account.
- If this is a false positive, consider adjusting the Okta behavior detection settings.
- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://unit42.paloaltonetworks.com/muddled-libra/",
"https://help.okta.com/oie/en-us/content/topics/security/behavior-detection/about-behavior-detection.htm",
]
risk_score = 47
rule_id = "260486ee-7d98-11ee-9599-f661ea17fbcd"
severity = "medium"
tags = [
"Use Case: Identity and Access Audit",
"Tactic: Initial Access",
"Data Source: Okta",
]
timestamp_override = "event.ingested"
type = "query"
query = '''event.dataset:okta.system and okta.debug_context.debug_data.risk_behaviors:*'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
+57
View File
@@ -0,0 +1,57 @@
[metadata]
creation_date = "2023/05/07"
integration = ["okta"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/11/07"
[rule]
author = ["Austin Songer"]
description = """
Detects when Okta FastPass prevents a user from authenticating to a phishing website.
"""
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Okta FastPass Phishing Detection"
note = """## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
This rule requires Okta to have the following turned on:
Okta Identity Engine - select 'Phishing Resistance for FastPass' under Settings > Features in the Admin Console.
"""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://sec.okta.com/fastpassphishingdetection",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
]
risk_score = 47
rule_id = "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e"
severity = "medium"
tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:okta.system and event.category:authentication and
okta.event_type:user.authentication.auth_via_mfa and event.outcome:failure and okta.outcome.reason:"FastPass declined phishing attempt"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
+66
View File
@@ -0,0 +1,66 @@
[metadata]
creation_date = "2023/11/18"
integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/11/18"
[rule]
author = ["Elastic"]
description = """
Detects when a specific Okta actor has multiple sessions started from different geolocations.
"""
from = "now-30m"
interval = "15m"
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Okta User Sessions Started from Different Geolocations"
note = """## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://www.rezonate.io/blog/okta-logs-decoded-unveiling-identity-threats-through-threat-hunting/"
]
risk_score = 47
rule_id = "2e56e1bc-867a-11ee-b13e-f661ea17fbcd"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.dataset:okta.system and okta.event_type:user.session.start and not okta.security_context.is_proxy:true
and okta.actor.id:* and client.geo.country_name:*
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[rule.threshold]
field = ["okta.actor.id"]
value = 1
[[rule.threshold.cardinality]]
field = "client.geo.country_name"
value = 2
rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
+99
View File
@@ -0,0 +1,99 @@
[metadata]
creation_date = "2023/11/06"
integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/11/06"
[rule]
author = ["Elastic"]
description = "Detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP)."
from = "now-30m"
index = ["filebeat-*", "logs-okta*"]
interval = "15m"
language = "kuery"
license = "Elastic License v2"
name = "Okta Sign-In Events via Third-Party IdP"
note = """## Triage and analysis
### Investigating Okta Sign-In Events via Third-Party IdP
This rule detects sign-in events where authentication is carried out via a third-party Identity Provider (IdP).
Adversaries may attempt to add an unauthorized IdP to an Okta tenant to gain access to the tenant. Following this action, adversaries may attempt to sign in to the tenant using the unauthorized IdP. This rule detects both the addition of an unauthorized IdP and the subsequent sign-in attempt.
#### Possible investigation steps:
- Identify the third-party IdP by examining the `okta.authentication_context.issuer.id` field.
- Once the third-party IdP is identified, determine if this IdP is authorized to be used by the tenant.
- If the IdP is unauthorized, deactivate it immediately via the Okta console.
- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields in historical data.
- The `New Okta Identity Provider (IdP) Added by Admin` rule may be helpful in identifying the actor and the IdP creation event.
- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.
- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.
- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.
- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
### False positive analysis:
- It might be a false positive if this IdP is authorized to be used by the tenant.
- This may be a false positive if an authorized third-party IdP is used to sign in to the tenant but failures occurred due to an incorrect configuration.
### Response and remediation:
- If the IdP is unauthorized, deactivate it immediately via the Okta console.
- Reset the effected user's password and enforce MFA re-enrollment, if applicable.
- Mobile device forensics may be required to determine if the user's device is compromised.
- If the IdP is authorized, ensure that the actor who created it is authorized to do so.
- If the actor is unauthorized, deactivate their account via the Okta console.
- If the actor is authorized, ensure that the actor's account is not compromised.
- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://unit42.paloaltonetworks.com/muddled-libra/",
]
risk_score = 47
rule_id = "1ceb05c4-7d25-11ee-9562-f661ea17fbcd"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:okta.system and okta.debug_context.debug_data.request_uri:/oauth2/v1/authorize/callback and
(not okta.authentication_context.issuer.id:Okta and event.action:(user.authentication.auth_via_IDP
or user.authentication.auth_via_inbound_SAML
or user.authentication.auth_via_mfa
or user.authentication.auth_via_social)
or event.action:user.session.start) or
(event.action:user.authentication.auth_via_IDP and okta.outcome.result:FAILURE
and okta.outcome.reason:("A SAML assert with the same ID has already been processed by Okta for a previous request"
or "Unable to match transformed username"
or "Unable to resolve IdP endpoint"
or "Unable to validate SAML Response"
or "Unable to validate incoming SAML Assertion"))
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1199"
name = "Trusted Relationship"
reference = "https://attack.mitre.org/techniques/T1199/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+69
View File
@@ -0,0 +1,69 @@
[metadata]
creation_date = "2023/11/07"
integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/11/07"
[rule]
author = ["Elastic"]
description = """
Detects when a user has started multiple Okta sessions with the same user account and different session IDs. This may indicate that an attacker has stolen the user's session cookie and is using it to access the user's account from a different location.
"""
false_positives = [
"A user may have multiple sessions open at the same time, such as on a mobile device and a laptop.",
]
from = "now-30m"
interval = "60m"
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
name = "Multiple Okta Sessions Detected for a Single User"
note = """## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://developer.okta.com/docs/reference/api/system-log/",
"https://developer.okta.com/docs/reference/api/event-types/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection"
]
risk_score = 47
rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement"]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.dataset:okta.system and okta.event_type:user.session.start and okta.authentication_context.external_session_id:*
and not (okta.actor.id: okta* or okta.actor.display_name: okta*)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.004"
name = "Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1550/004/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[rule.threshold]
field = ["okta.actor.id"]
value = 1
[[rule.threshold.cardinality]]
field = "okta.authentication_context.external_session_id"
value = 3
rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
+87
View File
@@ -0,0 +1,87 @@
[metadata]
creation_date = "2023/11/06"
integration = ["okta"]
maturity = "production"
min_stack_comments = "Breaking change in Okta integration bumping version to ^2.0.0"
min_stack_version = "8.10.0"
updated_date = "2023/11/06"
[rule]
author = ["Elastic"]
description = """
Detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.
"""
from = "now-30m"
index = ["filebeat-*", "logs-okta*"]
interval = "15m"
language = "kuery"
license = "Elastic License v2"
name = "New Okta Identity Provider (IdP) Added by Admin"
note = """## Triage and analysis
### Investigating New Okta Identity Provider (IdP) Added by Admin
This rule detects the creation of a new Identity Provider (IdP) by a Super Administrator or Organization Administrator within Okta.
#### Possible investigation steps:
- Identify the actor associated with the IdP creation by examining the `okta.actor.id`, `okta.actor.type`, `okta.actor.alternate_id`, and `okta.actor.display_name` fields.
- Identify the IdP added by reviewing the `okta.target` field and determing if this IdP is authorized.
- Determine the client used by the actor. Review the `okta.client.ip`, `okta.client.user_agent.raw_user_agent`, `okta.client.zone`, `okta.client.device`, and `okta.client.id` fields.
- If the client is a device, check the `okta.device.id`, `okta.device.name`, `okta.device.os_platform`, `okta.device.os_version`, and `okta.device.managed` fields.
- Review the past activities of the actor involved in this action by checking their previous actions logged in the `okta.target` field.
- Examine the `okta.request.ip_chain` field to potentially determine if the actor used a proxy or VPN to perform this action.
- Evaluate the actions that happened just before and after this event in the `okta.event_type` field to help understand the full context of the activity.
### False positive analysis:
- It might be a false positive if the action was part of a planned activity or performed by an authorized person.
- Several unsuccessful attempts prior to this success, may indicate an adversary attempting to add an unauthorized IdP multiple times.
### Response and remediation:
- If the IdP is unauthorized, deactivate it immediately via the Okta console.
- If the IdP is authorized, ensure that the actor who created it is authorized to do so.
- If the actor is unauthorized, deactivate their account via the Okta console.
- If the actor is authorized, ensure that the actor's account is not compromised.
- Reset the user's password and enforce MFA re-enrollment, if applicable.
- Block the IP address or device used in the attempts if they appear suspicious, using the data from the `okta.client.ip` and `okta.device.id` fields.
- Conduct a review of Okta policies and ensure they are in accordance with security best practices.
- If the deactivated IdP was crucial to the organization, consider adding a new IdP and removing the unauthorized IdP.
## Setup
The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
"""
references = [
"https://blog.cloudflare.com/cloudflare-investigation-of-the-january-2022-okta-compromise/",
"https://www.elastic.co/security-labs/testing-okta-visibility-and-detection-dorothy",
"https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection",
"https://unit42.paloaltonetworks.com/muddled-libra/",
]
risk_score = 47
rule_id = "29b53942-7cd4-11ee-b70e-f661ea17fbcd"
severity = "medium"
tags = ["Use Case: Identity and Access Audit", "Tactic: Persistence", "Data Source: Okta"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset: "okta.system" and event.action: "system.idp.lifecycle.create" and okta.outcome.result: "SUCCESS"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1556"
name = "Modify Authentication Process"
reference = "https://attack.mitre.org/techniques/T1556/"
[[rule.threat.technique.subtechnique]]
id = "T1556.007"
name = "Hybrid Identity"
reference = "https://attack.mitre.org/techniques/T1556/007/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of a process with arguments pointing to known browser f
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Access of Stored Browser Credentials"
@@ -22,11 +22,29 @@ risk_score = 73
rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
rules/macos/credential_access_credentials_keychains.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ for macOS to keep track of users' passwords and credentials for many services an
websites, secure notes and certificates.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Access to Keychain Credentials Directories"
@@ -26,11 +26,29 @@ risk_score = 73
rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ credentials to obtain account login information in the form of a hash. These has
lateral movement.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Dumping Account Hashes via Built-In Commands"
@@ -24,6 +24,32 @@ references = [
]
risk_score = 73
rule_id = "02ea4563-ec10-4974-b7de-12e65aa4f9b3"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/credential_access_dumping_keychain_security.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,17 +14,35 @@ built-in way for macOS to keep track of users' passwords and credentials for man
and website passwords, secure notes, certificates, and Kerberos.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Dumping of Keychain Content via Security Command"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
references = ["https://ss64.com/osx/security.html"]
risk_score = 73
rules/macos/credential_access_kerberosdump_kcc.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the use of the Kerberos credential cache (kcc) utility to dump locall
may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kerberos Cached Credentials Dumping"
@@ -23,6 +23,32 @@ references = [
]
risk_score = 73
rule_id = "ad88231f-e2ab-491c-8fc6-64746da26cfe"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ and website passwords, secure notes, certificates, and Kerberos.
"""
false_positives = ["Applications for password management."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Keychain Password Retrieval via Command Line"
@@ -29,11 +29,29 @@ risk_score = 73
rule_id = "9092cd6c-650f-4fa3-8a8a-28256c7489c9"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
rules/macos/credential_access_mitm_localhost_webproxy.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ hijack web browser traffic for credential access via traffic sniffing or redirec
"""
false_positives = ["Legitimate WebProxy Settings Modification"]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "WebProxy Settings Modification"
@@ -24,6 +24,32 @@ references = [
]
risk_score = 47
rule_id = "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,13 +13,39 @@ Identifies a high number (20) of macOS SSH KeyGen process executions from the sa
brute force attack to obtain unauthorized access to user accounts.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential macOS SSH Brute Force Detected"
references = ["https://themittenmac.com/detecting-ssh-activity-via-process-monitoring/"]
risk_score = 47
rule_id = "ace1e989-a541-44df-93a8-a8b0591b63c0"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
type = "threshold"
rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the use of osascript to execute scripts via standard input that may p
credentials.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Prompt for Credentials with OSASCRIPT"
@@ -25,11 +25,29 @@ risk_score = 73
rule_id = "38948d29-3d5d-42e3-8aec-be832aaaf8eb"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
rules/macos/credential_access_systemkey_dumping.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,13 +14,39 @@ features, including Wi-Fi and website passwords, secure notes, certificates, and
keychain storage data from a system to acquire credentials.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "SystemKey Access via Command Line"
references = ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/softwares/system/chainbreaker.py"]
risk_score = 73
rule_id = "d75991f2-b989-419d-b797-ac1e54ec2d61"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/defense_evasion_apple_softupdates_modification.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,13 +14,39 @@ an attempt to disable security updates.
"""
false_positives = ["Authorized SoftwareUpdate Settings Changes"]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "SoftwareUpdate Preferences Modification"
references = ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/"]
risk_score = 47
rule_id = "f683dcdf-a018-4801-b066-193d4ae6c8e5"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ there is a quarantine flag set on the file. This attribute is read by Apple's Ga
time. An adversary may disable this attribute to evade defenses.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Remove File Quarantine Attribute"
@@ -26,11 +26,29 @@ risk_score = 47
rule_id = "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Detects attempts to disable Gatekeeper on macOS. Gatekeeper is a security featur
trusted software is run. Adversaries may attempt to disable Gatekeeper before executing malicious code.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Disable Gatekeeper"
@@ -23,6 +23,32 @@ references = [
]
risk_score = 47
rule_id = "4da13d6e-904f-4636-81d8-6ab14b4e6ae9"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/defense_evasion_install_root_certificate.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -16,13 +16,39 @@ trust that have been signed by the root certificate.
"""
false_positives = ["Certain applications may install root certificates for the purpose of inspecting SSL traffic."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Install Root Certificate"
references = ["https://ss64.com/osx/security-cert.html"]
risk_score = 47
rule_id = "bc1eeacf-2972-434f-b782-3a532b100d67"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/defense_evasion_modify_environment_launchctl.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ own malicious payloads by hijacking certain environment variables to load arbitr
restrictions.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Modification of Environment Variable via Launchctl"
@@ -23,6 +23,32 @@ references = [
]
risk_score = 47
rule_id = "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ indicate an attempt to bypass macOS privacy controls, including access to sensit
microphone, address book, and calendar.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privacy Control Bypass via TCCDB Modification"
@@ -27,11 +27,29 @@ risk_score = 47
rule_id = "eea82229-b002-470e-a9e1-00be38b14d32"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ Daemon (sshd) to the authorized application list for Full Disk Access. This may
privacy controls to access sensitive files.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Privacy Control Bypass via Localhost Secure Copy"
@@ -25,11 +25,29 @@ risk_score = 73
rule_id = "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
rules/macos/defense_evasion_safari_config_change.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,13 +14,39 @@ disable certain Safari settings, such as enabling JavaScript from Apple Events t
browser.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Modification of Safari Settings via Defaults Command"
references = ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"]
risk_score = 47
rule_id = "6482255d-f468-45ea-a5b3-d3a7de1331ae"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ applications on macOS are allowed to write files that start with special charact
AutoStart location to achieve sandbox evasion.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Microsoft Office Sandbox Evasion"
@@ -25,6 +25,32 @@ references = [
]
risk_score = 73
rule_id = "d22a85c6-d2ad-4cc4-bf7b-54787473669a"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,13 +14,39 @@ as read-only and with the noowners flag set. This action enables the adversary t
system, including all user data and files protected by Apples privacy framework (TCC).
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "TCC Bypass via Mounted APFS Snapshot Access"
references = ["https://theevilbit.github.io/posts/cve_2020_9771/"]
risk_score = 73
rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+28 -2
View File
@@ -4,18 +4,44 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
description = "Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command."
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Unload Elastic Endpoint Security Kernel Extension"
risk_score = 73
rule_id = "70fa1af4-27fd-4f26-bd03-50b6af6b9e24"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/discovery_users_domain_built_in_commands.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of macOS built-in commands related to account or group
and group information to orient themselves before deciding how to act.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Enumeration of Users or Groups via Built-in Commands"
@@ -21,11 +21,29 @@ risk_score = 21
rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies attempts to execute a child process from within the context of an Ele
child_process Node.js module. Adversaries may abuse this technique to inherit permissions from parent processes.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Execution via Electron Child Process Node.js Module"
@@ -24,6 +24,32 @@ references = [
]
risk_score = 47
rule_id = "35330ba2-c859-4c98-8b7f-c19159ea0e58"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+27 -1
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -24,6 +24,32 @@ references = [
]
risk_score = 73
rule_id = "080bc66a-5d56-4d1f-8071-817671716db9"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/execution_installer_package_spawned_network_event.toml
+27 -1
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -33,6 +33,32 @@ references = [
]
risk_score = 47
rule_id = "99239e7d-b0d4-46e3-8609-acafcf99f68c"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control", "Data Source: Elastic Defend"]
type = "eql"
rules/macos/execution_script_via_automator_workflows.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,13 +14,39 @@ Adversaries may drop a custom workflow template that hosts malicious JavaScript
alternative to using osascript.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Automator Workflows Execution"
references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
risk_score = 47
rule_id = "5d9f8cfc-0d03-443e-a167-2b0597ce0965"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Detects execution via the Apple script interpreter (osascript) followed by a net
within a short time period. Adversaries may use malicious scripts for execution and command and control.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Apple Script Execution followed by Network Connection"
@@ -23,6 +23,32 @@ references = [
]
risk_score = 47
rule_id = "47f76567-d58a-4fed-b32b-21f571e28910"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
rules/macos/execution_shell_execution_via_apple_scripting.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of the shell process (sh) via scripting (JXA or AppleSc
doShellScript functionality in JXA or do shell script in AppleScript to execute system commands.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Shell Execution via Apple Scripting"
@@ -23,6 +23,32 @@ references = [
]
risk_score = 47
rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
type = "eql"
rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+27 -1
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -21,6 +21,32 @@ name = "Suspicious macOS MS Office Child Process"
references = ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office-macro-malware-targets-macs/"]
risk_score = 47
rule_id = "66da12b1-ac83-40eb-814c-07ed1d82b7b9"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,13 +13,39 @@ Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be
attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Kerberos Attack via Bifrost"
references = ["https://github.com/its-a-feature/bifrost"]
risk_score = 73
rule_id = "16904215-2c95-4ac8-bf5c-12354e047192"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/lateral_movement_mounting_smb_share.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of macOS built-in commands to mount a Server Message Bl
use valid accounts to interact with a remote network share using SMB.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Attempt to Mount SMB Share via Command Line"
@@ -22,11 +22,29 @@ risk_score = 21
rule_id = "661545b4-1a90-4f45-85ce-2ebd7c6a15d0"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+28 -2
View File
@@ -4,13 +4,13 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
description = "Detects use of the systemsetup command to enable remote SSH Login."
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Remote SSH Login Enabled via systemsetup Command"
@@ -21,6 +21,32 @@ references = [
]
risk_score = 47
rule_id = "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/lateral_movement_vpn_connection_attempt.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of macOS built-in commands to connect to an existing Vi
may use VPN connections to laterally move and control remote systems on a network.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Virtual Private Network Connection Attempt"
@@ -26,11 +26,29 @@ risk_score = 21
rule_id = "15dacaa0-5b90-466b-acab-63435a59701a"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"]
rules/macos/persistence_account_creation_hide_at_logon.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,13 +13,39 @@ Identifies attempts to create a local account that will be hidden from the macOS
attempt to evade user attention while maintaining persistence using a separate local account.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Hidden Local User Account Creation"
references = ["https://support.apple.com/en-us/HT203998"]
risk_score = 47
rule_id = "41b638a1-8ab6-4f8e-86d9-466317ef2db5"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_creation_change_launch_agents_file.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ launchctl to load a plist into the appropriate directories.
"""
false_positives = ["Trusted applications persisting via LaunchAgent"]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Launch Agent Creation or Modification and Immediate Loading"
@@ -23,6 +23,32 @@ references = [
]
risk_score = 21
rule_id = "082e3f8c-6f80-485c-91eb-5b112cb79b28"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
type = "eql"
rules/macos/persistence_creation_hidden_login_item_osascript.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of osascript to create a hidden login item. This may in
program while concealing its presence.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Creation of Hidden Login Item via Apple Script"
@@ -21,11 +21,29 @@ risk_score = 47
rule_id = "f24bcae1-8980-4b30-b5dd-f851b055c9e7"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution", "Data Source: Elastic Defend"]
rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ payloads as part of persistence.
"""
false_positives = ["Trusted applications persisting via LaunchDaemons"]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "LaunchDaemon Creation or Modification and Immediate Loading"
@@ -23,6 +23,32 @@ references = [
]
risk_score = 21
rule_id = "9d19ece6-c20e-481a-90c5-ccca596537de"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
type = "eql"
rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ supported by the OS, such as multi-factor authentication with third party softwa
to persist and/or collect clear text credentials as they traverse the registered plugins during user logon.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Authorization Plugin Modification"
@@ -24,6 +24,32 @@ references = [
]
risk_score = 47
rule_id = "e6c98d38-633d-4b3e-9387-42112cd5ac10"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_crontab_creation.toml
+27 -1
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -23,6 +23,32 @@ references = [
]
risk_score = 47
rule_id = "530178da-92ea-43ce-94c2-8877a826783d"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the execution of a launchd child process with a hidden file. An adver
installing a new logon item, launch agent, or daemon that executes upon login.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Hidden Child Process of Launchd"
@@ -24,6 +24,32 @@ references = [
]
risk_score = 47
rule_id = "083fa162-e790-4d85-9aeb-4fea04188adb"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_directory_services_plugins_modification.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,13 +14,39 @@ launches on each system boot and automatically reloads after crash. It scans and
the DirectoryServices PlugIns folder and can be abused by adversaries to maintain persistence.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Persistence via DirectoryService Plugin Modification"
references = ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-abusing-plugins/"]
risk_score = 47
rule_id = "89fa6cb7-6b53-4de2-b604-648488841ab8"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_docker_shortcuts_plist_modification.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ An adversary can establish persistence by modifying an existing macOS dock prope
application instead of the intended one when invoked.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Persistence via Docker Shortcut Modification"
@@ -22,6 +22,32 @@ references = [
]
risk_score = 47
rule_id = "c81cefcb-82b9-4408-a533-3c3df549e62d"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_emond_rules_file_creation.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation or modification of the Event Monitor Daemon (emond) rule
writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Emond Rules Creation or Modification"
@@ -25,11 +25,29 @@ risk_score = 47
rule_id = "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
rules/macos/persistence_emond_rules_process_execution.toml
+27 -1
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -21,6 +21,32 @@ name = "Suspicious Emond Child Process"
references = ["https://www.xorrior.com/emond-persistence/"]
risk_score = 47
rule_id = "3e3d15c6-1509-479a-b125-21718372157e"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_enable_root_account.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,13 +13,39 @@ Identifies attempts to enable the root account using the dsenableroot command. T
for persistence, as the root account is disabled by default.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Attempt to Enable the Root Account"
references = ["https://ss64.com/osx/dsenableroot.html"]
risk_score = 47
rule_id = "cc2fd2d0-ba3a-4939-b87f-2901764ed036"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation of a hidden launch agent or daemon. An adversary may est
launch agent or daemon which executes at login.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Creation of Hidden Launch Agent or Daemon"
@@ -24,11 +24,29 @@ risk_score = 47
rule_id = "092b068f-84ac-485d-8a55-7dd9e006715f"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ this feature by adding a rogue Finder Plugin to repeatedly execute malicious pay
"""
false_positives = ["Trusted Finder Sync Plugins"]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Finder Sync Plugin Registered and Enabled"
@@ -23,6 +23,32 @@ references = [
]
risk_score = 47
rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_folder_action_scripts_runtime.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,13 +14,39 @@ attached has items added or removed, or when its window is opened, closed, moved
feature to establish persistence by utilizing a malicious script.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Folder Action Script"
references = ["https://posts.specterops.io/folder-actions-for-persistence-on-macos-8923f222343d"]
risk_score = 47
rule_id = "c292fa52-4115-408a-b897-e14f684b3cb7"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence", "Data Source: Elastic Defend"]
type = "eql"
rules/macos/persistence_login_logout_hooks_defaults.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies use of the Defaults command to install a login or logoff hook in MacO
capability to establish persistence in an environment by inserting code to be executed at login or logout.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Persistence via Login or Logout Hook"
@@ -25,11 +25,29 @@ risk_score = 47
rule_id = "5d0265bf-dea9-41a9-92ad-48a8dcd05080"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
rules/macos/persistence_loginwindow_plist_modification.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation or modification of the login window property list (plist
run a program during system boot or user login for persistence.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Persistence via Login Hook"
@@ -23,6 +23,32 @@ Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be r
references = ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript.js"]
risk_score = 47
rule_id = "ac412404-57a5-476f-858f-4e8fbb4f48d8"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Adversaries may create or modify the Sublime application plugins or scripts to e
Sublime application is started.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Sublime Plugin or Application Script Modification"
@@ -22,11 +22,29 @@ risk_score = 21
rule_id = "88817a33-60d3-411f-ba79-7c905d865b2a"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation or modification of the default configuration for periodi
tasks to execute malicious code or maintain persistence.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Persistence via Periodic Tasks"
@@ -24,6 +24,32 @@ references = [
]
risk_score = 21
rule_id = "48ec9452-e1fd-4513-a376-10a1a26d2c83"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+24 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ on a macOS endpoint by creating a malicious screensaver (.saver) file and config
execute code each time the screensaver is activated.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Unexpected Child Process of macOS Screensaver Engine"
@@ -35,11 +35,28 @@ risk_score = 47
rule_id = "48d7f54d-c29e-4430-93a9-9db6b5892270"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
rules/macos/persistence_screensaver_plist_file_modification.toml
+24 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ a macOS endpoint by creating a malicious screensaver (.saver) file and configuri
code each time the screensaver is activated.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Screensaver Plist File Modified by Unexpected Process"
@@ -33,11 +33,28 @@ risk_score = 47
rule_id = "e6e8912f-283f-4d0d-8442-e0dcaf49944b"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
rules/macos/persistence_suspicious_calendar_modification.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ notification procedure to execute a malicious program at a recurring interval to
"""
false_positives = ["Trusted applications for managing calendars and reminders."]
from = "now-9m"
index = ["logs-endpoint.events.*", "auditbeat-*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Calendar File Modification"
@@ -25,6 +25,32 @@ references = [
]
risk_score = 47
rule_id = "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/persistence_via_atom_init_file_modification.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies modifications to the Atom desktop text editor Init File. Adversaries
init.coffee file that will be executed upon the Atom application opening.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Persistence via Atom Init Script Modification"
@@ -23,6 +23,32 @@ references = [
]
risk_score = 21
rule_id = "b4449455-f986-4b5a-82ed-e36b129331f7"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "low"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+25 -7
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies execution of the Apple script interpreter (osascript) without a passw
privileges.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Apple Scripting Execution with Administrator Privileges"
@@ -22,11 +22,29 @@ risk_score = 47
rule_id = "827f8d8f-4117-4ae4-b551-f56d54b9da6b"
setup = """
If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -14,7 +14,7 @@ AuthorizationExecute-WithPrivileges from the Security.framework to run another p
not be run by itself, as this is a sign of execution with explicit logon credentials.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Execution with Explicit Credentials via Scripting"
@@ -24,6 +24,32 @@ references = [
]
risk_score = 47
rule_id = "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -15,7 +15,7 @@ CVE-2020-9613 and verify that the impacted system is patched.
"""
false_positives = ["Trusted system or Adobe Acrobat Related processes."]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Suspicious Child Process of Adobe Acrobat Reader Update Service"
@@ -24,6 +24,32 @@ references = [
]
risk_score = 73
rule_id = "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = [
"Domain: Endpoint",
rules/macos/privilege_escalation_local_user_added_to_admin.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,13 +13,39 @@ Identifies attempts to add an account to the admin group via the command line. T
escalation activity.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Admin Group Account Addition"
references = ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-admin-group-via-command-line-3-0/"]
risk_score = 47
rule_id = "565c2b44-7a21-4818-955f-8d4737967d2e"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/macos/privilege_escalation_root_crontab_filemod.toml
+28 -2
View File
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies modifications to the root crontab file. Adversaries may overwrite thi
privileges by exploiting privileged file write or move related vulnerabilities.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Privilege Escalation via Root Crontab File Modification"
@@ -23,6 +23,32 @@ references = [
]
risk_score = 73
rule_id = "0ff84c42-873d-41a2-a4ed-08d74d352d01"
setup = """
This rule requires data coming in from Elastic Defend.
### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
+56
View File
@@ -0,0 +1,56 @@
[metadata]
creation_date = "2023/11/15"
integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
min_stack_version = "8.4.0"
updated_date = "2023/11/15"
[rule]
author = ["Elastic"]
description = """
Identifies a new credentials logon type performed by an unusual process. This may indicate the existence of an access token
forging capability that are often abused to bypass access control restrictions.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "First Time Seen NewCredentials Logon Process"
risk_score = 47
rule_id = "e468f3f6-7c4c-45bb-846a-053738b3fe5d"
severity = "medium"
references = ["https://www.elastic.co/pt/blog/how-attackers-abuse-access-token-manipulation"]
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
timestamp_override = "event.ingested"
type = "new_terms"
query = '''
event.category:"authentication" and host.os.type:"windows" and winlog.logon.type:"NewCredentials" and winlog.event_data.LogonProcessName:(Advapi* or "Advapi ")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1134"
name = "Access Token Manipulation"
reference = "https://attack.mitre.org/techniques/T1134/"
[[rule.threat.technique.subtechnique]]
id = "T1134.001"
name = "Token Impersonation/Theft"
reference = "https://attack.mitre.org/techniques/T1134/001/"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[rule.new_terms]
field = "new_terms_fields"
value = ["process.executable"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-7d"