diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 89889a117..177f51dd1 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -1001,30 +1001,33 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): current_stack_version = load_current_package_version() if self.check_restricted_field_version(field_name): - if isinstance(self.data, QueryRuleData) and self.data.language != 'lucene': - package_integrations = self.get_packaged_integrations(self.data, self.metadata, packages_manifest) + if (isinstance(self.data, QueryRuleData) or isinstance(self.data, MachineLearningRuleData)): + if (self.data.get('language') is not None and self.data.get('language') != 'lucene') or \ + self.data.get('type') == 'machine_learning': + package_integrations = self.get_packaged_integrations(self.data, self.metadata, + packages_manifest) - if not package_integrations: - return + if not package_integrations: + return - for package in package_integrations: - package["version"] = find_least_compatible_version( - package=package["package"], - integration=package["integration"], - current_stack_version=current_stack_version, - packages_manifest=packages_manifest) + for package in package_integrations: + package["version"] = find_least_compatible_version( + package=package["package"], + integration=package["integration"], + current_stack_version=current_stack_version, + packages_manifest=packages_manifest) - # if integration is not a policy template remove - if package["version"]: - policy_templates = packages_manifest[ - package["package"]][package["version"].strip("^")]["policy_templates"] - if package["integration"] not in policy_templates: - del package["integration"] + # if integration is not a policy template remove + if package["version"]: + policy_templates = packages_manifest[ + package["package"]][package["version"].strip("^")]["policy_templates"] + if package["integration"] not in policy_templates: + del package["integration"] - # remove duplicate entries - package_integrations = list({json.dumps(d, sort_keys=True): - d for d in package_integrations}.values()) - 
obj.setdefault("related_integrations", package_integrations) + # remove duplicate entries + package_integrations = list({json.dumps(d, sort_keys=True): + d for d in package_integrations}.values()) + obj.setdefault("related_integrations", package_integrations) def _convert_add_required_fields(self, obj: dict) -> None: """Add restricted field required_fields to the obj, derived from the query AST.""" @@ -1123,7 +1126,7 @@ class TOMLRuleContents(BaseRuleContents, MarshmallowDataclassMixin): rule_integrations = meta.get("integration", []) if rule_integrations: for integration in rule_integrations: - if integration in definitions.NON_DATASET_PACKAGES: + if integration in definitions.NON_DATASET_PACKAGES or isinstance(data, MachineLearningRuleData): packaged_integrations.append({"package": integration, "integration": None}) for value in sorted(datasets): diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml index 8c6044884..757b1664c 100644 --- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml +++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml index b6604a9e4..43d92a099 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml 
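Review bot: The nested guard at the top of the hunk restates what the outer `isinstance` already decided — presumably a `MachineLearningRuleData` instance is the only case here where `self.data.get('type') == 'machine_learning'` holds or `language` is absent — so the two conditions read more clearly as `if isinstance(self.data, (QueryRuleData, MachineLearningRuleData)):` followed by `if isinstance(self.data, MachineLearningRuleData) or self.data.get('language') != 'lucene':`. That form also keeps the old behaviour for a query rule whose `language` is unset (the removed `self.data.language != 'lucene'` let it fall through, the new `is not None` clause skips it), which looks like a side effect of making the lookup safe for ML data rather than a deliberate change; if the skip is intended, a one-line comment should say so. The move from attribute access to `self.data.get('language')` appears to rely on a `get` helper provided by the dataclass mixin — worth confirming it exists on both data types. The enclosing method begins before this hunk, and the early `return` on an empty `package_integrations` leaves that whole method.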
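Review bot: The `isinstance(data, MachineLearningRuleData)` test added to the loop condition does not depend on `integration`, so it is re-evaluated on every pass of `for integration in rule_integrations`; compute it once above the loop, e.g. `is_ml_rule = isinstance(data, MachineLearningRuleData)` and `if is_ml_rule or integration in definitions.NON_DATASET_PACKAGES:`. With this change every package named in an ML rule's `integration` metadata is emitted with `integration: None`, which makes the TOML lists added elsewhere in this commit the sole source of `related_integrations` for those rules, so their accuracy matters as much as a query's. The `for value in sorted(datasets)` loop that follows presumably contributes nothing for ML rules, since they have no query AST to extract datasets from, but that is not visible in the hunk; the enclosing function starts before it.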
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml index 8a1f8a970..c68d24c04 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml index 535ec4df8..449a6ff3e 100644 --- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml +++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml index fe67011bb..7d5f0f82d 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml index 5ff295ae4..108d1f6a6 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml index 3239c4169..5a7340a19 100644 --- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml +++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml index 840a6e9bb..208bb5ed2 100644 --- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/22" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml index 067f3c66f..70948500d 100644 --- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml +++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/22" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml index 6c2d56fc7..3520d541d 100644 --- a/rules/ml/credential_access_ml_suspicious_login_activity.toml +++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml index 144f87ae7..2885596e7 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/22" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml index 3594d5bc0..4ef68ed70 100644 --- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml +++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/22" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml index 907ebfd13..ed009b873 100644 --- a/rules/ml/discovery_ml_linux_system_information_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml index b17481a08..8dde1a9c8 100644 --- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 25 diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml index 78dd2101b..d92e316c9 100644 --- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml index 7d5cc31b4..13dc66315 100644 --- a/rules/ml/discovery_ml_linux_system_process_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml index 6c6dd7f8f..8ef069586 100644 --- a/rules/ml/discovery_ml_linux_system_user_discovery.toml +++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml index cb71b9e52..9d4ac076c 100644 --- a/rules/ml/execution_ml_windows_anomalous_script.toml +++ b/rules/ml/execution_ml_windows_anomalous_script.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml index ca7fca546..62b9e5aa4 100644 --- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml index 7b80e48e6..8246bb110 100644 --- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml +++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml index 6595b4e46..d8d0e3fb3 100644 --- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml +++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2021/06/10" +integration = ["auditd_manager", "endpoint", "system"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml index d6ae498c1..686ef15bb 100644 --- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml +++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml index d7fabf32b..ffd6ad723 100644 --- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml +++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml index b5b3997b0..b5289e0ad 100644 --- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml +++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml index ef0fe996f..22fb46f58 100644 --- a/rules/ml/ml_high_count_network_denies.toml +++ b/rules/ml/ml_high_count_network_denies.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/04/05" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml index 586a13ca5..6679f4147 100644 --- a/rules/ml/ml_high_count_network_events.toml +++ b/rules/ml/ml_high_count_network_events.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2021/04/05" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml index 57cceb316..b1e96b676 100644 --- a/rules/ml/ml_linux_anomalous_network_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml index f31032bb0..c27a15a5c 100644 --- a/rules/ml/ml_linux_anomalous_network_port_activity.toml +++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml index 281b50b98..4dcc51b2f 100644 --- a/rules/ml/ml_packetbeat_rare_server_domain.toml +++ b/rules/ml/ml_packetbeat_rare_server_domain.toml 
@@ -1,9 +1,10 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 50 diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml index fb78f53cc..875c9fe09 100644 --- a/rules/ml/ml_rare_destination_country.toml +++ b/rules/ml/ml_rare_destination_country.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/04/05" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml index 30e06c92a..7e7d8b459 100644 --- a/rules/ml/ml_spike_in_traffic_to_a_country.toml +++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml @@ -1,9 +1,10 @@ [metadata] creation_date = "2021/04/05" +integration = ["endpoint", "network_traffic"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/06/22" +updated_date = "2023/07/27" [rule] anomaly_threshold = 75 diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml index 13adcd989..338892739 100644 --- a/rules/ml/ml_windows_anomalous_network_activity.toml +++ b/rules/ml/ml_windows_anomalous_network_activity.toml 
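Review bot: `ml_packetbeat_rare_server_domain.toml` receives `integration = ["auditd_manager", "endpoint"]`, whereas the other packetbeat-based rules in this commit (`command_and_control_ml_packetbeat_*`) receive `["endpoint", "network_traffic"]`; this looks like a list copied from the Linux host rules rather than the one intended for a network-data job. Because this commit turns the `integration` metadata into the `related_integrations` shown to users for ML rules, an inaccurate list misstates the data the rule depends on; confirm against the ML job's datafeed and, if it reads network data, change the line to `integration = ["endpoint", "network_traffic"]`.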
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml index d432c97b9..75f0ca416 100644 --- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml index d2e156a9b..a5e44c9f7 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml index fd95220d8..93bfc627f 100644 --- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml +++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml index 8359c61e3..b326a14ac 100644 --- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml +++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml index f3ab471ea..dd5bcb424 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml index 48f3ffe2d..f6c915343 100644 --- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml +++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml index 131dd0754..301458aae 100644 --- a/rules/ml/persistence_ml_windows_anomalous_service.toml +++ b/rules/ml/persistence_ml_windows_anomalous_service.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml index eb0f58161..93d94089a 100644 --- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml +++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml index 443c2340f..9aa047528 100644 --- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml +++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml 
@@ -1,7 +1,8 @@ [metadata] creation_date = "2020/03/25" +integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml index 10f43cbc1..03c4d43ef 100644 --- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml +++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml @@ -1,7 +1,8 @@ [metadata] creation_date = "2020/09/03" +integration = ["auditd_manager", "endpoint"] maturity = "production" -updated_date = "2023/06/22" +updated_date = "2023/07/27" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0"