[Rule Tuning] Remove duplicate rules after EQL conversion (#436)

* [Rule Tuning] Remove duplicate rules after EQL conversion

* Update defense_evasion_rundll32_sequence.toml

* swap msxsl rules
This commit is contained in:
Brent Murphy
2020-10-30 15:49:28 -04:00
committed by GitHub
parent a575cf9ff3
commit 9838d3d2f7
7 changed files with 19 additions and 7 deletions
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
ecs_version = ["1.6.0"]
maturity = "production"
maturity = "development"
updated_date = "2020/10/27"
[rule]
@@ -23,6 +23,8 @@ timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
type = "eql"
query = '''
/* duplicate of MsBuild Making Network Connections - 0e79980b-4250-4a50-a509-69294c14e84b */
sequence by process.entity_id
[process where event.type in ("start", "process_started") and process.name : "MSBuild.exe"]
[network where process.name : "MSBuild.exe" and
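Review bot: The `/* duplicate of MsBuild Making Network Connections - 0e79980b-... */` marker is placed inside the EQL query string, so it ships with the executable query to every consumer that loads this rule, and the only record of why the rule was demoted is a comment that query tooling may strip. If the rule schema has a free-text field such as `note`, the supersession belongs there, e.g. `note = "Superseded by MsBuild Making Network Connections (0e79980b-4250-4a50-a509-69294c14e84b); kept at development maturity pending removal."`, where it is visible to the loader and to reviewers. `updated_date` still reads `2020/10/27` although this commit changes the rule's maturity and query on 2020-10-30; if repository validation expects the date to move with the content, bump it here. The sequence body continues past the hunk.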
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
ecs_version = ["1.6.0"]
maturity = "production"
maturity = "development"
updated_date = "2020/10/28"
[rule]
@@ -23,6 +23,8 @@ timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
type = "eql"
query = '''
/* duplicate of Network Connection via MsXsl - b86afe07-0d98-4738-b15d-8d7465f95ff5 */
sequence by process.entity_id
[process where event.type in ("start", "process_started") and process.name : "msxsl.exe"]
[network where process.name : "msxsl.exe" and network.direction == "outgoing"]
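Review bot: `network.direction == "outgoing"` on the last line of the hunk is not an ECS value — the `ecs_version = ["1.6.0"]` declared at the top of the section lists `inbound`/`outbound` for that field, if I recall the allowed set correctly — so the network stage only closes for data sources that emit the non-ECS spelling, presumably Elastic Endpoint, and ECS-conformant data would never complete the sequence. If the rule is meant to stay usable while parked at development maturity, accept both spellings: `[network where process.name : "msxsl.exe" and network.direction in ("outgoing", "outbound")]`. The duplicate marker is also embedded in the query string rather than a rule-level field, so it travels with the executable query instead of being visible to the rule loader.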
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
ecs_version = ["1.6.0"]
maturity = "production"
maturity = "development"
updated_date = "2020/10/28"
[rule]
@@ -23,6 +23,8 @@ timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
type = "eql"
query = '''
/* duplicate of Network Connection via Registration Utility - fb02b8d3-71ee-4af1-bacd-215d23f17efa */
sequence by process.entity_id
[process where event.type in ("start", "process_started") and
(process.name : "RegAsm.exe" or process.name : "regsvcs.exe" or process.name : "regsvr32.exe")]
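Review bot: `sequence by process.entity_id` carries no `maxspan`, so a RegAsm/regsvcs/regsvr32 start is joined with a network event from the same entity no matter how much later it occurs, whereas the rundll32 rule in this same commit bounds its sequence with `maxspan=2h`. If this rule is retained at development maturity for further tuning, bound it the same way: `sequence by process.entity_id with maxspan=2h`. The supersession pointer to fb02b8d3-71ee-4af1-bacd-215d23f17efa lives only in an EQL comment, which nothing reading the rule's fields can see; a `note` entry would survive tooling that rewrites the query. The network stage of the sequence is outside the hunk.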
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
ecs_version = ["1.6.0"]
maturity = "production"
maturity = "development"
updated_date = "2020/10/28"
[rule]
@@ -23,6 +23,8 @@ timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
type = "eql"
query = '''
/* duplicate of Unusual Network Connection via RunDLL32 - 52aaab7b-b51c-441a-89ce-4387b3aea886 */
sequence by process.entity_id with maxspan=2h
[process where event.type in ("start", "process_started") and
/* uncomment once in winlogbeat */
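Review bot: Demoting to `development` leaves the `/* uncomment once in winlogbeat */` placeholder in the live query with whatever clause it guards still disabled, and the only pointer to the surviving rule (52aaab7b-b51c-441a-89ce-4387b3aea886) is another comment inside the query; neither state is visible to anything that reads the rule's fields. Record the supersession in a rule field, e.g. `note = "Superseded by Unusual Network Connection via RunDLL32 (52aaab7b-b51c-441a-89ce-4387b3aea886)."`, and track the winlogbeat gap as an issue rather than an in-query comment so it is not lost if the query is ever regenerated. The process stage and the rest of the sequence run past the hunk, so the disabled clause itself cannot be reviewed here.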
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
maturity = "development"
updated_date = "2020/10/28"
[rule]
@@ -24,6 +24,8 @@ timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
type = "eql"
query = '''
/* duplicate of Mshta Making Network Connections - c2d90150-0133-451c-a783-533e736c12d7 */
sequence by process.entity_id
[process where process.name : "mshta.exe" and event.type == "start"]
[network where process.name : "mshta.exe"]
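Review bot: The process stage matches `event.type == "start"` only, while every sibling rule in this commit accepts `event.type in ("start", "process_started")`, so a data source that emits the older `process_started` value would never seed this sequence. Align it: `[process where process.name : "mshta.exe" and event.type in ("start", "process_started")]`. The network stage also carries no `network.direction` restriction, unlike the msxsl rule, so any inbound connection attributed to mshta.exe would close the sequence as well — likely acceptable for a demoted rule, but worth settling before it is ever re-promoted. As with the other files in this commit, the duplicate marker is an EQL comment rather than a rule field.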
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
ecs_version = ["1.6.0"]
maturity = "production"
maturity = "development"
updated_date = "2020/10/27"
[rule]
@@ -25,6 +25,7 @@ type = "eql"
query = '''
/* preference would be to use user.sid rather than domain+name, once it is available in ECS + datasources */
/* didn't trigger successfully during testing */
sequence with maxspan=5s
[process where event.type in ("start", "process_started") and process.name : "svchost.exe" and
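Review bot: `sequence with maxspan=5s` has no top-level `by` key, so unless each stage carries its own `by` clause (the second stage is outside the hunk) the engine joins an `svchost.exe` start on one host with the follow-on event on any other host within 5 s; that would make the rule noisy rather than silent, which is the opposite of the `didn't trigger successfully during testing` note just added, and is worth checking before assuming the data was the problem. If the intent is per-host correlation, say so explicitly, e.g. `sequence by host.id with maxspan=5s`. The test-failure note also lives only inside the query string; the `maturity = "development"` change is the only machine-readable signal that this rule is not trusted.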
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2020/09/02"
ecs_version = ["1.6.0"]
maturity = "production"
maturity = "development"
updated_date = "2020/10/27"
[rule]
@@ -24,6 +24,7 @@ type = "eql"
query = '''
/* add winlogbeat-* when process.code_signature.* fields are populated */
/* still needs testing, applicable binary was not available on test machine */
sequence with maxspan=1m
[process where event.type in ("start", "process_started") and process.name : "sdclt.exe" and