diff --git a/.github/workflows/lock-versions.yml b/.github/workflows/lock-versions.yml index 6547292b9..85e6c68cf 100644 --- a/.github/workflows/lock-versions.yml +++ b/.github/workflows/lock-versions.yml @@ -6,7 +6,7 @@ on: description: 'List of branches to lock versions (ordered, comma separated)' required: true # 7.17 was intentionally skipped because it was added late and was bug fix only - default: '8.14,8.15,8.16,8.17,8.18,9.0' + default: '8.18,8.19,9.0,9.1' jobs: pr: diff --git a/detection_rules/etc/api_schemas/8.19/8.19.base.json b/detection_rules/etc/api_schemas/8.19/8.19.base.json new file mode 100644 index 000000000..000d9dccf --- /dev/null +++ b/detection_rules/etc/api_schemas/8.19/8.19.base.json 
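Review bot: The context comment kept directly above the changed `default` line still explains only why 7.17 is absent, but the new default also drops 8.14–8.17, so the comment no longer matches the list it annotates. Because this default decides which release branches receive version-lock PRs, the reason those branches fall out (presumably they no longer receive rule updates — confirm) belongs next to it, e.g. `# Only branches still receiving rule updates; 7.17 was intentionally skipped (added late, bug-fix only) and 8.14-8.17 have been dropped`. The enclosing `on: workflow_dispatch: inputs:` block starts outside the hunk.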
@@ -0,0 +1,431 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": 
"8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": 
"^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "esql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.19/8.19.eql.json b/detection_rules/etc/api_schemas/8.19/8.19.eql.json new file mode 100644 index 000000000..3f8af8475 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.19/8.19.eql.json 
@@ -0,0 +1,510 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "event_category_override": { + "min_compat": "8.0", + "type": [ + "string" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + 
"additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + 
"min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "tiebreaker_field": { + 
"min_compat": "8.0", + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": [ + "string" + ] + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.19/8.19.esql.json b/detection_rules/etc/api_schemas/8.19/8.19.esql.json new file mode 100644 index 000000000..dc5f6f138 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.19/8.19.esql.json 
@@ -0,0 +1,492 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "esql" + ], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + 
"high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] 
+ }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "esql" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.19/8.19.machine_learning.json b/detection_rules/etc/api_schemas/8.19/8.19.machine_learning.json new file mode 100644 index 000000000..c86efac22 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.19/8.19.machine_learning.json 
@@ -0,0 +1,486 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "anomaly_threshold": { + "type": "integer" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + 
], + "type": "object" + }, + "license": { + "type": [ + "string" + ] + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], 
+ "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + 
}, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.19/8.19.new_terms.json b/detection_rules/etc/api_schemas/8.19/8.19.new_terms.json new file mode 100644 index 000000000..a2c679c8e --- /dev/null +++ b/detection_rules/etc/api_schemas/8.19/8.19.new_terms.json 
@@ -0,0 +1,532 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "value": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "history_window_start" + ], + "type": "object" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + 
"field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": 
"^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "new_terms", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.19/8.19.query.json b/detection_rules/etc/api_schemas/8.19/8.19.query.json new file mode 100644 index 000000000..651aad608 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.19/8.19.query.json 
@@ -0,0 +1,496 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + 
"severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + 
"timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.19/8.19.threat_match.json b/detection_rules/etc/api_schemas/8.19/8.19.threat_match.json new file mode 100644 index 000000000..c2d5fd189 --- /dev/null +++ b/detection_rules/etc/api_schemas/8.19/8.19.threat_match.json 
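Review bot: The `reference` patterns under `threat.tactic`, `threat.technique` and `subtechnique` leave the dots in `attack.mitre.org` unescaped, so `.` matches any character and a host such as `attack-mitre-org` satisfies the regex; the same three patterns recur in the 8.19 threat_match, 8.19 threshold, 9.1 base and 9.1 eql hunks. The intended anchors are `"^https://attack\\.mitre\\.org/tactics/TA[0-9]+/$"`, `"^https://attack\\.mitre\\.org/techniques/T[0-9]+/$"` and `"^https://attack\\.mitre\\.org/techniques/T[0-9]+/[0-9]+/$"` (JSON-escaped backslashes). These files appear to be generated from the project's schema definitions (draft-04, empty `enumNames`, `min_compat` annotations), so the pattern should be corrected at its source and the files regenerated rather than hand-edited. Since the reference URL is carried into rule metadata and alert output, a tighter pattern is cheap assurance that only the expected host is accepted.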
@@ -0,0 +1,577 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + 
"severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + 
}, + "type": "object" + }, + "type": [ + "array" + ] + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": [ + "string" + ] + }, + "threat_language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": [ + "string" + ] + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": [ + "string" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/8.19/8.19.threshold.json b/detection_rules/etc/api_schemas/8.19/8.19.threshold.json new file mode 100644 index 000000000..3fefec3cf --- /dev/null +++ b/detection_rules/etc/api_schemas/8.19/8.19.threshold.json 
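Review bot: The `threat_mapping.entries` item schema declares only `field` and `type`, with `additionalProperties` false and `required` listing just `type`, so an entry carrying a `value` key — which a threat-match mapping entry in the Kibana API normally has alongside `field` — would be rejected, while an entry missing `field` would be accepted. If the existing 8.18 threat_match schema defines `value` here, this is likely a generator regression rather than an intended change and is worth diffing before the version is locked. The probable fix, once confirmed against the source dataclass, is adding `"value": { "minLength": 1, "type": "string" }` to the entry properties and listing `field` and `value` in its `required` array.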
@@ -0,0 +1,522 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + } + }, + "required": [ + "duration" + ], + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": 
"string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + 
"field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "field": { + 
"items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "type": "array" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "type": "object" + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.1/9.1.base.json b/detection_rules/etc/api_schemas/9.1/9.1.base.json new file mode 100644 index 000000000..000d9dccf --- /dev/null +++ b/detection_rules/etc/api_schemas/9.1/9.1.base.json 
@@ -0,0 +1,431 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": 
"8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": 
"^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "query", + "saved_query", + "machine_learning", + "eql", + "esql", + "threshold", + "threat_match", + "new_terms" + ], + "enumNames": [], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.1/9.1.eql.json b/detection_rules/etc/api_schemas/9.1/9.1.eql.json new file mode 100644 index 000000000..3f8af8475 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.1/9.1.eql.json 
@@ -0,0 +1,510 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "event_category_override": { + "min_compat": "8.0", + "type": [ + "string" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + 
"additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql" + ], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + 
"min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "tiebreaker_field": { + 
"min_compat": "8.0", + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_field": { + "min_compat": "8.0", + "type": [ + "string" + ] + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "eql" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.1/9.1.esql.json b/detection_rules/etc/api_schemas/9.1/9.1.esql.json new file mode 100644 index 000000000..dc5f6f138 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.1/9.1.esql.json 
@@ -0,0 +1,492 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "esql" + ], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + 
"high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] 
+ }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "esql" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.1/9.1.machine_learning.json b/detection_rules/etc/api_schemas/9.1/9.1.machine_learning.json new file mode 100644 index 000000000..c86efac22 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.1/9.1.machine_learning.json 
@@ -0,0 +1,486 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "anomaly_threshold": { + "type": "integer" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + 
], + "type": "object" + }, + "license": { + "type": [ + "string" + ] + }, + "machine_learning_job_id": { + "anyOf": [ + { + "type": "string" + }, + { + "items": { + "type": "string" + }, + "type": "array" + } + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], 
+ "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + 
}, + "type": { + "enum": [ + "machine_learning" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "anomaly_threshold", + "author", + "description", + "machine_learning_job_id", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.1/9.1.new_terms.json b/detection_rules/etc/api_schemas/9.1/9.1.new_terms.json new file mode 100644 index 000000000..a2c679c8e --- /dev/null +++ b/detection_rules/etc/api_schemas/9.1/9.1.new_terms.json 
@@ -0,0 +1,532 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "new_terms": { + "additionalProperties": false, + "properties": { + "field": { + "minLength": 1, + "type": "string" + }, + "history_window_start": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "value": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + } + }, + "required": [ + "history_window_start" + ], + "type": "object" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + 
"field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": 
"^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "new_terms" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "new_terms", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.1/9.1.query.json b/detection_rules/etc/api_schemas/9.1/9.1.query.json new file mode 100644 index 000000000..651aad608 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.1/9.1.query.json 
@@ -0,0 +1,496 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + 
"severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + 
"timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "query" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.1/9.1.threat_match.json b/detection_rules/etc/api_schemas/9.1/9.1.threat_match.json new file mode 100644 index 000000000..c2d5fd189 --- /dev/null +++ b/detection_rules/etc/api_schemas/9.1/9.1.threat_match.json 
@@ -0,0 +1,577 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "additionalProperties": false, + "properties": { + "actions": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "alert_suppression": { + "additionalProperties": false, + "properties": { + "duration": { + "additionalProperties": false, + "properties": { + "unit": { + "enum": [ + "s", + "m", + "h" + ], + "enumNames": [], + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "unit" + ], + "type": "object" + }, + "group_by": { + "items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "minItems": 1, + "type": "array" + }, + "missing_fields_strategy": { + "enum": [ + "suppress", + "doNotSuppress" + ], + "enumNames": [], + "type": "string" + } + }, + "type": "object" + }, + "author": { + "items": { + "type": "string" + }, + "type": "array" + }, + "building_block_type": { + "enum": [ + "default" + ], + "type": [ + "string" + ] + }, + "data_view_id": { + "type": [ + "string" + ] + }, + "description": { + "type": "string" + }, + "enabled": { + "type": [ + "boolean" + ] + }, + "exceptions_list": { + "items": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "false_positives": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" + }, + "type": [ + "array" + ] + }, + "from": { + "type": [ + "string" + ] + }, + "index": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "interval": { + "pattern": "^\\d+[mshd]$", + "type": "string" + }, + "investigation_fields": { + "additionalProperties": false, + "properties": { + "field_names": { + "items": { + "minLength": 1, + 
"type": "string" + }, + "type": "array" + } + }, + "required": [ + "field_names" + ], + "type": "object" + }, + "language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": "string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + 
"severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "threat_filters": { + "items": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + 
}, + "type": "object" + }, + "type": [ + "array" + ] + }, + "threat_index": { + "items": { + "type": "string" + }, + "type": "array" + }, + "threat_indicator_path": { + "type": [ + "string" + ] + }, + "threat_language": { + "enum": [ + "eql", + "esql", + "kuery", + "lucene" + ], + "enumNames": [], + "type": [ + "string" + ] + }, + "threat_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "entries": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "minLength": 1, + "type": "string" + }, + "type": { + "enum": [ + "mapping" + ], + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "entries" + ], + "type": "object" + }, + "type": "array" + }, + "threat_query": { + "type": [ + "string" + ] + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "threat_match" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "threat_index", + "threat_mapping", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/9.1/9.1.threshold.json b/detection_rules/etc/api_schemas/9.1/9.1.threshold.json new file mode 100644 index 000000000..3fefec3cf --- /dev/null +++ b/detection_rules/etc/api_schemas/9.1/9.1.threshold.json 
@@ -0,0 +1,522 @@
+{
+ "$schema": "http://json-schema.org/draft-04/schema#",
+ "additionalProperties": false,
+ "properties": {
+ "actions": {
+ "items": {
+ "additionalProperties": {
+ "type": [
+ "string",
+ "number",
+ "object",
+ "array",
+ "boolean"
+ ]
+ },
+ "type": "object"
+ },
+ "type": [
+ "array"
+ ]
+ },
+ "alert_suppression": {
+ "additionalProperties": false,
+ "properties": {
+ "duration": {
+ "additionalProperties": false,
+ "properties": {
+ "unit": {
+ "enum": [
+ "s",
+ "m",
+ "h"
+ ],
+ "enumNames": [],
+ "type": "string"
+ },
+ "value": {
+ "minimum": 1,
+ "type": "integer"
+ }
+ },
+ "required": [
+ "unit"
+ ],
+ "type": "object"
+ }
+ },
+ "required": [
+ "duration"
+ ],
+ "type": "object"
+ },
+ "author": {
+ "items": {
+ "type": "string"
+ },
+ "type": "array"
+ },
+ "building_block_type": {
+ "enum": [
+ "default"
+ ],
+ "type": [
+ "string"
+ ]
+ },
+ "data_view_id": {
+ "type": [
+ "string"
+ ]
+ },
+ "description": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": [
+ "boolean"
+ ]
+ },
+ "exceptions_list": {
+ "items": {
+ "additionalProperties": {
+ "type": "string"
+ },
+ "type": "object"
+ },
+ "type": [
+ "array"
+ ]
+ },
+ "false_positives": {
+ "items": {
+ "type": "string"
+ },
+ "type": [
+ "array"
+ ]
+ },
+ "filters": {
+ "items": {
+ "additionalProperties": {
+ "type": [
+ "string",
+ "number",
+ "object",
+ "array",
+ "boolean"
+ ]
+ },
+ "type": "object"
+ },
+ "type": [
+ "array"
+ ]
+ },
+ "from": {
+ "type": [
+ "string"
+ ]
+ },
+ "index": {
+ "items": {
+ "type": "string"
+ },
+ "type": [
+ "array"
+ ]
+ },
+ "interval": {
+ "pattern": "^\\d+[mshd]$",
+ "type": "string"
+ },
+ "investigation_fields": {
+ "additionalProperties": false,
+ "properties": {
+ "field_names": {
+ "items": {
+ "minLength": 1,
+ "type": "string"
+ },
+ "type": "array"
+ }
+ },
+ "required": [
+ "field_names"
+ ],
+ "type": "object"
+ },
+ "language": {
+ "enum": [
+ "eql",
+ "esql",
+ "kuery",
+ "lucene"
+ ],
+ "enumNames": [],
+ "type": 
"string" + }, + "license": { + "type": [ + "string" + ] + }, + "max_signals": { + "minimum": 1, + "type": "integer" + }, + "meta": { + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": [ + "object" + ] + }, + "name": { + "type": "string" + }, + "note": { + "description": "Markdown", + "type": [ + "string" + ] + }, + "query": { + "type": "string" + }, + "references": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "related_integrations": { + "items": { + "additionalProperties": false, + "properties": { + "package": { + "minLength": 1, + "type": "string" + } + }, + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "required_fields": { + "items": { + "additionalProperties": false, + "properties": { + "ecs": { + "type": "boolean" + }, + "name": { + "minLength": 1, + "type": "string" + } + }, + "required": [ + "ecs" + ], + "type": "object" + }, + "min_compat": "8.3", + "type": [ + "array" + ] + }, + "revision": { + "min_compat": "8.8", + "type": [ + "integer" + ] + }, + "risk_score": { + "maximum": 100, + "minimum": 1, + "type": "integer" + }, + "risk_score_mapping": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "rule_id": { + "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", + "type": "string" + }, + "rule_name_override": { + "type": [ + "string" + ] + }, + "setup": { + "description": "Markdown", + "min_compat": "8.3", + "type": [ + "string" + ] + }, + "severity": { + "enum": [ + "low", + "medium", + "high", + "critical" + ], + "enumNames": [], + "type": "string" + }, + "severity_mapping": { + "items": { + "additionalProperties": false, + "properties": { + 
"field": { + "type": "string" + }, + "operator": { + "enum": [ + "equals" + ], + "type": [ + "string" + ] + }, + "severity": { + "type": [ + "string" + ] + }, + "value": { + "type": [ + "string" + ] + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "tags": { + "items": { + "type": "string" + }, + "type": [ + "array" + ] + }, + "threat": { + "items": { + "additionalProperties": false, + "properties": { + "framework": { + "enum": [ + "MITRE ATT&CK" + ], + "type": "string" + }, + "tactic": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "technique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", + "type": "string" + }, + "subtechnique": { + "items": { + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "reference": { + "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", + "type": "string" + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "id", + "name" + ], + "type": "object" + }, + "type": [ + "array" + ] + } + }, + "required": [ + "framework", + "tactic" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "threshold": { + "additionalProperties": false, + "properties": { + "cardinality": { + "items": { + "additionalProperties": false, + "properties": { + "field": { + "type": "string" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "field" + ], + "type": "object" + }, + "type": [ + "array" + ] + }, + "field": { + 
"items": { + "minLength": 1, + "type": "string" + }, + "maxItems": 3, + "type": "array" + }, + "value": { + "minimum": 1, + "type": "integer" + } + }, + "type": "object" + }, + "throttle": { + "type": [ + "string" + ] + }, + "timeline_id": { + "type": "string" + }, + "timeline_title": { + "type": "string" + }, + "timestamp_override": { + "type": [ + "string" + ] + }, + "to": { + "type": [ + "string" + ] + }, + "type": { + "enum": [ + "threshold" + ], + "type": "string" + }, + "version": { + "minimum": 1, + "type": "integer" + } + }, + "required": [ + "author", + "description", + "language", + "query", + "severity", + "threshold", + "type" + ], + "type": "object" +} \ No newline at end of file diff --git a/detection_rules/etc/api_schemas/master/master.base.json b/detection_rules/etc/api_schemas/master/master.base.json index 23138b136..000d9dccf 100644 --- a/detection_rules/etc/api_schemas/master/master.base.json +++ b/detection_rules/etc/api_schemas/master/master.base.json @@ -4,15 +4,20 @@ "properties": { "actions": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "author": { "items": { @@ -24,31 +29,36 @@ "enum": [ "default" ], - "type": "string" + "type": [ + "string" + ] }, "description": { "type": "string" }, "enabled": { - "type": "boolean" + "type": [ + "boolean" + ] }, "exceptions_list": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": "string" + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "false_positives": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "filters": { "items": { 
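Review bot: The new `threshold` object in 9.1.threshold.json has no `required` list, so `"threshold": {}` satisfies this schema even though `threshold` is mandatory at the top level and the rule type presumably cannot run without a `value`; adding `"required": ["value"]` next to its `"type": "object"` would pin that, and `alert_suppression.duration` likewise requires only `unit`, not `value`. The top-level `required` list also omits `rule_id`, `name` and `risk_score`, matching the drop made to the master schemas later in this commit, so a rule missing its identifier or score passes the 9.1 check. `"enumNames": []` is not a draft-04 keyword and validators ignore it; it is harmless noise that could be dropped if the generator allows. If this file is produced by the schema generator rather than edited by hand, the fix belongs in the generator.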
@@ -63,13 +73,16 @@ }, "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "from": { - "type": "string" + "type": [ + "string" + ] }, "interval": { - "description": "Interval", "pattern": "^\\d+[mshd]$", "type": "string" }, @@ -78,7 +91,6 @@ "properties": { "field_names": { "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -91,10 +103,11 @@ "type": "object" }, "license": { - "type": "string" + "type": [ + "string" + ] }, "max_signals": { - "description": "MaxSignals", "minimum": 1, "type": "integer" }, @@ -108,50 +121,42 @@ "boolean" ] }, - "type": "object" + "type": [ + "object" + ] }, "name": { - "description": "RuleName", "type": "string" }, "note": { - "description": "MarkdownField", - "type": "string" + "description": "Markdown", + "type": [ + "string" + ] }, "references": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "related_integrations": { "items": { "additionalProperties": false, "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "required_fields": { "items": { @@ -161,32 +166,27 @@ "type": "boolean" }, "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "revision": { "min_compat": "8.8", - "type": "integer" + "type": [ + "integer" + ] }, "risk_score": { - "description": "MaxSignals", "maximum": 100, "minimum": 1, "type": "integer" 
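Review bot: In the `@@ -108,50 +121,42 @@` hunk of master.base.json the `related_integrations` item keeps `"additionalProperties": false` but loses its `integration` and `version` properties, so any rule that records an integration version now fails validation instead of being checked more loosely; the same happens to `type` in the `required_fields` item in the `@@ -161` hunk. The `required` arrays are dropped at the same time (`package`/`version` here, `name`/`type` below, threat `reference` in `@@ -291` and `@@ -329` on the next line, and top-level `name`, `risk_score`, `rule_id` in `@@ -402`), so the surviving keys are no longer mandatory either. If the goal was only to stop emitting the dataclass type names in `description`, the property definitions and the `required` lists should survive, e.g. `"required": ["package", "version"]` on the integration item and `"required": ["ecs", "name", "type"]` on the required-field item. The same changes recur in master.eql.json, master.esql.json, master.machine_learning.json and master.new_terms.json further down; if these files are regenerated from the Python schemas, the regression is in the generator rather than in the JSON. Each hunk's enclosing `properties` object starts and ends outside it.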
@@ -202,10 +202,14 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -213,20 +217,25 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "rule_id": { - "description": "UUIDString", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", "type": "string" }, "rule_name_override": { - "type": "string" + "type": [ + "string" + ] }, "setup": { - "description": "MarkdownField", + "description": "Markdown", "min_compat": "8.3", - "type": "string" + "type": [ + "string" + ] }, "severity": { "enum": [ @@ -249,13 +258,19 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "severity": { - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -263,13 +278,17 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "tags": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "threat": { "items": { @@ -291,15 +310,13 @@ "type": "string" }, "reference": { - "description": "TacticURL", "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -314,7 +331,6 @@ "type": "string" }, "reference": { - "description": "TechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, @@ -329,29 +345,30 @@ "type": "string" }, "reference": { - "description": "SubTechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ 
@@ -360,24 +377,30 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "throttle": { - "type": "string" + "type": [ + "string" + ] }, "timeline_id": { - "description": "TimelineTemplateId", "type": "string" }, "timeline_title": { - "description": "TimelineTemplateTitle", "type": "string" }, "timestamp_override": { - "type": "string" + "type": [ + "string" + ] }, "to": { - "type": "string" + "type": [ + "string" + ] }, "type": { "enum": [ @@ -394,7 +417,6 @@ "type": "string" }, "version": { - "description": "PositiveInteger", "minimum": 1, "type": "integer" } @@ -402,9 +424,6 @@ "required": [ "author", "description", - "name", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.eql.json b/detection_rules/etc/api_schemas/master/master.eql.json index 30f489eed..3f8af8475 100644 --- a/detection_rules/etc/api_schemas/master/master.eql.json +++ b/detection_rules/etc/api_schemas/master/master.eql.json @@ -4,15 +4,20 @@ "properties": { "actions": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "alert_suppression": { "additionalProperties": false, @@ -30,21 +35,17 @@ "type": "string" }, "value": { - "description": "AlertSupressionValue", "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { - "description": "AlertSuppressionGroupBy", "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -53,7 +54,6 @@ "type": "array" }, "missing_fields_strategy": { - "description": "AlertSuppressionMissing", "enum": [ "suppress", "doNotSuppress" @@ -62,10 +62,6 @@ "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { 
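Review bot: In `@@ -30,21 +35,17 @@` and `@@ -62,10 +62,6 @@` of master.eql.json, `alert_suppression` stops requiring `group_by` and `missing_fields_strategy`, and `duration` stops requiring `value`, so `"alert_suppression": {"duration": {"unit": "m"}}` now validates although it names no field to suppress on and no duration length. Keeping `"required": ["group_by", "missing_fields_strategy"]` on the suppression object and `"required": ["unit", "value"]` on `duration` would preserve the check. The same relaxation is repeated in master.esql.json, master.machine_learning.json and master.new_terms.json below. The `alert_suppression` object itself opens in the preceding `@@ -4` hunk, so these two hunks each cover only part of it.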
@@ -78,38 +74,47 @@ "enum": [ "default" ], - "type": "string" + "type": [ + "string" + ] }, "data_view_id": { - "type": "string" + "type": [ + "string" + ] }, "description": { "type": "string" }, "enabled": { - "type": "boolean" + "type": [ + "boolean" + ] }, "event_category_override": { "min_compat": "8.0", - "type": "string" + "type": [ + "string" + ] }, "exceptions_list": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": "string" + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "false_positives": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "filters": { "items": { @@ -124,19 +129,24 @@ }, "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "from": { - "type": "string" + "type": [ + "string" + ] }, "index": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "interval": { - "description": "Interval", "pattern": "^\\d+[mshd]$", "type": "string" }, @@ -145,7 +155,6 @@ "properties": { "field_names": { "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -164,10 +173,11 @@ "type": "string" }, "license": { - "type": "string" + "type": [ + "string" + ] }, "max_signals": { - "description": "MaxSignals", "minimum": 1, "type": "integer" }, @@ -181,15 +191,18 @@ "boolean" ] }, - "type": "object" + "type": [ + "object" + ] }, "name": { - "description": "RuleName", "type": "string" }, "note": { - "description": "MarkdownField", - "type": "string" + "description": "Markdown", + "type": [ + "string" + ] }, "query": { "type": "string" 
@@ -198,36 +211,25 @@ "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "related_integrations": { "items": { "additionalProperties": false, "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "required_fields": { "items": { @@ -237,32 +239,27 @@ "type": "boolean" }, "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "revision": { "min_compat": "8.8", - "type": "integer" + "type": [ + "integer" + ] }, "risk_score": { - "description": "MaxSignals", "maximum": 100, "minimum": 1, "type": "integer" @@ -278,10 +275,14 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -289,20 +290,25 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "rule_id": { - "description": "UUIDString", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", "type": "string" }, "rule_name_override": { - "type": "string" + "type": [ + "string" + ] }, "setup": { - "description": "MarkdownField", + "description": "Markdown", "min_compat": "8.3", - "type": "string" + "type": [ + "string" + ] }, "severity": { "enum": [ 
@@ -325,13 +331,19 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "severity": { - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -339,13 +351,17 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "tags": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "threat": { "items": { @@ -367,15 +383,13 @@ "type": "string" }, "reference": { - "description": "TacticURL", "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -390,7 +404,6 @@ "type": "string" }, "reference": { - "description": "TechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, @@ -405,29 +418,30 @@ "type": "string" }, "reference": { - "description": "SubTechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ @@ -436,32 +450,42 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "throttle": { - "type": "string" + "type": [ + "string" + ] }, "tiebreaker_field": { "min_compat": "8.0", - "type": "string" + "type": [ + "string" + ] }, "timeline_id": { - "description": "TimelineTemplateId", "type": "string" }, "timeline_title": { - "description": "TimelineTemplateTitle", "type": "string" }, "timestamp_field": { "min_compat": "8.0", - "type": "string" + "type": [ + "string" + ] }, "timestamp_override": { - "type": "string" + "type": [ + "string" + ] }, "to": { - "type": "string" + "type": [ + "string" + ] }, "type": { "enum": [ 
@@ -470,7 +494,6 @@ "type": "string" }, "version": { - "description": "PositiveInteger", "minimum": 1, "type": "integer" } @@ -479,10 +502,7 @@ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.esql.json b/detection_rules/etc/api_schemas/master/master.esql.json index b3e42f35b..dc5f6f138 100644 --- a/detection_rules/etc/api_schemas/master/master.esql.json +++ b/detection_rules/etc/api_schemas/master/master.esql.json @@ -4,15 +4,20 @@ "properties": { "actions": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "alert_suppression": { "additionalProperties": false, @@ -30,21 +35,17 @@ "type": "string" }, "value": { - "description": "AlertSupressionValue", "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { - "description": "AlertSuppressionGroupBy", "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -53,7 +54,6 @@ "type": "array" }, "missing_fields_strategy": { - "description": "AlertSuppressionMissing", "enum": [ "suppress", "doNotSuppress" @@ -62,10 +62,6 @@ "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { 
@@ -78,34 +74,41 @@ "enum": [ "default" ], - "type": "string" + "type": [ + "string" + ] }, "data_view_id": { - "type": "string" + "type": [ + "string" + ] }, "description": { "type": "string" }, "enabled": { - "type": "boolean" + "type": [ + "boolean" + ] }, "exceptions_list": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": "string" + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "false_positives": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "filters": { "items": { @@ -120,19 +123,24 @@ }, "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "from": { - "type": "string" + "type": [ + "string" + ] }, "index": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "interval": { - "description": "Interval", "pattern": "^\\d+[mshd]$", "type": "string" }, @@ -141,7 +149,6 @@ "properties": { "field_names": { "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -160,10 +167,11 @@ "type": "string" }, "license": { - "type": "string" + "type": [ + "string" + ] }, "max_signals": { - "description": "MaxSignals", "minimum": 1, "type": "integer" }, @@ -177,15 +185,18 @@ "boolean" ] }, - "type": "object" + "type": [ + "object" + ] }, "name": { - "description": "RuleName", "type": "string" }, "note": { - "description": "MarkdownField", - "type": "string" + "description": "Markdown", + "type": [ + "string" + ] }, "query": { "type": "string" 
@@ -194,36 +205,25 @@ "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "related_integrations": { "items": { "additionalProperties": false, "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "required_fields": { "items": { @@ -233,32 +233,27 @@ "type": "boolean" }, "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "revision": { "min_compat": "8.8", - "type": "integer" + "type": [ + "integer" + ] }, "risk_score": { - "description": "MaxSignals", "maximum": 100, "minimum": 1, "type": "integer" @@ -274,10 +269,14 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -285,20 +284,25 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "rule_id": { - "description": "UUIDString", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", "type": "string" }, "rule_name_override": { - "type": "string" + "type": [ + "string" + ] }, "setup": { - "description": "MarkdownField", + "description": "Markdown", "min_compat": "8.3", - "type": "string" + "type": [ + "string" + ] }, "severity": { "enum": [ 
@@ -321,13 +325,19 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "severity": { - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -335,13 +345,17 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "tags": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "threat": { "items": { @@ -363,15 +377,13 @@ "type": "string" }, "reference": { - "description": "TacticURL", "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -386,7 +398,6 @@ "type": "string" }, "reference": { - "description": "TechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, @@ -401,29 +412,30 @@ "type": "string" }, "reference": { - "description": "SubTechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ @@ -432,24 +444,30 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "throttle": { - "type": "string" + "type": [ + "string" + ] }, "timeline_id": { - "description": "TimelineTemplateId", "type": "string" }, "timeline_title": { - "description": "TimelineTemplateTitle", "type": "string" }, "timestamp_override": { - "type": "string" + "type": [ + "string" + ] }, "to": { - "type": "string" + "type": [ + "string" + ] }, "type": { "enum": [ @@ -458,7 +476,6 @@ "type": "string" }, "version": { - "description": "PositiveInteger", "minimum": 1, "type": "integer" } 
@@ -467,10 +484,7 @@ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.machine_learning.json b/detection_rules/etc/api_schemas/master/master.machine_learning.json index 7b1b42c22..c86efac22 100644 --- a/detection_rules/etc/api_schemas/master/master.machine_learning.json +++ b/detection_rules/etc/api_schemas/master/master.machine_learning.json @@ -4,15 +4,20 @@ "properties": { "actions": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "alert_suppression": { "additionalProperties": false, @@ -30,21 +35,17 @@ "type": "string" }, "value": { - "description": "AlertSupressionValue", "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { - "description": "AlertSuppressionGroupBy", "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -53,7 +54,6 @@ "type": "array" }, "missing_fields_strategy": { - "description": "AlertSuppressionMissing", "enum": [ "suppress", "doNotSuppress" @@ -62,10 +62,6 @@ "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "anomaly_threshold": { @@ -81,31 +77,36 @@ "enum": [ "default" ], - "type": "string" + "type": [ + "string" + ] }, "description": { "type": "string" }, "enabled": { - "type": "boolean" + "type": [ + "boolean" + ] }, "exceptions_list": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": "string" + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "false_positives": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "filters": { "items": { 
@@ -120,13 +121,16 @@ }, "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "from": { - "type": "string" + "type": [ + "string" + ] }, "interval": { - "description": "Interval", "pattern": "^\\d+[mshd]$", "type": "string" }, @@ -135,7 +139,6 @@ "properties": { "field_names": { "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -148,7 +151,9 @@ "type": "object" }, "license": { - "type": "string" + "type": [ + "string" + ] }, "machine_learning_job_id": { "anyOf": [ @@ -164,7 +169,6 @@ ] }, "max_signals": { - "description": "MaxSignals", "minimum": 1, "type": "integer" }, @@ -178,50 +182,42 @@ "boolean" ] }, - "type": "object" + "type": [ + "object" + ] }, "name": { - "description": "RuleName", "type": "string" }, "note": { - "description": "MarkdownField", - "type": "string" + "description": "Markdown", + "type": [ + "string" + ] }, "references": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "related_integrations": { "items": { "additionalProperties": false, "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "required_fields": { "items": { 
@@ -231,32 +227,27 @@ "type": "boolean" }, "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "revision": { "min_compat": "8.8", - "type": "integer" + "type": [ + "integer" + ] }, "risk_score": { - "description": "MaxSignals", "maximum": 100, "minimum": 1, "type": "integer" @@ -272,10 +263,14 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -283,20 +278,25 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "rule_id": { - "description": "UUIDString", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", "type": "string" }, "rule_name_override": { - "type": "string" + "type": [ + "string" + ] }, "setup": { - "description": "MarkdownField", + "description": "Markdown", "min_compat": "8.3", - "type": "string" + "type": [ + "string" + ] }, "severity": { "enum": [ @@ -319,13 +319,19 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "severity": { - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -333,13 +339,17 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "tags": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "threat": { "items": { @@ -361,15 +371,13 @@ "type": "string" }, "reference": { - "description": "TacticURL", "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, 
@@ -384,7 +392,6 @@ "type": "string" }, "reference": { - "description": "TechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, @@ -399,29 +406,30 @@ "type": "string" }, "reference": { - "description": "SubTechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ @@ -430,24 +438,30 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "throttle": { - "type": "string" + "type": [ + "string" + ] }, "timeline_id": { - "description": "TimelineTemplateId", "type": "string" }, "timeline_title": { - "description": "TimelineTemplateTitle", "type": "string" }, "timestamp_override": { - "type": "string" + "type": [ + "string" + ] }, "to": { - "type": "string" + "type": [ + "string" + ] }, "type": { "enum": [ @@ -456,7 +470,6 @@ "type": "string" }, "version": { - "description": "PositiveInteger", "minimum": 1, "type": "integer" } @@ -466,9 +479,6 @@ "author", "description", "machine_learning_job_id", - "name", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.new_terms.json b/detection_rules/etc/api_schemas/master/master.new_terms.json index c0d7d437f..a2c679c8e 100644 --- a/detection_rules/etc/api_schemas/master/master.new_terms.json +++ b/detection_rules/etc/api_schemas/master/master.new_terms.json 
@@ -4,15 +4,20 @@ "properties": { "actions": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "alert_suppression": { "additionalProperties": false, @@ -30,21 +35,17 @@ "type": "string" }, "value": { - "description": "AlertSupressionValue", "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { - "description": "AlertSuppressionGroupBy", "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -53,7 +54,6 @@ "type": "array" }, "missing_fields_strategy": { - "description": "AlertSuppressionMissing", "enum": [ "suppress", "doNotSuppress" @@ -62,10 +62,6 @@ "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { @@ -78,34 +74,41 @@ "enum": [ "default" ], - "type": "string" + "type": [ + "string" + ] }, "data_view_id": { - "type": "string" + "type": [ + "string" + ] }, "description": { "type": "string" }, "enabled": { - "type": "boolean" + "type": [ + "boolean" + ] }, "exceptions_list": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": "string" + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "false_positives": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "filters": { "items": { @@ -120,19 +123,24 @@ }, "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "from": { - "type": "string" + "type": [ + "string" + ] }, "index": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "interval": { - "description": "Interval", "pattern": "^\\d+[mshd]$", "type": "string" }, 
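Review bot: The `alert_suppression` object in master.new_terms.json no longer requires `group_by` or `missing_fields_strategy` (the `required` block is deleted in `@@ -62,10 +62,6 @@`), and `duration` no longer requires `value` (`@@ -30,21 +35,17 @@`), so `"alert_suppression": {}` or a duration carrying only a `unit` now validates. A suppression block with no grouping field and a duration with no magnitude are not meaningful configurations, so the schema stops catching a mistake it previously caught; the same hunks appear in master.query.json (L82) and master.threat_match.json (L86), and the `duration` part in master.threshold.json (L89). Restore `"required": ["group_by", "missing_fields_strategy"]` and `"required": ["unit", "value"]` unless the relaxation is deliberate.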
@@ -141,7 +149,6 @@ "properties": { "field_names": { "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -164,10 +171,11 @@ "type": "string" }, "license": { - "type": "string" + "type": [ + "string" + ] }, "max_signals": { - "description": "MaxSignals", "minimum": 1, "type": "integer" }, @@ -181,17 +189,17 @@ "boolean" ] }, - "type": "object" + "type": [ + "object" + ] }, "name": { - "description": "RuleName", "type": "string" }, "new_terms": { "additionalProperties": false, "properties": { "field": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -200,28 +208,16 @@ "additionalProperties": false, "properties": { "field": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "value": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, - "required": [ - "field", - "value" - ], "type": "object" }, "type": "array" }, "value": { - "description": "NewTermsFields", "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -231,15 +227,15 @@ } }, "required": [ - "field", - "history_window_start", - "value" + "history_window_start" ], "type": "object" }, "note": { - "description": "MarkdownField", - "type": "string" + "description": "Markdown", + "type": [ + "string" + ] }, "query": { "type": "string" @@ -248,36 +244,25 @@ "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "related_integrations": { "items": { "additionalProperties": false, "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "required_fields": { "items": { 
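Review bot: In `@@ -200,28 +208,16 @@`, the items of the array property inside `new_terms` (its key is outside the hunk; the `required` list two hunks later suggests `history_window_start`) keep `additionalProperties: false` but lose their `value` property and their `required` list, and `new_terms` itself stops requiring `field` and `value` in `@@ -231,15 +227,15 @@`. An entry that still supplies `value` will therefore be rejected, while a `new_terms` block with no `field` or `value` at all will pass, which inverts what this schema should be checking. Restore the `value` property with `"minLength": 1, "type": "string"` and both `required` lists unless the rule data model really changed.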
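Review bot: In `@@ -248,36 +244,25 @@` the `related_integrations` item schema keeps `additionalProperties: false` but drops the `integration` and `version` properties and its `required` list, so any rule that records the integration version it was tested against (which the previous schema required of every entry) will now be rejected, and an empty `{}` entry will pass. The same change is made in master.query.json (L83), master.threat_match.json (L87) and master.threshold.json (L91). Restore the two properties with `"minLength": 1, "type": "string"` and `"required": ["package", "version"]`, or adjust the generator so sibling fields with identical definitions are not collapsed into one.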
@@ -287,32 +272,27 @@ "type": "boolean" }, "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "revision": { "min_compat": "8.8", - "type": "integer" + "type": [ + "integer" + ] }, "risk_score": { - "description": "MaxSignals", "maximum": 100, "minimum": 1, "type": "integer" @@ -328,10 +308,14 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -339,20 +323,25 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "rule_id": { - "description": "UUIDString", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", "type": "string" }, "rule_name_override": { - "type": "string" + "type": [ + "string" + ] }, "setup": { - "description": "MarkdownField", + "description": "Markdown", "min_compat": "8.3", - "type": "string" + "type": [ + "string" + ] }, "severity": { "enum": [ @@ -375,13 +364,19 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "severity": { - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -389,13 +384,17 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "tags": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "threat": { "items": { @@ -417,15 +416,13 @@ "type": "string" }, "reference": { - "description": "TacticURL", "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, 
@@ -440,7 +437,6 @@ "type": "string" }, "reference": { - "description": "TechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, @@ -455,29 +451,30 @@ "type": "string" }, "reference": { - "description": "SubTechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ @@ -486,24 +483,30 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "throttle": { - "type": "string" + "type": [ + "string" + ] }, "timeline_id": { - "description": "TimelineTemplateId", "type": "string" }, "timeline_title": { - "description": "TimelineTemplateTitle", "type": "string" }, "timestamp_override": { - "type": "string" + "type": [ + "string" + ] }, "to": { - "type": "string" + "type": [ + "string" + ] }, "type": { "enum": [ @@ -512,7 +515,6 @@ "type": "string" }, "version": { - "description": "PositiveInteger", "minimum": 1, "type": "integer" } @@ -521,11 +523,8 @@ "author", "description", "language", - "name", "new_terms", "query", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.query.json b/detection_rules/etc/api_schemas/master/master.query.json index 408c8bbb9..651aad608 100644 --- a/detection_rules/etc/api_schemas/master/master.query.json +++ b/detection_rules/etc/api_schemas/master/master.query.json @@ -4,15 +4,20 @@ "properties": { "actions": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "alert_suppression": { "additionalProperties": false, 
@@ -30,21 +35,17 @@ "type": "string" }, "value": { - "description": "AlertSupressionValue", "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { - "description": "AlertSuppressionGroupBy", "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -53,7 +54,6 @@ "type": "array" }, "missing_fields_strategy": { - "description": "AlertSuppressionMissing", "enum": [ "suppress", "doNotSuppress" @@ -62,10 +62,6 @@ "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { @@ -78,34 +74,41 @@ "enum": [ "default" ], - "type": "string" + "type": [ + "string" + ] }, "data_view_id": { - "type": "string" + "type": [ + "string" + ] }, "description": { "type": "string" }, "enabled": { - "type": "boolean" + "type": [ + "boolean" + ] }, "exceptions_list": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": "string" + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "false_positives": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "filters": { "items": { @@ -120,19 +123,24 @@ }, "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "from": { - "type": "string" + "type": [ + "string" + ] }, "index": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "interval": { - "description": "Interval", "pattern": "^\\d+[mshd]$", "type": "string" }, @@ -141,7 +149,6 @@ "properties": { "field_names": { "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -164,10 +171,11 @@ "type": "string" }, "license": { - "type": "string" + "type": [ + "string" + ] }, "max_signals": { - "description": "MaxSignals", "minimum": 1, "type": "integer" }, 
@@ -181,15 +189,18 @@ "boolean" ] }, - "type": "object" + "type": [ + "object" + ] }, "name": { - "description": "RuleName", "type": "string" }, "note": { - "description": "MarkdownField", - "type": "string" + "description": "Markdown", + "type": [ + "string" + ] }, "query": { "type": "string" @@ -198,36 +209,25 @@ "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "related_integrations": { "items": { "additionalProperties": false, "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "required_fields": { "items": { @@ -237,32 +237,27 @@ "type": "boolean" }, "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "revision": { "min_compat": "8.8", - "type": "integer" + "type": [ + "integer" + ] }, "risk_score": { - "description": "MaxSignals", "maximum": 100, "minimum": 1, "type": "integer" @@ -278,10 +273,14 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ 
@@ -289,20 +288,25 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "rule_id": { - "description": "UUIDString", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", "type": "string" }, "rule_name_override": { - "type": "string" + "type": [ + "string" + ] }, "setup": { - "description": "MarkdownField", + "description": "Markdown", "min_compat": "8.3", - "type": "string" + "type": [ + "string" + ] }, "severity": { "enum": [ @@ -325,13 +329,19 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "severity": { - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -339,13 +349,17 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "tags": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "threat": { "items": { @@ -367,15 +381,13 @@ "type": "string" }, "reference": { - "description": "TacticURL", "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -390,7 +402,6 @@ "type": "string" }, "reference": { - "description": "TechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, @@ -405,29 +416,30 @@ "type": "string" }, "reference": { - "description": "SubTechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ 
@@ -436,24 +448,30 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "throttle": { - "type": "string" + "type": [ + "string" + ] }, "timeline_id": { - "description": "TimelineTemplateId", "type": "string" }, "timeline_title": { - "description": "TimelineTemplateTitle", "type": "string" }, "timestamp_override": { - "type": "string" + "type": [ + "string" + ] }, "to": { - "type": "string" + "type": [ + "string" + ] }, "type": { "enum": [ @@ -462,7 +480,6 @@ "type": "string" }, "version": { - "description": "PositiveInteger", "minimum": 1, "type": "integer" } @@ -471,10 +488,7 @@ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "type" ], diff --git a/detection_rules/etc/api_schemas/master/master.threat_match.json b/detection_rules/etc/api_schemas/master/master.threat_match.json index f10aa0d85..c2d5fd189 100644 --- a/detection_rules/etc/api_schemas/master/master.threat_match.json +++ b/detection_rules/etc/api_schemas/master/master.threat_match.json @@ -4,15 +4,20 @@ "properties": { "actions": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "alert_suppression": { "additionalProperties": false, @@ -30,21 +35,17 @@ "type": "string" }, "value": { - "description": "AlertSupressionValue", "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" }, "group_by": { - "description": "AlertSuppressionGroupBy", "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -53,7 +54,6 @@ "type": "array" }, "missing_fields_strategy": { - "description": "AlertSuppressionMissing", "enum": [ "suppress", "doNotSuppress" 
@@ -62,10 +62,6 @@ "type": "string" } }, - "required": [ - "group_by", - "missing_fields_strategy" - ], "type": "object" }, "author": { @@ -78,39 +74,41 @@ "enum": [ "default" ], - "type": "string" - }, - "concurrent_searches": { - "description": "PositiveInteger", - "minimum": 1, - "type": "integer" + "type": [ + "string" + ] }, "data_view_id": { - "type": "string" + "type": [ + "string" + ] }, "description": { "type": "string" }, "enabled": { - "type": "boolean" + "type": [ + "boolean" + ] }, "exceptions_list": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": "string" + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "false_positives": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "filters": { "items": { @@ -125,19 +123,24 @@ }, "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "from": { - "type": "string" + "type": [ + "string" + ] }, "index": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "interval": { - "description": "Interval", "pattern": "^\\d+[mshd]$", "type": "string" }, @@ -146,7 +149,6 @@ "properties": { "field_names": { "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -158,11 +160,6 @@ ], "type": "object" }, - "items_per_search": { - "description": "PositiveInteger", - "minimum": 1, - "type": "integer" - }, "language": { "enum": [ "eql", @@ -174,10 +171,11 @@ "type": "string" }, "license": { - "type": "string" + "type": [ + "string" + ] }, "max_signals": { - "description": "MaxSignals", "minimum": 1, "type": "integer" }, @@ -191,15 +189,18 @@ "boolean" ] }, - "type": "object" + "type": [ + "object" + ] }, "name": { - "description": "RuleName", "type": "string" }, "note": { - "description": "MarkdownField", - "type": "string" + "description": "Markdown", + "type": [ + "string" + ] }, "query": { "type": "string" 
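Review bot: master.threat_match.json drops the `concurrent_searches` property (`@@ -78,39 +74,41 @@`) and `items_per_search` (`@@ -158,11 +160,6 @@`), and nothing else in the commit replaces them, so if the top-level object keeps `additionalProperties: false` (outside these hunks) indicator-match rules that tune those two settings will fail validation against the master schema. If they are still supported rule fields, restore both with `"minimum": 1, "type": "integer"`; if they were removed on purpose, that is a breaking change for existing rule files and belongs in the commit description.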
@@ -208,36 +209,25 @@ "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "related_integrations": { "items": { "additionalProperties": false, "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "required_fields": { "items": { @@ -247,32 +237,27 @@ "type": "boolean" }, "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "revision": { "min_compat": "8.8", - "type": "integer" + "type": [ + "integer" + ] }, "risk_score": { - "description": "MaxSignals", "maximum": 100, "minimum": 1, "type": "integer" @@ -288,10 +273,14 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -299,20 +288,25 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "rule_id": { - "description": "UUIDString", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", "type": "string" }, "rule_name_override": { - "type": "string" + "type": [ + "string" + ] }, "setup": { - "description": "MarkdownField", + "description": "Markdown", "min_compat": "8.3", - "type": "string" + "type": [ + "string" + ] }, "severity": { "enum": [ 
@@ -335,13 +329,19 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "severity": { - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -349,13 +349,17 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "tags": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "threat": { "items": { @@ -377,15 +381,13 @@ "type": "string" }, "reference": { - "description": "TacticURL", "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -400,7 +402,6 @@ "type": "string" }, "reference": { - "description": "TechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, @@ -415,29 +416,30 @@ "type": "string" }, "reference": { - "description": "SubTechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ @@ -446,7 +448,9 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "threat_filters": { "items": { @@ -461,7 +465,9 @@ }, "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "threat_index": { "items": { @@ -470,7 +476,9 @@ "type": "array" }, "threat_indicator_path": { - "type": "string" + "type": [ + "string" + ] }, "threat_language": { "enum": [ @@ -480,7 +488,9 @@ "lucene" ], "enumNames": [], - "type": "string" + "type": [ + "string" + ] }, "threat_mapping": { "items": { @@ -491,7 +501,6 @@ "additionalProperties": false, "properties": { "field": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, 
@@ -500,17 +509,10 @@ "mapping" ], "type": "string" - }, - "value": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" } }, "required": [ - "field", - "type", - "value" + "type" ], "type": "object" }, @@ -525,24 +527,30 @@ "type": "array" }, "threat_query": { - "type": "string" + "type": [ + "string" + ] }, "throttle": { - "type": "string" + "type": [ + "string" + ] }, "timeline_id": { - "description": "TimelineTemplateId", "type": "string" }, "timeline_title": { - "description": "TimelineTemplateTitle", "type": "string" }, "timestamp_override": { - "type": "string" + "type": [ + "string" + ] }, "to": { - "type": "string" + "type": [ + "string" + ] }, "type": { "enum": [ @@ -551,7 +559,6 @@ "type": "string" }, "version": { - "description": "PositiveInteger", "minimum": 1, "type": "integer" } @@ -560,10 +567,7 @@ "author", "description", "language", - "name", "query", - "risk_score", - "rule_id", "severity", "threat_index", "threat_mapping", diff --git a/detection_rules/etc/api_schemas/master/master.threshold.json b/detection_rules/etc/api_schemas/master/master.threshold.json index 584696214..3fefec3cf 100644 --- a/detection_rules/etc/api_schemas/master/master.threshold.json +++ b/detection_rules/etc/api_schemas/master/master.threshold.json @@ -4,15 +4,20 @@ "properties": { "actions": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": [ + "string", + "number", + "object", + "array", + "boolean" + ] + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "alert_suppression": { "additionalProperties": false, @@ -30,14 +35,12 @@ "type": "string" }, "value": { - "description": "AlertSupressionValue", "minimum": 1, "type": "integer" } }, "required": [ - "unit", - "value" + "unit" ], "type": "object" } 
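Review bot: In `@@ -500,17 +509,10 @@` the `threat_mapping` entry schema loses its `value` property and now requires only `type`, while `additionalProperties: false` is still in force in the preceding hunk on L88, so an entry of the shape the previous schema required (`field`, `type` and `value`, pairing a source field with an indicator field) is now rejected and `{"type": "mapping"}` alone is accepted. That is the opposite of what validation for indicator-match rules should enforce. Restore `"value": {"minLength": 1, "type": "string"}` and `"required": ["field", "type", "value"]`, or fix the generator if it merged the identical `field` and `value` definitions.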
@@ -57,34 +60,41 @@ "enum": [ "default" ], - "type": "string" + "type": [ + "string" + ] }, "data_view_id": { - "type": "string" + "type": [ + "string" + ] }, "description": { "type": "string" }, "enabled": { - "type": "boolean" + "type": [ + "boolean" + ] }, "exceptions_list": { "items": { - "type": [ - "string", - "number", - "object", - "array", - "boolean" - ] + "additionalProperties": { + "type": "string" + }, + "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "false_positives": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "filters": { "items": { @@ -99,19 +109,24 @@ }, "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "from": { - "type": "string" + "type": [ + "string" + ] }, "index": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "interval": { - "description": "Interval", "pattern": "^\\d+[mshd]$", "type": "string" }, @@ -120,7 +135,6 @@ "properties": { "field_names": { "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, @@ -143,10 +157,11 @@ "type": "string" }, "license": { - "type": "string" + "type": [ + "string" + ] }, "max_signals": { - "description": "MaxSignals", "minimum": 1, "type": "integer" }, @@ -160,15 +175,18 @@ "boolean" ] }, - "type": "object" + "type": [ + "object" + ] }, "name": { - "description": "RuleName", "type": "string" }, "note": { - "description": "MarkdownField", - "type": "string" + "description": "Markdown", + "type": [ + "string" + ] }, "query": { "type": "string" 
@@ -177,36 +195,25 @@ "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "related_integrations": { "items": { "additionalProperties": false, "properties": { - "integration": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, "package": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "version": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, - "required": [ - "package", - "version" - ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "required_fields": { "items": { @@ -216,32 +223,27 @@ "type": "boolean" }, "name": { - "description": "NonEmptyStr", - "minLength": 1, - "type": "string" - }, - "type": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" } }, "required": [ - "ecs", - "name", - "type" + "ecs" ], "type": "object" }, "min_compat": "8.3", - "type": "array" + "type": [ + "array" + ] }, "revision": { "min_compat": "8.8", - "type": "integer" + "type": [ + "integer" + ] }, "risk_score": { - "description": "MaxSignals", "maximum": 100, "minimum": 1, "type": "integer" @@ -257,10 +259,14 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -268,20 +274,25 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "rule_id": { - "description": "UUIDString", "pattern": "^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", "type": "string" }, "rule_name_override": { - "type": "string" + "type": [ + "string" + ] }, "setup": { - "description": "MarkdownField", + "description": "Markdown", "min_compat": "8.3", - "type": "string" + "type": [ + "string" + ] }, "severity": { "enum": [ 
@@ -304,13 +315,19 @@ "enum": [ "equals" ], - "type": "string" + "type": [ + "string" + ] }, "severity": { - "type": "string" + "type": [ + "string" + ] }, "value": { - "type": "string" + "type": [ + "string" + ] } }, "required": [ @@ -318,13 +335,17 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "tags": { "items": { "type": "string" }, - "type": "array" + "type": [ + "array" + ] }, "threat": { "items": { @@ -346,15 +367,13 @@ "type": "string" }, "reference": { - "description": "TacticURL", "pattern": "^https://attack.mitre.org/tactics/TA[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, @@ -369,7 +388,6 @@ "type": "string" }, "reference": { - "description": "TechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/$", "type": "string" }, @@ -384,29 +402,30 @@ "type": "string" }, "reference": { - "description": "SubTechniqueURL", "pattern": "^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$", "type": "string" } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ "id", - "name", - "reference" + "name" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] } }, "required": [ @@ -415,7 +434,9 @@ ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "threshold": { "additionalProperties": false, @@ -428,23 +449,21 @@ "type": "string" }, "value": { - "description": "ThresholdValue", "minimum": 1, "type": "integer" } }, "required": [ - "field", - "value" + "field" ], "type": "object" }, - "type": "array" + "type": [ + "array" + ] }, "field": { - "description": "CardinalityFields", "items": { - "description": "NonEmptyStr", "minLength": 1, "type": "string" }, 
@@ -452,33 +471,32 @@
 "type": "array"
 },
 "value": {
- "description": "ThresholdValue",
 "minimum": 1,
 "type": "integer"
 }
 },
- "required": [
- "field",
- "value"
- ],
 "type": "object"
 },
 "throttle": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "timeline_id": {
- "description": "TimelineTemplateId",
 "type": "string"
 },
 "timeline_title": {
- "description": "TimelineTemplateTitle",
 "type": "string"
 },
 "timestamp_override": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "to": {
- "type": "string"
+ "type": [
+ "string"
+ ]
 },
 "type": {
 "enum": [
@@ -487,7 +505,6 @@
 "type": "string"
 },
 "version": {
- "description": "PositiveInteger",
 "minimum": 1,
 "type": "integer"
 }
@@ -496,10 +513,7 @@
 "author",
 "description",
 "language",
- "name",
 "query",
- "risk_score",
- "rule_id",
 "severity",
 "threshold",
 "type"
diff --git a/detection_rules/etc/beats_schemas/main.json.gz b/detection_rules/etc/beats_schemas/main.json.gz
index d1de8b728..bf456e172 100644
Binary files a/detection_rules/etc/beats_schemas/main.json.gz and b/detection_rules/etc/beats_schemas/main.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/v8.18.3.json.gz b/detection_rules/etc/beats_schemas/v8.18.3.json.gz
new file mode 100644
index 000000000..6a6dc545f
Binary files /dev/null and b/detection_rules/etc/beats_schemas/v8.18.3.json.gz differ
diff --git a/detection_rules/etc/beats_schemas/v9.0.3.json.gz b/detection_rules/etc/beats_schemas/v9.0.3.json.gz
new file mode 100644
index 000000000..4fdf79c92
Binary files /dev/null and b/detection_rules/etc/beats_schemas/v9.0.3.json.gz differ
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz
index 509115dda..e6ab635b8 100644
Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz differ
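Review bot: The `threshold` object's `required` list (`field`, `value`) is removed entirely in the `@@ -452` hunk, so `"threshold": {}` now satisfies the schema even though `threshold` itself stays in the top-level `required` list; together with the cardinality change in the `@@ -428` hunk, where `value` is no longer required, a threshold rule with no threshold value anywhere validates. A threshold rule without a `value` has no meaning, so this looks unintended rather than a deliberate relaxation. Keep `"required": ["field", "value"]` on the threshold object (and on the cardinality items) unless the consumer of this schema is known to accept the omission.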
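Review bot: The top-level `required` list in the `@@ -496` hunk drops `name`, `risk_score` and `rule_id`, so a rule document with no `rule_id` (the UUID that keys the version lock later in this diff) passes schema validation; the `rule_id` `pattern` earlier in the diff applies only when the key is present. The surviving list (`author`, `description`, `language`, `query`, `severity`, `threshold`, `type`) suggests this is a threshold-rule schema, and making `name` and `risk_score` optional while `severity` stays required is hard to explain as intent. If the schema is regenerated from the rule dataclasses, check why fields that carry defaults are no longer emitted as required; if it is hand-maintained, restore `"name"`, `"risk_score"` and `"rule_id"` in `required`.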
diff --git a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz index 7dd28b516..03e1268e7 100644 Binary files a/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz index d14f74fb6..8de7f1168 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz index d74ca16df..73a32dabb 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz index 8bf5455ad..d9a8813b9 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz index c4d0b157f..fe4de36b3 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz index 751d5622f..c58c159b3 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz index ff4331cd7..afd9e10d0 100644 Binary files a/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz index 23b5921d3..a10bf8450 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz index 0f7a10863..8c9473d30 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz index 08c90435c..15a2eba75 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz index 139055e22..3b0dd453b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz index 2beec6357..5818f7b48 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz index 8d70fa4f8..789a12940 100644 Binary files a/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz index 7e85a3476..5ee3fb57f 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz index 883504467..5db74034a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz index 7b3ee4bdf..2db22a52a 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz index b9b0b99b6..2cdcfe0df 100644 Binary files a/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz index 5a56c930a..019cab1d3 100644 Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz index caa153725..2a4f84a2e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz index ac01b41ff..5321c1509 100644 Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz index 478bc914f..2fbe5260b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz index c6b09961c..3f070f431 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz index f2366aea4..b31dd8323 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz index d051c53ea..98157579b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz index 5f9edd89d..fd2c0ba75 100644 Binary files a/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz index 43a73eb54..f446a4eeb 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz index d77c3110a..61a52bdb6 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz index 5cca4b3f2..87e0b287c 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz index d3a3f21e1..087684a86 100644 Binary files a/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz index 5a660b3eb..1bf7fcdfa 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz index 3e03fbf7c..9cd7424a1 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz index d4f90c6d2..eb4c01739 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz index 931ff028c..c78782ff4 100644 Binary files a/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz index a44c17483..8d059e85c 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz index 3ab675d76..9c047f0f3 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz index 0d5debb92..11935b546 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz index bcf868307..29814018f 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz index 2b1d19b9e..9e02aba76 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz index 14729fba5..e17038a39 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz index 4e01548e3..0a1edfbdb 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz index f32ef1112..c4d5561a1 100644 Binary files a/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz index bc50c401c..6e17d2789 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz index 7c41025d4..6c8b59dc1 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz index b0eda9c62..ed2b502ee 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz index 7d9f9f055..91a868d92 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz index 79aaa24a5..96071f728 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz index 37a6d7045..d42b57d61 100644 Binary files a/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz index 84e1e5c02..d3dfb4615 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz index edc80a218..3a41fd6de 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz index 3c53cc029..4629854ae 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz index a344b9aaf..2b454a4c6 100644 Binary files a/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz index 64b38733c..5d049870e 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz index db6a989e4..20b591b17 100644 Binary files a/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz index 5e9e904fb..ce30d394b 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz index 5fc1f3f1c..6f5fcc119 100644 Binary files a/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz index 88dc5a9b8..7d5d5f2d7 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz index 1e4331310..8b551f1b9 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz index b4edfb07d..35872d6a4 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz index d7f9f8a0b..dc2e8c050 100644 Binary files a/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz and b/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz differ diff --git a/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz b/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz index 6ea0e599f..2e86536ea 100644 Binary files a/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz and b/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz differ 
diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index 32a2cc685..e42437096 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 386887406..7d3b3f375 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/packages.yaml b/detection_rules/etc/packages.yaml index d326f1f04..67da91905 100644 --- a/detection_rules/etc/packages.yaml +++ b/detection_rules/etc/packages.yaml @@ -3,7 +3,7 @@ package: maturity: - production log_deprecated: true - name: '9.1' + name: '9.2' registry_data: categories: - security @@ -12,7 +12,7 @@ package: capabilities: - security subscription: basic - kibana.version: ^9.1.0 + kibana.version: ^9.2.0 description: Prebuilt detection rules for Elastic Security format_version: 3.0.0 icons: @@ -27,5 +27,5 @@ package: license: Elastic-2.0 title: Prebuilt Security Detection Rules type: integration - version: 9.1.0-beta.1 + version: 9.2.0-beta.1 release: true diff --git a/detection_rules/etc/stack-schema-map.yaml b/detection_rules/etc/stack-schema-map.yaml index 43a2b5926..3614c7b9c 100644 --- a/detection_rules/etc/stack-schema-map.yaml +++ b/detection_rules/etc/stack-schema-map.yaml 
@@ -97,39 +97,49 @@ # ecs: "8.11.0" # endgame: "8.4.0" +#"8.14.0": +# beats: "8.14.3" +# ecs: "8.11.0" +# endgame: "8.4.0" + +#"8.15.0": +# beats: "8.15.3" +# ecs: "8.11.0" +# endgame: "8.4.0" + +#"8.16.0": +# beats: "8.16.1" +# ecs: "8.16.0" +# endgame: "8.4.0" + +#"8.17.0": +# beats: "8.17.0" +# ecs: "8.17.0" +# endgame: "8.4.0" + ## Supported -"8.14.0": - beats: "8.14.3" - ecs: "8.11.0" - endgame: "8.4.0" - -"8.15.0": - beats: "8.15.3" - ecs: "8.11.0" - endgame: "8.4.0" - -"8.16.0": - beats: "8.16.1" - ecs: "8.16.0" - endgame: "8.4.0" - -"8.17.0": - beats: "8.17.0" - ecs: "8.17.0" - endgame: "8.4.0" - "8.18.0": beats: "8.18.0" ecs: "8.17.0" endgame: "8.4.0" +"8.19.0": + beats: "8.18.3" + ecs: "8.17.0" + endgame: "8.4.0" + "9.0.0": beats: "9.0.0" ecs: "9.0.0" endgame: "8.4.0" "9.1.0": - beats: "9.0.0" + beats: "9.0.3" + ecs: "9.0.0" + endgame: "8.4.0" + +"9.2.0": + beats: "9.0.3" ecs: "9.0.0" endgame: "8.4.0" \ No newline at end of file diff --git a/detection_rules/etc/version.lock.json b/detection_rules/etc/version.lock.json index 914a33ce7..6965168ce 100644 --- a/detection_rules/etc/version.lock.json +++ b/detection_rules/etc/version.lock.json @@ -1,15 +1,5 @@ { "000047bb-b27a-47ec-8b62-ef1a5d2c9e19": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 309, - "rule_name": "Attempt to Modify an Okta Policy Rule", - "sha256": "fcd948028bd42ce890deb31d6aef7d2a5f841d194d024c8a632bd40203c89554", - "type": "query", - "version": 211 - } - }, "rule_name": "Attempt to Modify an Okta Policy Rule", "sha256": "fcd948028bd42ce890deb31d6aef7d2a5f841d194d024c8a632bd40203c89554", "type": "query", @@ -64,7 +54,6 @@ "version": 12 }, "017de1e4-ea35-11ee-a417-f661ea17fbce": { - "min_stack_version": "8.16", "rule_name": "Memory Threat - Detected - Elastic Defend", "sha256": "2b1277af9a824d07977a035ae4f6833f19e26f54f8e63a687a92d4333c198416", "type": "query", 
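Review bot: The new `"8.19.0"` entry pins `beats: "8.18.3"` and `ecs: "8.17.0"`, and `"9.2.0"` simply repeats the `9.1.0` values (`beats: "9.0.3"`, `ecs: "9.0.0"`), with nothing in the file saying these are stand-ins, so a reader cannot tell a deliberate pin from a forgotten bump. A one-line comment on each would help, e.g. `# no dedicated 8.19 beats/ecs schema yet; pinned to the latest published 8.x schemas` above `"8.19.0":` and the equivalent above `"9.2.0":`, to be removed when the real schemas are added the way `v8.18.3.json.gz` and `v9.0.3.json.gz` are in this commit. The hunk also still ends with `\ No newline at end of file`, which is worth fixing while the file is being edited.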
@@ -101,7 +90,6 @@ "version": 311 }, "02b4420d-eda2-4529-9e46-4a60eccb7e2d": { - "min_stack_version": "8.18", "rule_name": "Spike in Group Privilege Change Events", "sha256": "2015c7b46d30958f203057f4aba73ca8177b642c7900850ec22b6db4fa4ad5af", "type": "machine_learning", @@ -270,7 +258,6 @@ "version": 217 }, "06f3a26c-ea35-11ee-a417-f661ea17fbce": { - "min_stack_version": "8.16", "rule_name": "Memory Threat - Prevented- Elastic Defend", "sha256": "39ab8efbaba1708840ab6193657a5a186f3a085b6224598c77a08006514293dd", "type": "query", @@ -343,7 +330,6 @@ "version": 7 }, "08be5599-3719-4bbd-8cbc-7e9cff556881": { - "min_stack_version": "8.18", "rule_name": "Unusual Source IP for Windows Privileged Operations Detected", "sha256": "f0c3939a5957cddd4b6387710c93b4c9797c526fdc426a83b3c681d57d67b47b", "type": "machine_learning", @@ -380,7 +366,6 @@ "version": 100 }, "097ef0b8-fb21-4e45-ad89-d81666349c6a": { - "min_stack_version": "8.18", "rule_name": "Spike in Special Logon Events", "sha256": "42bb7ebf26e253f5a13b0f718a37a6de590190e051705ab28122bca64c59bbb5", "type": "machine_learning", @@ -483,7 +468,6 @@ "version": 9 }, "0c74cd7e-ea35-11ee-a417-f661ea17fbce": { - "min_stack_version": "8.16", "rule_name": "Ransomware - Detected - Elastic Defend", "sha256": "4cd274302356966cd95f09c1100bc8a7ded3746edf7901cc0a36a7d8a85120fb", "type": "query", @@ -502,7 +486,6 @@ "version": 204 }, "0cbbb5e0-f93a-47fe-ab72-8213366c38f1": { - "min_stack_version": "8.18", "rule_name": "High Command Line Entropy Detected for Privileged Commands", "sha256": "59c263dc1cdfe3855fdd501367d03907ed748e52353b5e059b96f1ee2c5afde3", "type": "machine_learning", @@ -527,7 +510,6 @@ "version": 4 }, "0d3d2254-2b4a-11f0-a019-f661ea17fbcc": { - "min_stack_version": "8.17", "rule_name": "Microsoft Entra ID Session Reuse with Suspicious Graph Access", "sha256": "5c708e3c3878ddd653cdf55f9cbaf029d5b6de268e2681c65df4ccdfd93c3223", "type": "esql", 
@@ -546,16 +528,6 @@ "version": 113 }, "0d92d30a-5f3e-4b71-bc3d-4a0c4914b7e0": { - "min_stack_version": "8.17", - "previous": { - "8.14": { - "max_allowable_version": 100, - "rule_name": "AWS STS Temporary IAM Session Token Used from Multiple Addresses", - "sha256": "fb175cfc21beb83df7bcff6a18a7a0e8a0d6d449a76447a0ab35e979a20980f3", - "type": "esql", - "version": 1 - } - }, "rule_name": "AWS Access Token Used from Multiple Addresses", "sha256": "156805611533217338dd0a15eb5010ccbc4528c1188d7e5e6e299e430043fe77", "type": "esql", @@ -622,7 +594,6 @@ "version": 107 }, "0f615fe4-eaa2-11ee-ae33-f661ea17fbce": { - "min_stack_version": "8.16", "rule_name": "Behavior - Detected - Elastic Defend", "sha256": "d8fb41394bccffb0c9806c9a2edcf0cd1eefa2bc71a5d98d020b766f1e9e0c1c", "type": "query", @@ -665,7 +636,6 @@ "version": 210 }, "10f3d520-ea35-11ee-a417-f661ea17fbce": { - "min_stack_version": "8.16", "rule_name": "Ransomware - Prevented - Elastic Defend", "sha256": "3d0922a96d70e3acfbd3d41bfb8c15881b2c0754486948513d6e29ced4a004e4", "type": "query", @@ -786,7 +756,6 @@ "version": 105 }, "138520d2-11ff-4288-a80e-a45b36dca4b1": { - "min_stack_version": "8.18", "rule_name": "Spike in Group Membership Events", "sha256": "e2e661163bffdfe10ea5fed8565f15060b3aa280538e6ab7961a0c4d34d930e3", "type": "machine_learning", @@ -853,16 +822,6 @@ "version": 3 }, "1502a836-84b2-11ef-b026-f661ea17fbcc": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 102, - "rule_name": "Successful Application SSO from Rare Unknown Client Device", - "sha256": "a787c8a5d1e30ca3e750ec49ca534e9a496786f700ab8794b3a8449050392808", - "type": "new_terms", - "version": 4 - } - }, "rule_name": "Successful Application SSO from Rare Unknown Client Device", "sha256": "a787c8a5d1e30ca3e750ec49ca534e9a496786f700ab8794b3a8449050392808", "type": "new_terms", 
@@ -995,7 +954,6 @@ "version": 209 }, "178770e0-5c20-4246-b430-e216a2888b23": { - "min_stack_version": "8.18", "rule_name": "Spike in User Lifecycle Management Change Events", "sha256": "438ed61161676ea1f78ee1750b4a062b253a0a0f630d801114e69b75540c3dd0", "type": "machine_learning", @@ -1188,16 +1146,6 @@ "version": 212 }, "1ceb05c4-7d25-11ee-9562-f661ea17fbcd": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 104, - "rule_name": "Okta Sign-In Events via Third-Party IdP", - "sha256": "a84e20c2c4fc5066af8592c0955130207146c842eee469e7530c0bf8af7b911a", - "type": "query", - "version": 6 - } - }, "rule_name": "Okta Sign-In Events via Third-Party IdP", "sha256": "a84e20c2c4fc5066af8592c0955130207146c842eee469e7530c0bf8af7b911a", "type": "query", @@ -1468,16 +1416,6 @@ "version": 2 }, "23f18264-2d6d-11ef-9413-f661ea17fbce": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 102, - "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", - "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", - "type": "esql", - "version": 4 - } - }, "rule_name": "High Number of Okta Device Token Cookies Generated for Authentication", "sha256": "5878c82e5f3d8f2d217199e6f32a1448352e8c4ce303fe0ba02fb32c73a3df47", "type": "esql", @@ -1520,16 +1458,6 @@ "version": 4 }, "260486ee-7d98-11ee-9599-f661ea17fbcd": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 104, - "rule_name": "New Okta Authentication Behavior Detected", - "sha256": "f8a12d199fb7a1095704fd2f04c3cdf19a78c0eae297510e7225c28990d53ee8", - "type": "query", - "version": 6 - } - }, "rule_name": "New Okta Authentication Behavior Detected", "sha256": "f8a12d199fb7a1095704fd2f04c3cdf19a78c0eae297510e7225c28990d53ee8", "type": "query", 
@@ -1596,16 +1524,6 @@ "version": 107 }, "26f68dba-ce29-497b-8e13-b4fde1db5a2d": { - "min_stack_version": "8.17", - "previous": { - "8.14": { - "max_allowable_version": 411, - "rule_name": "Attempts to Brute Force a Microsoft 365 User Account", - "sha256": "d25046282b20d2a93b29f3016f1dfa97b68488629031ddb7157c032045f36b59", - "type": "esql", - "version": 312 - } - }, "rule_name": "Potential Microsoft 365 User Account Brute Force", "sha256": "5c514169b6d79b56e7862806ed11630e068b9d8675fbe1f9f171736a3b42ad0e", "type": "esql", @@ -1630,7 +1548,6 @@ "version": 209 }, "27569131-560e-441e-b556-0b9180af3332": { - "min_stack_version": "8.18", "rule_name": "Unusual Privilege Type assigned to a User", "sha256": "579ed4cf157c5823aba1285af6e70c68cb53ea8b58681a305bb4b2fad6f975e3", "type": "machine_learning", @@ -1709,16 +1626,6 @@ "version": 110 }, "28eb3afe-131d-48b0-a8fc-9784f3d54f3c": { - "min_stack_version": "8.16", - "previous": { - "8.14": { - "max_allowable_version": 104, - "rule_name": "Privilege Escalation via SUID/SGID", - "sha256": "1bb60aadb66e216d1d1c739cbaf1aa1299ea9b11590f0081e13aa9883a42e732", - "type": "eql", - "version": 6 - } - }, "rule_name": "Privilege Escalation via SUID/SGID", "sha256": "a0f28f4019bcdc2ec46f08f84bfb25eb3a3c510c7a4e16bf8606a7b721157da4", "type": "eql", @@ -1755,16 +1662,6 @@ "version": 419 }, "29b53942-7cd4-11ee-b70e-f661ea17fbcd": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 103, - "rule_name": "New Okta Identity Provider (IdP) Added by Admin", - "sha256": "1537231ffbe3f9f7c4366b5fc908eb9fd04fc332d5810b920c40f450550dc123", - "type": "query", - "version": 5 - } - }, "rule_name": "New Okta Identity Provider (IdP) Added by Admin", "sha256": "1537231ffbe3f9f7c4366b5fc908eb9fd04fc332d5810b920c40f450550dc123", "type": "query", 
@@ -1807,7 +1704,6 @@ "version": 111 }, "2bca4fcd-5228-4472-9071-148903a31057": { - "min_stack_version": "8.18", "rule_name": "Unusual Host Name for Windows Privileged Operations Detected", "sha256": "09d0cf5e77010be2cc43c4031d377ce5839b0314b7c66300b0bbcf1eaef32711", "type": "machine_learning", @@ -1850,7 +1746,6 @@ "version": 205 }, "2d6f5332-42ea-11f0-b09a-f661ea17fbcd": { - "min_stack_version": "8.17", "rule_name": "Microsoft Entra ID Exccessive Account Lockouts Detected", "sha256": "0f02e577ddc1fe851a0145485a0c80e9146f51ff9d58736c18233e59adcdc755", "type": "esql", @@ -1911,16 +1806,6 @@ "version": 108 }, "2e56e1bc-867a-11ee-b13e-f661ea17fbcd": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 100, - "rule_name": "Okta User Sessions Started from Different Geolocations", - "sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66", - "type": "esql", - "version": 3 - } - }, "rule_name": "Okta User Sessions Started from Different Geolocations", "sha256": "9d2bcc3e964c0434187bfaa20b0f3273fdedbc87d5c26e8096ceaf6770db9e66", "type": "esql", @@ -2059,7 +1944,6 @@ "version": 105 }, "3278313c-d6cd-4d49-aa24-644e1da6623c": { - "min_stack_version": "8.18", "rule_name": "Spike in Group Application Assignment Change Events", "sha256": "ca1b781fbc4b97568ce2cdfea10b7dc1b76842294599e010a6e2ea443697cf09", "type": "machine_learning", @@ -2156,16 +2040,6 @@ "version": 7 }, "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc": { - "min_stack_version": "8.17", - "previous": { - "8.14": { - "max_allowable_version": 103, - "rule_name": "Azure Entra Sign-in Brute Force against Microsoft 365 Accounts", - "sha256": "93996a82dfb600e7e40a0bc6c930c29592b522b81f785c3d11c67bd43e234bbe", - "type": "esql", - "version": 4 - } - }, "rule_name": "Potential Microsoft 365 Brute Force via Entra ID Sign-Ins", "sha256": "e001d9362eed086bc923624a65783867be0e1257151bba0624238afbb168c521", "type": "esql", 
@@ -2196,7 +2070,6 @@ "version": 100 }, "36188365-f88f-4f70-8c1d-0b9554186b9c": { - "min_stack_version": "8.17", "rule_name": "Suspicious Microsoft 365 UserLoggedIn via OAuth Code", "sha256": "e65cd735fc5838b036a00de0f93ac57a0a0bd8463796719fe697884b902b45c2", "type": "esql", @@ -2227,7 +2100,6 @@ "version": 109 }, "375132c6-25d5-11f0-8745-f661ea17fbcd": { - "min_stack_version": "8.17", "rule_name": "Suspicious Microsoft OAuth Flow via Auth Broker to DRS", "sha256": "d30059429db55e2153898e53be14f42ddd4df5776f79a3702905867ae95cd0fe", "type": "esql", @@ -2264,7 +2136,6 @@ "version": 1 }, "37cca4d4-92ab-4a33-a4f8-44a7a380ccda": { - "min_stack_version": "8.18", "rule_name": "Spike in User Account Management Events", "sha256": "bd6a9507ccb771be5c4d84d5289168f672b66e36e548c57fb2b4c8c99b6fc847", "type": "machine_learning", @@ -2277,16 +2148,6 @@ "version": 211 }, "3805c3dc-f82c-4f8d-891e-63c24d3102b0": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 309, - "rule_name": "Attempted Bypass of Okta MFA", - "sha256": "be1bd9b556ac557afbe8f745f307835a1dc26a7d90561ccfae0c1e6c05c8e6cd", - "type": "query", - "version": 211 - } - }, "rule_name": "Attempted Bypass of Okta MFA", "sha256": "be1bd9b556ac557afbe8f745f307835a1dc26a7d90561ccfae0c1e6c05c8e6cd", "type": "query", @@ -2671,16 +2532,6 @@ "version": 4 }, "42bf698b-4738-445b-8231-c834ddefd8a0": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 310, - "rule_name": "Okta Brute Force or Password Spraying Attack", - "sha256": "f2cddaf0e60500a194a108dfe0e27c92610bd4a455cdc6613c978dffd06b1881", - "type": "threshold", - "version": 212 - } - }, "rule_name": "Okta Brute Force or Password Spraying Attack", "sha256": "f2cddaf0e60500a194a108dfe0e27c92610bd4a455cdc6613c978dffd06b1881", "type": "threshold", 
@@ -2969,7 +2820,6 @@ "version": 113 }, "4d169db7-0323-4157-9ad3-ea5ece9019c9": { - "min_stack_version": "8.14", "rule_name": "Potential NetNTLMv1 Downgrade Attack", "sha256": "b4d688bb17f571660796ae95fb0496f32e1a568a228a67a2f4c97a8e0307cf84", "type": "eql", @@ -3030,16 +2880,6 @@ "version": 212 }, "4edd3e1a-3aa0-499b-8147-4d2ea43b1613": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Unauthorized Access to an Okta Application", - "sha256": "1da534261dd74dbfe7a88a3120ea11d3178d0d7d15bc26c55663375b183b66ce", - "type": "query", - "version": 210 - } - }, "rule_name": "Unauthorized Access to an Okta Application", "sha256": "1da534261dd74dbfe7a88a3120ea11d3178d0d7d15bc26c55663375b183b66ce", "type": "query", @@ -3064,16 +2904,6 @@ "version": 317 }, "50887ba8-7ff7-11ee-a038-f661ea17fbcd": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 104, - "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", - "sha256": "f2424834e44a69340ce5568b0d5fe81eba881e0c3a8bef999f8951a46b3106a2", - "type": "threshold", - "version": 6 - } - }, "rule_name": "Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy", "sha256": "f2424834e44a69340ce5568b0d5fe81eba881e0c3a8bef999f8951a46b3106a2", "type": "threshold", @@ -3272,16 +3102,6 @@ "version": 110 }, "5610b192-7f18-11ee-825b-f661ea17fbcd": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 103, - "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", - "sha256": "408545a8e0abf5d71e8765dc71ece9a464ea7b35a2d12b135df96bec31f1b631", - "type": "eql", - "version": 5 - } - }, "rule_name": "Stolen Credentials Used to Login to Okta Account After MFA Reset", "sha256": "e5063799ab10aae18df8b80273efb3ce5480722024992f100e3a70f3f4ccd897", "type": "eql", 
@@ -3660,7 +3480,6 @@ "version": 100 }, "5eac16ab-6d4f-427b-9715-f33e1b745fc7": { - "min_stack_version": "8.18", "rule_name": "Unusual Process Detected for Privileged Commands by a User", "sha256": "c9aa68e0bbefe704a06a42460c07f488861cf71aaaec68520a0c536c8084352e", "type": "machine_learning", @@ -3739,16 +3558,6 @@ "version": 216 }, "621e92b6-7e54-11ee-bdc0-f661ea17fbcd": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 104, - "rule_name": "Multiple Okta Sessions Detected for a Single User", - "sha256": "8718b5f7766c49df934b5a358670fd814c176f3dba6835a0ec719cd8c6560b56", - "type": "threshold", - "version": 7 - } - }, "rule_name": "Multiple Okta Sessions Detected for a Single User", "sha256": "8718b5f7766c49df934b5a358670fd814c176f3dba6835a0ec719cd8c6560b56", "type": "threshold", @@ -3899,16 +3708,6 @@ "version": 10 }, "6649e656-6f85-11ef-8876-f661ea17fbcc": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 103, - "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", - "sha256": "73db657803846bffc7d107cbc8bf0cc7d9bbda6f034becce1f0990588362cb7f", - "type": "new_terms", - "version": 5 - } - }, "rule_name": "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials", "sha256": "73db657803846bffc7d107cbc8bf0cc7d9bbda6f034becce1f0990588362cb7f", "type": "new_terms", @@ -3951,16 +3750,6 @@ "version": 117 }, "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Attempt to Modify an Okta Policy", - "sha256": "a641b7d199f4e4fd832c1dc4b7bb8e8e0693119f5efdf132d673600f1a67de92", - "type": "query", - "version": 210 - } - }, "rule_name": "Attempt to Modify an Okta Policy", "sha256": "a641b7d199f4e4fd832c1dc4b7bb8e8e0693119f5efdf132d673600f1a67de92", "type": "query", 
@@ -3973,23 +3762,12 @@ "version": 209 }, "6756ee27-9152-479b-9b73-54b5bbda301c": { - "min_stack_version": "8.17", "rule_name": "Rare Connection to WebDAV Target", "sha256": "92b9fe3e356e788ab08e04b80551d2c955982681d6c01d7bd8b098d0720ece71", "type": "esql", "version": 1 }, "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Attempt to Revoke Okta API Token", - "sha256": "46ce327e5a7721a4232d054cffea7064e587e8fe9066deaf0b52b4dce137c44e", - "type": "query", - "version": 210 - } - }, "rule_name": "Attempt to Revoke Okta API Token", "sha256": "46ce327e5a7721a4232d054cffea7064e587e8fe9066deaf0b52b4dce137c44e", "type": "query", @@ -4026,16 +3804,6 @@ "version": 210 }, "6885d2ae-e008-4762-b98a-e8e1cd3a81e9": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 307, - "rule_name": "Okta ThreatInsight Threat Suspected Promotion", - "sha256": "0213339b429615707aed9697fd239830b2cc1c6c0f4d8b8ea9c25c860c76c36d", - "type": "query", - "version": 209 - } - }, "rule_name": "Okta ThreatInsight Threat Suspected Promotion", "sha256": "0213339b429615707aed9697fd239830b2cc1c6c0f4d8b8ea9c25c860c76c36d", "type": "query", @@ -4294,16 +4062,6 @@ "version": 100 }, "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 103, - "rule_name": "First Occurrence of Okta User Session Started via Proxy", - "sha256": "dc30f02925c5388d6fb4fcadedc3792f0bd291945f7de61c8c6e40287ea12fb7", - "type": "new_terms", - "version": 5 - } - }, "rule_name": "First Occurrence of Okta User Session Started via Proxy", "sha256": "9868b324f20d976867393dea2d166df6dc944a6a56def58191886a560e656fce", "type": "new_terms", 
@@ -4322,7 +4080,6 @@ "version": 100 }, "6fb2280a-d91a-4e64-a97e-1332284d9391": { - "min_stack_version": "8.18", "rule_name": "Spike in Special Privilege Use Events", "sha256": "ed6ffa275f2e757c537e56f54d8322172b0f69b4f8654de69c31e43cf69165f2", "type": "machine_learning", @@ -4431,16 +4188,6 @@ "version": 2 }, "729aa18d-06a6-41c7-b175-b65b739b1181": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", - "sha256": "cc1423cbb9a6308b079d91c2db23175ab961848433acd76b756d3d618d8ae37f", - "type": "query", - "version": 210 - } - }, "rule_name": "Attempt to Reset MFA Factors for an Okta User Account", "sha256": "cc1423cbb9a6308b079d91c2db23175ab961848433acd76b756d3d618d8ae37f", "type": "query", @@ -4507,7 +4254,6 @@ "version": 2 }, "751b0329-7295-4682-b9c7-4473b99add69": { - "min_stack_version": "8.18", "rule_name": "Spike in Group Management Events", "sha256": "6aa16483545e4ae86c71fcab6c5cfd06448c88dcea3463a478df4a043f618b71", "type": "machine_learning", @@ -4666,7 +4412,7 @@ "79543b00-28a5-4461-81ac-644c4dc4012f": { "min_stack_version": "9.0", "previous": { - "8.15": { + "8.18": { "max_allowable_version": 103, "rule_name": "Execution of a Downloaded Windows Script", "sha256": "e952b2c22ea74d519101db31f240accb3c939550221f13dc5f35591267a4d717", @@ -4752,16 +4498,6 @@ "version": 216 }, "7b981906-86b7-4544-8033-c30ec6eb45fc": { - "min_stack_version": "8.16", - "previous": { - "8.14": { - "max_allowable_version": 100, - "rule_name": "SELinux Configuration Creation or Renaming", - "sha256": "e0fd7a02977ac1874c461de3c585b307275722953f25c025ed9c7678b2efb492", - "type": "eql", - "version": 2 - } - }, "rule_name": "SELinux Configuration Creation or Renaming", "sha256": "873586d99be1693225ad6dc1701f18678b981b927866f1bada9871d2b49ebc30", "type": "eql", 
@@ -5044,7 +4780,6 @@ "version": 213 }, "85e2d45e-a3df-4acf-83d3-21805f564ff4": { - "min_stack_version": "8.17", "rule_name": "Potential PowerShell Obfuscation via Character Array Reconstruction", "sha256": "acaa59b7068789551c4bea35c19e1d53a5768954e4d110604a5b2a1b6271db39", "type": "esql", @@ -5189,16 +4924,6 @@ "version": 10 }, "8a0fbd26-867f-11ee-947c-f661ea17fbcd": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 105, - "rule_name": "Potential Okta MFA Bombing via Push Notifications", - "sha256": "5b134678f04342b904ee4c63980fc14bdcf2f7cbf135b07967094491c2b4da6f", - "type": "eql", - "version": 7 - } - }, "rule_name": "Potential Okta MFA Bombing via Push Notifications", "sha256": "5b134678f04342b904ee4c63980fc14bdcf2f7cbf135b07967094491c2b4da6f", "type": "eql", @@ -5223,16 +4948,6 @@ "version": 211 }, "8a5c1e5f-ad63-481e-b53a-ef959230f7f1": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Attempt to Deactivate an Okta Network Zone", - "sha256": "dbce4eb6536e98fead4c6b92a94a9dfc69b503211cd450e3c89655a61ff3653d", - "type": "query", - "version": 210 - } - }, "rule_name": "Attempt to Deactivate an Okta Network Zone", "sha256": "dbce4eb6536e98fead4c6b92a94a9dfc69b503211cd450e3c89655a61ff3653d", "type": "query", @@ -5293,7 +5008,6 @@ "version": 111 }, "8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f": { - "min_stack_version": "8.18", "rule_name": "Unusual Host Name for Okta Privileged Operations Detected", "sha256": "7a6965067decb91421ed50757505f4af9ffd89cf9cf0f0e91cae128d11f3a3e9", "type": "machine_learning", 
@@ -5570,16 +5284,6 @@ "version": 214 }, "94e734c0-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 102, - "rule_name": "Multiple Okta User Authentication Events with Client Address", - "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", - "type": "esql", - "version": 4 - } - }, "rule_name": "Multiple Okta User Authentication Events with Client Address", "sha256": "81219dd2b471c66d9005d11edc88ba7fb5ab4f7f886b8417e1d3dab37f366606", "type": "esql", @@ -5616,16 +5320,6 @@ "version": 212 }, "95b99adc-2cda-11ef-84e1-f661ea17fbce": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 102, - "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", - "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", - "type": "esql", - "version": 4 - } - }, "rule_name": "Multiple Okta User Authentication Events with Same Device Token Hash", "sha256": "a085a6ef8490d83757962f54f7be99b6c5ef0cec9446e6dc1eb1f17ce5848d85", "type": "esql", @@ -5656,16 +5350,6 @@ "version": 3 }, "96b9f4ea-0e8c-435b-8d53-2096e75fcac5": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 307, - "rule_name": "Attempt to Create Okta API Token", - "sha256": "a5d1a18063a75668e70700f1528f8337ed0d0f3744f711f615a6b1bc9a4164c7", - "type": "query", - "version": 209 - } - }, "rule_name": "Attempt to Create Okta API Token", "sha256": "a5d1a18063a75668e70700f1528f8337ed0d0f3744f711f615a6b1bc9a4164c7", "type": "query", 
@@ -5732,16 +5416,6 @@ "version": 210 }, "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 311, - "rule_name": "Potentially Successful MFA Bombing via Push Notifications", - "sha256": "4041c4ae09570e6883d75b0cc6d734066a4ad40fdd5c2249576cc80d9efac0c3", - "type": "eql", - "version": 213 - } - }, "rule_name": "Potentially Successful MFA Bombing via Push Notifications", "sha256": "4041c4ae09570e6883d75b0cc6d734066a4ad40fdd5c2249576cc80d9efac0c3", "type": "eql", @@ -6168,7 +5842,6 @@ "version": 111 }, "a300dea6-e228-40e1-9123-a339e207378b": { - "min_stack_version": "8.18", "rule_name": "Unusual Spike in Concurrent Active Sessions by a User", "sha256": "6766dc8f5e02b59766bf64222d202554ead379489ef45a93a89f75f34701b72b", "type": "machine_learning", @@ -6319,7 +5992,6 @@ "version": 7 }, "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120": { - "min_stack_version": "8.18", "rule_name": "Unusual Region Name for Okta Privileged Operations Detected", "sha256": "c1754fb24018b0b1ad18dda900585a848ef023365ffdb417c9ee87a5e201ac4c", "type": "machine_learning", @@ -6356,7 +6028,6 @@ "version": 108 }, "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833": { - "min_stack_version": "8.18", "rule_name": "Spike in Group Lifecycle Change Events", "sha256": "3ab7c41b734b153c7587be53dfc664648e566347fe8811622b4ec7949d802ed9", "type": "machine_learning", @@ -6735,16 +6406,6 @@ "version": 108 }, "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Attempt to Delete an Okta Policy", - "sha256": "774aa21659a63c8b8b6166215078531f5d94fd43b5e2ee37fd411ccca68d5991", - "type": "query", - "version": 210 - } - }, "rule_name": "Attempt to Delete an Okta Policy", "sha256": "774aa21659a63c8b8b6166215078531f5d94fd43b5e2ee37fd411ccca68d5991", "type": "query", 
@@ -6805,16 +6466,6 @@ "version": 106 }, "b719a170-3bdb-4141-b0e3-13e3cf627bfe": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Attempt to Deactivate an Okta Policy", - "sha256": "4cddeb02ca83f5ec2218122735fb4489929a8613f1d7da7bab02a3d2a4a87cdc", - "type": "query", - "version": 210 - } - }, "rule_name": "Attempt to Deactivate an Okta Policy", "sha256": "4cddeb02ca83f5ec2218122735fb4489929a8613f1d7da7bab02a3d2a4a87cdc", "type": "query", @@ -6827,16 +6478,6 @@ "version": 4 }, "b8075894-0b62-46e5-977c-31275da34419": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 307, - "rule_name": "Administrator Privileges Assigned to an Okta Group", - "sha256": "d5413219e7e19880fd290c1a21c134fc35ace0ab27f8d072b6acb7e98b834264", - "type": "query", - "version": 209 - } - }, "rule_name": "Administrator Privileges Assigned to an Okta Group", "sha256": "d5413219e7e19880fd290c1a21c134fc35ace0ab27f8d072b6acb7e98b834264", "type": "query", @@ -7047,7 +6688,6 @@ "version": 1 }, "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f": { - "min_stack_version": "8.18", "rule_name": "Spike in Privileged Command Execution by a User", "sha256": "0abbb06b0ea223dd93d5fe72d4038b28733b82fe49397d0f3f46a331b0bd7adb", "type": "machine_learning", @@ -7186,7 +6826,6 @@ "version": 209 }, "c18975f5-676c-4091-b626-81e8938aa2ee": { - "min_stack_version": "8.14", "rule_name": "Potential RemoteMonologue Attack", "sha256": "5bfa9994c043217b1bfb42b4f0028e2871267f04b10dc7ba6898bc97a5f6551c", "type": "eql", 
@@ -7391,32 +7030,12 @@ "version": 2 }, "c749e367-a069-4a73-b1f2-43a3798153ad": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Attempt to Delete an Okta Network Zone", - "sha256": "c52cfad33cb4e250d22ce58eae016d2063b67a5e56c310c77fd3d68bf7ca8b93", - "type": "query", - "version": 210 - } - }, "rule_name": "Attempt to Delete an Okta Network Zone", "sha256": "c52cfad33cb4e250d22ce58eae016d2063b67a5e56c310c77fd3d68bf7ca8b93", "type": "query", "version": 413 }, "c74fd275-ab2c-4d49-8890-e2943fa65c09": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 307, - "rule_name": "Attempt to Modify an Okta Application", - "sha256": "7aba5f4848c54d1dbdf9f339b258ef0b10e8f0ced4be14bbe8731c72fb21c2ae", - "type": "query", - "version": 209 - } - }, "rule_name": "Attempt to Modify an Okta Application", "sha256": "7aba5f4848c54d1dbdf9f339b258ef0b10e8f0ced4be14bbe8731c72fb21c2ae", "type": "query", @@ -7585,16 +7204,6 @@ "version": 110 }, "cc382a2e-7e52-11ee-9aac-f661ea17fbcd": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 101, - "rule_name": "Multiple Device Token Hashes for Single Okta Session", - "sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd", - "type": "esql", - "version": 3 - } - }, "rule_name": "Multiple Device Token Hashes for Single Okta Session", "sha256": "7a54288765d90440a1d3da5ea46ee1746323c6b4268a456262dce90422b820cd", "type": "esql", 
@@ -7619,16 +7228,6 @@ "version": 107 }, "cc92c835-da92-45c9-9f29-b4992ad621a0": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 309, - "rule_name": "Attempt to Deactivate an Okta Policy Rule", - "sha256": "ad8b058fbd73eb0d1d35b377a0e40d51bff4555e31e6a3aae172ebaa6c924480", - "type": "query", - "version": 211 - } - }, "rule_name": "Attempt to Deactivate an Okta Policy Rule", "sha256": "ad8b058fbd73eb0d1d35b377a0e40d51bff4555e31e6a3aae172ebaa6c924480", "type": "query", @@ -7647,16 +7246,6 @@ "version": 105 }, "cd16fb10-0261-46e8-9932-a0336278cdbe": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", - "sha256": "e5f40a33e82975840bc65f1ac5e0feec696b92cfafff003e9fb617478b68b0f7", - "type": "query", - "version": 210 - } - }, "rule_name": "Modification or Removal of an Okta Application Sign-On Policy", "sha256": "e5f40a33e82975840bc65f1ac5e0feec696b92cfafff003e9fb617478b68b0f7", "type": "query", 
@@ -7687,32 +7276,12 @@ "version": 7 }, "cd89602e-9db0-48e3-9391-ae3bf241acd8": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 310, - "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", - "sha256": "04ca550d18255b6f9e3437537b63cbdeedfe26f51c89cd8415e639ca6e57b68b", - "type": "eql", - "version": 212 - } - }, "rule_name": "MFA Deactivation with no Re-Activation for Okta User Account", "sha256": "04ca550d18255b6f9e3437537b63cbdeedfe26f51c89cd8415e639ca6e57b68b", "type": "eql", "version": 415 }, "cdbebdc1-dc97-43c6-a538-f26a20c0a911": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 309, - "rule_name": "Okta User Session Impersonation", - "sha256": "fd20dd3278688d63cc6c90f2a764d862c712ec3c2bf755f14cd15a06830ed4af", - "type": "query", - "version": 211 - } - }, "rule_name": "Okta User Session Impersonation", "sha256": "fd20dd3278688d63cc6c90f2a764d862c712ec3c2bf755f14cd15a06830ed4af", "type": "query", @@ -7851,7 +7420,6 @@ "version": 110 }, "d2703b82-f92c-4489-a4a7-62aa29a62542": { - "min_stack_version": "8.18", "rule_name": "Unusual Region Name for Windows Privileged Operations Detected", "sha256": "4a27a3971ab4ac2abd8929f07178a8052f887401d8443d1e1f49f090638b2f20", "type": "machine_learning", @@ -7900,16 +7468,6 @@ "version": 4 }, "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 307, - "rule_name": "Attempt to Delete an Okta Application", - "sha256": "55dcaf216c136ee36ab1a0795a0eac62cc5934afc12bf9c3aa62d375c85478ae", - "type": "query", - "version": 209 - } - }, "rule_name": "Attempt to Delete an Okta Application", "sha256": "55dcaf216c136ee36ab1a0795a0eac62cc5934afc12bf9c3aa62d375c85478ae", "type": "query", 
@@ -7958,16 +7516,6 @@ "version": 311 }, "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Attempt to Delete an Okta Policy Rule", - "sha256": "bb64864ae4182c5c20617d0c144142f701fef1633a31bec20e5d737717157f13", - "type": "query", - "version": 210 - } - }, "rule_name": "Attempt to Delete an Okta Policy Rule", "sha256": "bb64864ae4182c5c20617d0c144142f701fef1633a31bec20e5d737717157f13", "type": "query", @@ -8262,14 +7810,12 @@ "version": 4 }, "ddf26e25-3e30-42b2-92db-bde8eb82ad67": { - "min_stack_version": "8.14", "rule_name": "File Creation in /var/log via Suspicious Process", "sha256": "de3213512466504ceeb6f647d621e99c20c97e611635b24da26b508e4494ee12", "type": "new_terms", "version": 3 }, "de67f85e-2d43-11f0-b8c9-f661ea17fbcc": { - "min_stack_version": "8.17", "rule_name": "Multiple Microsoft 365 User Account Lockouts in Short Time Window", "sha256": "75096b67404510e3b605f336c782c92b5393e605841cbe4a5c2c272e8c34adc1", "type": "esql", @@ -8366,16 +7912,6 @@ "version": 112 }, "e08ccd49-0380-4b2b-8d71-8000377d6e49": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 310, - "rule_name": "Attempts to Brute Force an Okta User Account", - "sha256": "6895c9fbae5168b04623118fd5fc7fd437115a39af78dc23169e7b1ec667b959", - "type": "threshold", - "version": 212 - } - }, "rule_name": "Attempts to Brute Force an Okta User Account", "sha256": "6895c9fbae5168b04623118fd5fc7fd437115a39af78dc23169e7b1ec667b959", "type": "threshold", 
@@ -8532,16 +8068,6 @@ "version": 109 }, "e48236ca-b67a-4b4e-840c-fdc7782bc0c3": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Attempt to Modify an Okta Network Zone", - "sha256": "0fe269bb97bcb2fd0169410d29766dd6d5f9d7c0cb45606460e173d3a8122c76", - "type": "query", - "version": 210 - } - }, "rule_name": "Attempt to Modify an Okta Network Zone", "sha256": "0fe269bb97bcb2fd0169410d29766dd6d5f9d7c0cb45606460e173d3a8122c76", "type": "query", @@ -8590,16 +8116,6 @@ "version": 111 }, "e6e3ecff-03dd-48ec-acbd-54a04de10c68": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 307, - "rule_name": "Possible Okta DoS Attack", - "sha256": "b21e24b57dbe58161fb421ca64574bc8e25b38423b8b0522e7245c63e7482a0b", - "type": "query", - "version": 209 - } - }, "rule_name": "Possible Okta DoS Attack", "sha256": "b21e24b57dbe58161fb421ca64574bc8e25b38423b8b0522e7245c63e7482a0b", "type": "query", @@ -8630,16 +8146,6 @@ "version": 210 }, "e72f87d0-a70e-4f8d-8443-a6407bc34643": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 205, - "rule_name": "Suspicious WMI Event Subscription Created", - "sha256": "1d4928687d5b313813eacd82c02dd0bbb88450ae3f5d5333b8a9e6294eb7c536", - "type": "eql", - "version": 108 - } - }, "rule_name": "Suspicious WMI Event Subscription Created", "sha256": "9c93aeec24059f67b5818ecca56f9e895e131405830338493251cb0e0658c8e3", "type": "eql", 
@@ -8730,16 +8236,6 @@ "version": 3 }, "e90ee3af-45fc-432e-a850-4a58cf14a457": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 310, - "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", - "sha256": "cd48b966ef0a6d90372a5d1bea8755963aa907f83d7e62adacbb43d77280b961", - "type": "threshold", - "version": 212 - } - }, "rule_name": "High Number of Okta User Password Reset or Unlock Attempts", "sha256": "cd48b966ef0a6d90372a5d1bea8755963aa907f83d7e62adacbb43d77280b961", "type": "threshold", @@ -8842,7 +8338,6 @@ "version": 104 }, "eb804972-ea34-11ee-a417-f661ea17fbce": { - "min_stack_version": "8.16", "rule_name": "Behavior - Prevented - Elastic Defend", "sha256": "02eda12d21fbff98e95223ba0596351a3c2e483be002663151be5c250edadc69", "type": "query", @@ -8921,16 +8416,6 @@ "version": 317 }, "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 308, - "rule_name": "Attempt to Deactivate an Okta Application", - "sha256": "3d33d63b18b70ecb260d4753743b10a2f38b083d5fd42f92e86d1a27f815795e", - "type": "query", - "version": 210 - } - }, "rule_name": "Attempt to Deactivate an Okta Application", "sha256": "3d33d63b18b70ecb260d4753743b10a2f38b083d5fd42f92e86d1a27f815795e", "type": "query", @@ -8949,16 +8434,6 @@ "version": 9 }, "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 205, - "rule_name": "Okta FastPass Phishing Detection", - "sha256": "79bcd3e51917161d1bbbb3d46ba9ae90ed7261430e0bddd58d172517d5348729", - "type": "query", - "version": 107 - } - }, "rule_name": "Okta FastPass Phishing Detection", "sha256": "79bcd3e51917161d1bbbb3d46ba9ae90ed7261430e0bddd58d172517d5348729", "type": "query", 
@@ -9037,16 +8512,6 @@ "version": 111 }, "f06414a6-f2a4-466d-8eba-10f85e8abf71": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 307, - "rule_name": "Administrator Role Assigned to an Okta User", - "sha256": "d92a66888822d35e66809a1c34f7e2a8a0429973e9e2ba1971c23ead1cfa2518", - "type": "query", - "version": 209 - } - }, "rule_name": "Administrator Role Assigned to an Okta User", "sha256": "d92a66888822d35e66809a1c34f7e2a8a0429973e9e2ba1971c23ead1cfa2518", "type": "query", @@ -9065,7 +8530,6 @@ "version": 105 }, "f0cc239b-67fa-46fc-89d4-f861753a40f5": { - "min_stack_version": "8.17", "rule_name": "Microsoft Azure or Mail Sign-in from a Suspicious Source", "sha256": "4fd69243a3f405a2fc8dac28257d472860062369ad573cd79c1e6fc5b6add7a7", "type": "esql", @@ -9126,7 +8590,6 @@ "version": 213 }, "f2c3caa6-ea34-11ee-a417-f661ea17fbce": { - "min_stack_version": "8.16", "rule_name": "Malicious File - Detected - Elastic Defend", "sha256": "41ad2b2030986dcdd6d5acd828d369cbf10f4b53afd0cbc73f44834f48ac57aa", "type": "query", @@ -9187,7 +8650,6 @@ "version": 7 }, "f38633f4-3b31-4c80-b13d-e77c70ce8254": { - "min_stack_version": "8.17", "rule_name": "Potential PowerShell Obfuscation via Reverse Keywords", "sha256": "f1e316afb64f4a9a133e5e3d818c57ed93ff99c9d5594d2251e7fa353ff01d9e", "type": "esql", @@ -9440,7 +8902,6 @@ "version": 314 }, "f87e6122-ea34-11ee-a417-f661ea17fbce": { - "min_stack_version": "8.16", "rule_name": "Malicious File - Prevented - Elastic Defend", "sha256": "5f0651f7f44774e085a9b994162b48004c1a1ea83463576e78763c92ceecb71b", "type": "query", 
@@ -9495,16 +8956,6 @@ "version": 114 }, "f994964f-6fce-4d75-8e79-e16ccc412588": { - "min_stack_version": "8.15", - "previous": { - "8.14": { - "max_allowable_version": 307, - "rule_name": "Suspicious Activity Reported by Okta User", - "sha256": "6e2937a3d1e9b3398d71d4bd594a454dcd061816ff73f7c83de5de94a21590d2", - "type": "query", - "version": 209 - } - }, "rule_name": "Suspicious Activity Reported by Okta User", "sha256": "6e2937a3d1e9b3398d71d4bd594a454dcd061816ff73f7c83de5de94a21590d2", "type": "query", @@ -9571,7 +9022,6 @@ "version": 2 }, "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a": { - "min_stack_version": "8.18", "rule_name": "Unusual Group Name Accessed by a User", "sha256": "9f2db22b9e734b5a889262f1f2f439535f666e0297237040c15e016852a51ff1", "type": "machine_learning", @@ -9584,7 +9034,6 @@ "version": 100 }, "fbb10f1e-77cb-42f9-994e-5da17fc3fc15": { - "min_stack_version": "8.18", "rule_name": "Unusual Source IP for Okta Privileged Operations Detected", "sha256": "f1169e957a20125ed74336cc3fa63c1c0f4d95f9affb1dff7262a2ab43453162", "type": "machine_learning", @@ -9777,16 +9226,6 @@ "version": 107 }, "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b": { - "min_stack_version": "8.16", - "previous": { - "8.14": { - "max_allowable_version": 106, - "rule_name": "Potential Sudo Token Manipulation via Process Injection", - "sha256": "8fbb3353e5408d77e803c0cc9fddcaa0d3eeb968ec610316ae535419f86a94ec", - "type": "eql", - "version": 8 - } - }, "rule_name": "Potential Sudo Token Manipulation via Process Injection", "sha256": "7dee889e4307b772481635d2b67ec6dfbc300840bfed47d7b74ea140549cfc50", "type": "eql", diff --git a/detection_rules/schemas/__init__.py b/detection_rules/schemas/__init__.py index 416094cb1..c1fc8b4b7 100644 --- a/detection_rules/schemas/__init__.py +++ b/detection_rules/schemas/__init__.py 
@@ -313,12 +313,24 @@ def migrate_to_8_18(version: Version, api_contents: dict[str, Any]) -> dict[str,
     return strip_additional_properties(version, api_contents)
 
 
+@migrate("8.19")
+def migrate_to_8_19(version: Version, api_contents: dict[str, Any]) -> dict[str, Any]:
+    """Default migration for 8.19."""
+    return strip_additional_properties(version, api_contents)
+
+
 @migrate("9.0")
 def migrate_to_9_0(version: Version, api_contents: dict[str, Any]) -> dict[str, Any]:
     """Default migration for 9.0."""
     return strip_additional_properties(version, api_contents)
 
 
+@migrate("9.1")
+def migrate_to_9_1(version: Version, api_contents: dict[str, Any]) -> dict[str, Any]:
+    """Default migration for 9.1."""
+    return strip_additional_properties(version, api_contents)
+
+
 def downgrade(
     api_contents: dict[str, Any], target_version: str, current_version_val: str | None = None
 ) -> dict[str, Any]:
diff --git a/pyproject.toml b/pyproject.toml
index 455194084..bf039133d 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.3.2"
+version = "1.3.3"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
index 0930f8b01..329c2fd6e 100644
--- a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
+++ b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
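Review bot: The new migrate_to_8_19 and migrate_to_9_1 are further copies of a two-line body that already exists for 8.18 and 9.0, so these four registrations now differ only in the string handed to @migrate. Unless the registry behind migrate() needs a distinct named function object per version (not visible in this hunk), a single loop such as `for _v in ("8.18", "8.19", "9.0", "9.1"): migrate(_v)(strip_additional_properties)` would make the next stack bump a one-token change; if distinct functions are required, a small factory that stamps the version into `__doc__` gives the same effect. In either form the docstring should say what the default migration does rather than only name the version, e.g. `"""Default migration for 8.19: strip properties the 8.19 schema does not accept."""` (wording to be confirmed against strip_additional_properties, which is defined outside this hunk). The `downgrade()` signature at the end of the hunk continues outside it.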
@@ -2,16 +2,14 @@ creation_date = "2025/04/29" integration = ["azure", "o365"] maturity = "production" -updated_date = "2025/05/15" -min_stack_version = "8.17.0" -min_stack_comments = "Elastic ES|QL query functions limitation." - +updated_date = "2025/07/02" [rule] author = ["Elastic"] description = """ This rule correlate Azure or Office 356 mail successful sign-in events with network security alerts by source.ip. -Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud resources. +Adversaries may trigger some network security alerts such as reputation or other anomalies before accessing cloud +resources. """ false_positives = [ """ @@ -73,7 +71,7 @@ tags = [ "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", - "Rule Type: Higher-Order Rule" + "Rule Type: Higher-Order Rule", ] timestamp_override = "event.ingested" type = "esql" diff --git a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml index 3f457935c..124a39fc3 100644 --- a/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml +++ b/rules/integrations/aws/initial_access_iam_session_token_used_from_multiple_addresses.toml 
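Review bot: The description on the new side still reads `This rule correlate Azure or Office 356 mail successful sign-in events`, a grammar slip plus a product-name typo ("356" for "365") that is shown verbatim in the rule UI and alert context; since this hunk already reflows the description, fix it here: `This rule correlates Azure or Office 365 mail successful sign-in events with network security alerts by source.ip.`. Removing `min_stack_version = "8.17.0"` is consistent with this same change dropping the pre-8.18 entries from the version lock, but the deleted `min_stack_comments` ("Elastic ES|QL query functions limitation.") was the only record of why that floor existed, so anyone later backporting this ES|QL rule below 8.18 loses the warning; a one-line `# ES|QL query functions used here require 8.17+` comment next to `type = "esql"` would preserve it at no cost. The `[rule]` table continues past the end of the hunk.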
@@ -1,22 +1,27 @@
 [metadata]
 creation_date = "2025/04/11"
 integration = ["aws"]
-min_stack_version = "8.17.0"
-min_stack_comments = "Elastic ES|QL values aggregation is more performant in 8.16.5 and above."
 maturity = "production"
-updated_date = "2025/05/29"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
 description = """
-This rule identifies potentially suspicious activity by detecting instances where a single IAM user's temporary session token is accessed from multiple IP addresses within a short time frame. Such behavior may suggest that an adversary has compromised temporary credentials and is utilizing them from various locations.
-To enhance detection accuracy and minimize false positives, the rule incorporates criteria that evaluate unique IP addresses, user agents, cities, and networks. These additional checks help distinguish between legitimate distributed access patterns and potential credential misuse.
-Detected activities are classified into different types based on the combination of unique indicators, with each classification assigned a fidelity score reflecting the likelihood of malicious behavior. High fidelity scores are given to patterns most indicative of threats, such as multiple unique IPs, networks, cities, and user agents. Medium and low fidelity scores correspond to less severe patterns, enabling security teams to effectively prioritize alerts.
+This rule identifies potentially suspicious activity by detecting instances where a single IAM user's temporary session
+token is accessed from multiple IP addresses within a short time frame. Such behavior may suggest that an adversary has
+compromised temporary credentials and is utilizing them from various locations. To enhance detection accuracy and
+minimize false positives, the rule incorporates criteria that evaluate unique IP addresses, user agents, cities, and
+networks. These additional checks help distinguish between legitimate distributed access patterns and potential
+credential misuse. Detected activities are classified into different types based on the combination of unique
+indicators, with each classification assigned a fidelity score reflecting the likelihood of malicious behavior. High
+fidelity scores are given to patterns most indicative of threats, such as multiple unique IPs, networks, cities, and
+user agents. Medium and low fidelity scores correspond to less severe patterns, enabling security teams to effectively
+prioritize alerts.
 """
 false_positives = [
 """
- Highly distributed environments (e.g., globally deployed automation or edge nodes) may cause a single IAM user to appear from multiple IPs.
- Review the geolocation, network context, and user agent patterns to rule out benign use.
+ Highly distributed environments (e.g., globally deployed automation or edge nodes) may cause a single IAM user to
+ appear from multiple IPs. Review the geolocation, network context, and user agent patterns to rule out benign use.
 """,
 ]
 from = "now-32m"
diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
index 70676b277..62c22b810 100644
--- a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
+++ b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -2,9 +2,7 @@
 creation_date = "2025/07/01"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "Elastic ES|QL values aggregation is more performant in 8.16.5 and above."
-min_stack_version = "8.17.0"
-updated_date = "2025/07/01"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml b/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
index 92db80a2d..a311d6ba5 100644
--- a/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
+++ b/rules/integrations/azure/credential_access_entra_signin_brute_force_microsoft_365.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/06/05"
-min_stack_version = "8.17.0"
-min_stack_comments = "Elastic ES|QL values aggregation is more performant in 8.16.5 and above."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -241,3 +239,4 @@ reference = "https://attack.mitre.org/techniques/T1110/004/"
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml b/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml
index 71cdff304..6e62d69af 100644
--- a/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml
+++ b/rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml
@@ -2,9 +2,7 @@
 creation_date = "2025/05/08"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "Elastic ES|QL values aggregation is more performant in 8.16.5 and above."
-min_stack_version = "8.17.0"
-updated_date = "2025/05/08"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
index a07298314..61581563a 100644
--- a/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
+++ b/rules/integrations/azure/initial_access_entra_id_suspicious_oauth_flow_via_auth_broker_to_drs.toml
@@ -2,9 +2,7 @@
 creation_date = "2025/04/30"
 integration = ["azure"]
 maturity = "production"
-min_stack_comments = "Elastic ES|QL values aggregation is more performant in 8.16.5 and above."
-min_stack_version = "8.17.0"
-updated_date = "2025/06/11"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
index 6efe866ae..14688de2d 100644
--- a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
+++ b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
@@ -2,10 +2,8 @@
 creation_date = "2024/03/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
-min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
index 30c8f39a9..850693eb4 100644
--- a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
+++ b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
@@ -2,10 +2,8 @@
 creation_date = "2024/03/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
-min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
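Review bot: The removed `min_stack_comments` says the 8.16.0 floor existed because Defend alerts only distinguish prevention from detection from that patch onward, and this file is one half of a `_detected`/`_prevented` pair with `promotion = true`; once `min_stack_version` is gone nothing in the rule metadata stops it being promoted on a stack without that distinction, where presumably both halves of the pair could fire on the same endpoint alert, or neither. That is only safe if the repository-wide minimum stack is now at or above 8.16, which this hunk does not state, so please confirm it and record the new floor in the PR description rather than leaving the rationale only in the deleted comment. The same applies to the other endpoint promotion rules changed the same way in this commit.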
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
index 545b32f35..a240af55c 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
@@ -2,10 +2,8 @@
 creation_date = "2024/03/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
-min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
index bb24e18e9..293cd3403 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
@@ -2,10 +2,8 @@
 creation_date = "2024/03/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
-min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
index 27540bdad..9aa905bb6 100644
--- a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
+++ b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
@@ -2,10 +2,8 @@
 creation_date = "2024/03/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
-min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
index f456b755c..fb0004930 100644
--- a/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
+++ b/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
@@ -2,10 +2,8 @@
 creation_date = "2024/03/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
-min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml b/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
index 0690b835f..6f583fc11 100644
--- a/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
+++ b/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
@@ -2,10 +2,8 @@
 creation_date = "2024/03/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
-min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml b/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
index bb35e257d..8ff6dc03c 100644
--- a/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
+++ b/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
@@ -2,10 +2,8 @@
 creation_date = "2024/03/24"
 integration = ["endpoint"]
 maturity = "production"
-min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
-min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/03/21"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
index 1aeb79dae..203e8cc6f 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_excessive_account_lockouts.toml
@@ -2,9 +2,7 @@
 creation_date = "2025/05/10"
 integration = ["o365"]
 maturity = "production"
-min_stack_version = "8.17.0"
-min_stack_comments = "Elastic ES|QL values aggregation is more performant in 8.16.5 and above."
-updated_date = "2025/05/10"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml
index fe187d392..bb2a93206 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_user_account_brute_force.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/05/20"
-min_stack_version = "8.17.0"
-min_stack_comments = "Elastic ES|QL values aggregation is more performant in 8.16.5 and above."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml b/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml
index 4f07ef637..a77b4e56c 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_susp_oauth2_authorization.toml
@@ -2,9 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["o365"]
 maturity = "production"
-updated_date = "2025/06/25"
-min_stack_version = "8.17.0"
-min_stack_comments = "Elastic ES|QL values aggregation is more performant in 8.16.5 and above."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -128,3 +126,4 @@ reference = "https://attack.mitre.org/techniques/T1550/001/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
+
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 4723dd4f8..a7c2689ef 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +65,12 @@ references = [
 risk_score = 73
 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
 severity = "high"
-tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+"Data Source: Okta",
+"Use Case: Identity and Access Audit",
+"Tactic: Credential Access",
+"Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
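Review bot: The deleted `min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."` was the only record of why this rule could not run below 8.15.0, and with `min_stack_version` gone nothing in the rule stops it being loaded against an older Okta integration, where a query written for the post-8.15 field layout would most likely match nothing rather than error, i.e. silent loss of coverage for an MFA-bypass detection. That is only safe if the repository's global minimum stack is now 8.15 or higher, which the hunk does not show; please confirm and note the new floor in the PR description so the other Okta rules losing this floor in the same commit can be checked together. The `tags` reflow in the second hunk is formatting only.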
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index b21fe99db..0c7a8ec86 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -65,7 +63,12 @@ references = [
 risk_score = 47
 rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+"Use Case: Identity and Access Audit",
+"Tactic: Credential Access",
+"Data Source: Okta",
+"Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "threshold"
 
diff --git a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
index 8595d3b42..48fac6165 100644
--- a/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
+++ b/rules/integrations/okta/credential_access_multiple_auth_events_from_single_device_behind_proxy.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/10"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -76,7 +74,12 @@ risk_score = 47
 rule_id = "50887ba8-7ff7-11ee-a038-f661ea17fbcd"
 setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+"Use Case: Identity and Access Audit",
+"Data Source: Okta",
+"Tactic: Credential Access",
+"Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "threshold"
 
diff --git a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
index 4b67396cf..d3196e7b4 100644
--- a/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
+++ b/rules/integrations/okta/credential_access_multiple_device_token_hashes_for_single_okta_session.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/08"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
-min_stack_version = "8.15.0"
-updated_date = "2025/01/15"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +15,7 @@ from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
 name = "Multiple Device Token Hashes for Single Okta Session"
-note = """
-## Triage and analysis
+note = """## Triage and analysis
 
 ### Investigating Multiple Device Token Hashes for Single Okta Session
 
@@ -69,7 +66,13 @@ setup = """## Setup
 
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access", "Domain: SaaS", "Resources: Investigation Guide"]
+tags = [
+"Use Case: Identity and Access Audit",
+"Data Source: Okta",
+"Tactic: Credential Access",
+"Domain: SaaS",
+"Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
 
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
index 8e8bd9988..e7c7191b1 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_from_single_source.toml
@@ -2,14 +2,14 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
-min_stack_version = "8.15.0"
-updated_date = "2025/01/15"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
+Detects when a certain threshold of Okta user authentication events are reported for multiple users from the same client
+address. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by
+using a list of known usernames and passwords to gain unauthorized access to user accounts.
 """
 false_positives = [
 "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.",
@@ -80,7 +80,12 @@ risk_score = 21
 rule_id = "94e734c0-2cda-11ef-84e1-f661ea17fbce"
 setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+"Use Case: Identity and Access Audit",
+"Data Source: Okta",
+"Tactic: Credential Access",
+"Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
 
@@ -100,29 +105,32 @@ FROM logs-okta*
 source_auth_count DESC
 '''
 
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
 
- [[rule.threat.technique.subtechnique]]
- id = "T1110.003"
- name = "Password Spraying"
- reference = "https://attack.mitre.org/techniques/T1110/003/"
 
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.004"
+name = "Credential Stuffing"
+reference = "https://attack.mitre.org/techniques/T1110/004/"
+
 
- [[rule.threat.technique.subtechnique]]
- id = "T1110.004"
- name = "Credential Stuffing"
- reference = "https://attack.mitre.org/techniques/T1110/004/"
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
index d91f97f4b..d78f06345 100644
--- a/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
+++ b/rules/integrations/okta/credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml
@@ -2,14 +2,14 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
-min_stack_version = "8.15.0"
-updated_date = "2025/01/15"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
+Detects when a high number of Okta user authentication events are reported for multiple users in a short time frame.
+Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list
+of known usernames and passwords to gain unauthorized access to user accounts.
 """
 false_positives = [
 "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.",
@@ -77,7 +77,12 @@ risk_score = 21
 rule_id = "95b99adc-2cda-11ef-84e1-f661ea17fbce"
 setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+"Use Case: Identity and Access Audit",
+"Data Source: Okta",
+"Tactic: Credential Access",
+"Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
 
@@ -105,23 +110,25 @@ framework = "MITRE ATT&CK"
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
 
- [[rule.threat.technique.subtechnique]]
- id = "T1110.003"
- name = "Password Spraying"
- reference = "https://attack.mitre.org/techniques/T1110/003/"
 
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.004"
+name = "Credential Stuffing"
+reference = "https://attack.mitre.org/techniques/T1110/004/"
+
 
- [[rule.threat.technique.subtechnique]]
- id = "T1110.004"
- name = "Credential Stuffing"
- reference = "https://attack.mitre.org/techniques/T1110/004/"
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index 4da6f27a4..4c511098a 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/16"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -65,7 +63,12 @@ references = [
 risk_score = 47
 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+"Use Case: Identity and Access Audit",
+"Tactic: Credential Access",
+"Data Source: Okta",
+"Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "threshold"
 
diff --git a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
index b32244e0f..e05181c55 100644
--- a/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_mfa_bombing_via_push_notifications.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +65,12 @@ setup = """## Setup
 The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
 """
 severity = "high"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+"Use Case: Identity and Access Audit",
+"Tactic: Credential Access",
+"Data Source: Okta",
+"Resources: Investigation Guide",
+]
 type = "eql"
 
 query = '''
diff --git a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
index 97fe212d4..d3164a325 100644
--- a/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
+++ b/rules/integrations/okta/credential_access_okta_multiple_device_token_hashes_for_single_user.toml
@@ -2,14 +2,15 @@
 creation_date = "2024/06/17"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
-min_stack_version = "8.15.0"
-updated_date = "2025/01/15"
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
 description = """
-Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized access to user accounts.
+Detects when an Okta client address has a certain threshold of Okta user authentication events with multiple device
+token hashes generated for single user authentication. Adversaries may attempt to launch a credential stuffing or
+password spraying attack from the same device by using a list of known usernames and passwords to gain unauthorized
+access to user accounts.
 """
 false_positives = [
 "Users may share an endpoint related to work or personal use in which separate Okta accounts are used.",
@@ -80,7 +81,12 @@ risk_score = 21
 rule_id = "23f18264-2d6d-11ef-9413-f661ea17fbce"
 setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Credential Access", "Resources: Investigation Guide"]
+tags = [
+"Use Case: Identity and Access Audit",
+"Data Source: Okta",
+"Tactic: Credential Access",
+"Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
 
@@ -108,23 +114,25 @@ framework = "MITRE ATT&CK"
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.003"
+name = "Password Spraying"
+reference = "https://attack.mitre.org/techniques/T1110/003/"
 
- [[rule.threat.technique.subtechnique]]
- id = "T1110.003"
- name = "Password Spraying"
- reference = "https://attack.mitre.org/techniques/T1110/003/"
 
 [[rule.threat.technique]]
 id = "T1110"
 name = "Brute Force"
 reference = "https://attack.mitre.org/techniques/T1110/"
+[[rule.threat.technique.subtechnique]]
+id = "T1110.004"
+name = "Credential Stuffing"
+reference = "https://attack.mitre.org/techniques/T1110/004/"
+
 
- [[rule.threat.technique.subtechnique]]
- id = "T1110.004"
- name = "Credential Stuffing"
- reference = "https://attack.mitre.org/techniques/T1110/004/"
 
 [rule.threat.tactic]
 id = "TA0006"
 name = "Credential Access"
 reference = "https://attack.mitre.org/tactics/TA0006/"
+
diff --git a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
index a8becb9b5..7e54f71c4 100644
--- a/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
+++ b/rules/integrations/okta/credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/01/05"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/17"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -66,7 +64,12 @@ references = [
 risk_score = 73
 rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
 severity = "high"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+"Use Case: Identity and Access Audit",
+"Tactic: Credential Access",
+"Data Source: Okta",
+"Resources: Investigation Guide",
+]
 type = "eql"
 
 query = '''
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index 812f22c51..eef4992bb 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -2,9 +2,7 @@
 creation_date = "2022/03/22"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -60,7 +58,12 @@ references = [
 risk_score = 73
 rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911"
 severity = "high"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Credential Access", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+"Use Case: Identity and Access Audit",
+"Tactic: Credential Access",
+"Data Source: Okta",
+"Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index 88cba8926..5291da129 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index c90031f39..7f1bcaf2c 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
index 184080404..c2ae0981e 100644
--- a/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
+++ b/rules/integrations/okta/defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/09/11"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/02/03"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -21,37 +19,6 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials"
-references = [
- "https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/",
- "https://developer.okta.com/docs/reference/api/event-types/",
- "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
- "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
-]
-risk_score = 47
-rule_id = "6649e656-6f85-11ef-8876-f661ea17fbcc"
-severity = "medium"
-tags = [
- "Domain: SaaS",
- "Data Source: Okta",
- "Use Case: Threat Detection",
- "Use Case: Identity and Access Audit",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "new_terms"
-
-query = '''
-event.dataset: okta.system
- and event.action: "app.oauth2.as.token.grant"
- and okta.actor.type: "PublicClientApp"
- and okta.debug_context.debug_data.flattened.grantType: "client_credentials"
- and okta.outcome.result: "FAILURE"
- and not okta.client.user_agent.raw_user_agent: "Okta-Integrations"
- and not okta.actor.display_name: (Okta* or Datadog)
- and not okta.debug_context.debug_data.flattened.requestedScopes: ("okta.logs.read" or "okta.eventHooks.read" or "okta.inlineHooks.read")
- and okta.outcome.reason: "no_matching_scope"
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -86,6 +53,37 @@ OAuth 2.0 is a protocol for authorization, allowing apps to access resources on
 - Update and enforce stricter access controls and scope permissions for public client apps to minimize the risk of unauthorized scope requests.
 - Consider implementing multi-factor authentication (MFA) for accessing sensitive resources to add an additional layer of security.
 - Escalate the incident to the security operations center (SOC) for further investigation and to determine if broader organizational impacts exist."""
+references = [
+ "https://github.blog/news-insights/company-news/security-alert-stolen-oauth-user-tokens/",
+ "https://developer.okta.com/docs/reference/api/event-types/",
+ "https://www.elastic.co/security-labs/monitoring-okta-threats-with-elastic-security",
+ "https://www.elastic.co/security-labs/starter-guide-to-understanding-okta",
+]
+risk_score = 47
+rule_id = "6649e656-6f85-11ef-8876-f661ea17fbcc"
+severity = "medium"
+tags = [
+ "Domain: SaaS",
+ "Data Source: Okta",
+ "Use Case: Threat Detection",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: okta.system
+ and event.action: "app.oauth2.as.token.grant"
+ and okta.actor.type: "PublicClientApp"
+ and okta.debug_context.debug_data.flattened.grantType: "client_credentials"
+ and okta.outcome.result: "FAILURE"
+ and not okta.client.user_agent.raw_user_agent: "Okta-Integrations"
+ and not okta.actor.display_name: (Okta* or Datadog)
+ and not okta.debug_context.debug_data.flattened.requestedScopes: ("okta.logs.read" or "okta.eventHooks.read" or "okta.inlineHooks.read")
+ and okta.outcome.reason: "no_matching_scope"
+'''
 [[rule.threat]]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index 6d408d13c..afb56b6df 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -74,7 +72,12 @@ references = [
 risk_score = 21
 rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index 161e2f362..497da81d4 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -73,7 +71,12 @@ references = [
 risk_score = 47
 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index d54427942..d15fdf579 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/28"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -74,7 +72,12 @@ references = [
 risk_score = 47
 rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index 1d9deff77..5b253b86d 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -73,7 +71,12 @@ references = [
 risk_score = 21
 rule_id = "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index 7e6d20602..2811f0d54 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index 47827cd6d..2be46aca1 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -62,7 +60,12 @@ references = [
 risk_score = 21
 rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index 4232a443f..b163bbcf4 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -71,7 +69,12 @@ references = [
 risk_score = 21
 rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Defense Evasion", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 1862d7402..8c9739a98 100644
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -64,7 +62,12 @@ references = [
 risk_score = 47
 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index d5ab503cf..f3129fa16 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -60,7 +58,12 @@ references = [
 risk_score = 21
 rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index 94eb2871c..121e67e54 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -64,7 +62,12 @@ references = [
 risk_score = 21
 rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index dc63c7c14..ade1997e4 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -70,7 +68,12 @@ references = [
 risk_score = 21
 rule_id = "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index 34b39df8b..79b6707bf 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -71,7 +69,12 @@ references = [
 risk_score = 21
 rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09"
 severity = "low"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 0d8d62910..52c88d548 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -64,7 +62,12 @@ references = [
 risk_score = 47
 rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
index 198052a76..ad10f74ed 100644
--- a/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
+++ b/rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/02/19"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -54,7 +52,12 @@ references = [
 risk_score = 47
 rule_id = "6f1bb4b2-7dc8-11ee-92b2-f661ea17fbcd"
 severity = "medium"
-tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Tactic: Initial Access",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "new_terms"
diff --git a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
index 0e18cae8b..e9c89d825 100644
--- a/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
+++ b/rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -58,7 +56,12 @@ references = [
 risk_score = 47
 rule_id = "260486ee-7d98-11ee-9599-f661ea17fbcd"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
index 739694179..286487e6a 100644
--- a/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
+++ b/rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/05/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Austin Songer"]
@@ -67,7 +65,12 @@ references = [
 risk_score = 47
 rule_id = "ee39a9f7-5a79-4b0a-9815-d36b3cf28d3e"
 severity = "medium"
-tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Tactic: Initial Access",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index a09dadfa8..d157ea468 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -2,9 +2,7 @@
 creation_date = "2021/05/14"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -62,7 +60,12 @@ references = [
 risk_score = 21
 rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
 severity = "low"
-tags = ["Tactic: Initial Access", "Use Case: Identity and Access Audit", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Tactic: Initial Access",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
index d6ad8c201..e301109a9 100644
--- a/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
+++ b/rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/18"
 integration = ["okta"]
 maturity = "production"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
-min_stack_version = "8.15.0"
-updated_date = "2025/01/15"
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -19,7 +17,6 @@ language = "esql"
 license = "Elastic License v2"
 name = "Okta User Sessions Started from Different Geolocations"
 note = """
-
 ## Triage and analysis
 ### Investigating Okta User Sessions Started from Different Geolocations
@@ -69,11 +66,14 @@ references = [
 ]
 risk_score = 47
 rule_id = "2e56e1bc-867a-11ee-b13e-f661ea17fbcd"
-setup = """
-The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
-"""
+setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -92,6 +92,7 @@ FROM logs-okta*
 geo_auth_counts >= 2
 '''
+
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -103,7 +104,10 @@ id = "T1078.004"
 name = "Cloud Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
 [rule.threat.tactic]
 id = "TA0001"
 name = "Initial Access"
 reference = "https://attack.mitre.org/tactics/TA0001/"
+
diff --git a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
index ecebc0835..aec07d4bd 100644
--- a/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
+++ b/rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -66,7 +64,12 @@ references = [
 risk_score = 47
 rule_id = "1ceb05c4-7d25-11ee-9562-f661ea17fbcd"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Initial Access", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
index b1b7c5a26..2a87b962d 100644
--- a/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
+++ b/rules/integrations/okta/initial_access_successful_application_sso_from_unknown_client_device.toml
@@ -2,9 +2,7 @@
 creation_date = "2024/10/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -20,27 +18,6 @@ index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Successful Application SSO from Rare Unknown Client Device"
-references = ["https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/"]
-risk_score = 47
-rule_id = "1502a836-84b2-11ef-b026-f661ea17fbcc"
-severity = "medium"
-tags = [
- "Domain: SaaS",
- "Data Source: Okta",
- "Use Case: Threat Detection",
- "Use Case: Identity and Access Audit",
- "Tactic: Initial Access",
- "Resources: Investigation Guide",
-]
-timestamp_override = "event.ingested"
-type = "new_terms"
-
-query = '''
-event.dataset: "okta.system"
- and event.action: "user.authentication.sso"
- and event.outcome: "success"
- and okta.client.device: ("Unknown" or "unknown")
-'''
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -76,6 +53,27 @@ Single sign-on (SSO) streamlines user access across applications by using a sing
 - Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
 - Review and update Okta's device recognition policies to improve detection of unknown or rare devices, reducing the risk of similar incidents.
 - Monitor for any further suspicious SSO activities from unknown devices and escalate to the incident response team if additional alerts are triggered."""
+references = ["https://trust.okta.com/security-advisories/okta-classic-application-sign-on-policy-bypass-2024/"]
+risk_score = 47
+rule_id = "1502a836-84b2-11ef-b026-f661ea17fbcc"
+severity = "medium"
+tags = [
+ "Domain: SaaS",
+ "Data Source: Okta",
+ "Use Case: Threat Detection",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "okta.system"
+ and event.action: "user.authentication.sso"
+ and event.outcome: "success"
+ and okta.client.device: ("Unknown" or "unknown")
+'''
 [[rule.threat]]
@@ -97,3 +95,5 @@ value = ["client.user.name", "okta.client.user_agent.raw_user_agent"]
 [[rule.new_terms.history_window_start]]
 field = "history_window_start"
 value = "now-14d"
+
+
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index c89b06d5d..3cee4601d 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -66,7 +64,12 @@ references = [
 risk_score = 47
 rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
index bb7a87f7a..fdf12c3e9 100644
--- a/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
+++ b/rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/07"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -70,7 +68,12 @@ references = [
 risk_score = 47
 rule_id = "621e92b6-7e54-11ee-bdc0-f661ea17fbcd"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Lateral Movement",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
index a3ab2ec43..efa11cf5d 100644
--- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
+++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
@@ -3,9 +3,7 @@ creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
 promotion = true
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 2e80a0667..859394bc1 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -72,7 +70,12 @@ references = [
 risk_score = 47
 rule_id = "b8075894-0b62-46e5-977c-31275da34419"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index e939ceec7..9c8b02f76 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -73,7 +71,12 @@ references = [
 risk_score = 47
 rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71"
 severity = "medium"
-tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Data Source: Okta",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index 8339505e3..3d49244c9 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
@@ -71,7 +69,12 @@ references = [
 risk_score = 47
 rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index 2e4baf9d1..399af2398 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/21"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +70,12 @@ references = [
 risk_score = 21
 rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"
 severity = "low"
-tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Tactic: Persistence",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
index ac824eaae..ca42fcb56 100644
--- a/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
+++ b/rules/integrations/okta/persistence_mfa_deactivation_with_no_reactivation.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/05/20"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +65,13 @@ risk_score = 21
 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
 setup = "The Okta Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.\n"
 severity = "low"
-tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Domain: Cloud", "Resources: Investigation Guide"]
+tags = [
+ "Tactic: Persistence",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Domain: Cloud",
+ "Resources: Investigation Guide",
+]
 type = "eql"
 
 query = '''
diff --git a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
index b8bb28bb3..ec410cc91 100644
--- a/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
+++ b/rules/integrations/okta/persistence_new_idp_successfully_added_by_admin.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/06"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -62,7 +60,12 @@ references = [
 risk_score = 47
 rule_id = "29b53942-7cd4-11ee-b70e-f661ea17fbcd"
 severity = "medium"
-tags = ["Use Case: Identity and Access Audit", "Tactic: Persistence", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index 23f0ae7db..b85da21ef 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -2,9 +2,7 @@
 creation_date = "2020/07/01"
 integration = ["okta"]
 maturity = "production"
-updated_date = "2025/01/15"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +70,12 @@ references = [
 risk_score = 47
 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
 severity = "medium"
-tags = ["Tactic: Persistence", "Use Case: Identity and Access Audit", "Data Source: Okta", "Resources: Investigation Guide"]
+tags = [
+ "Tactic: Persistence",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
index 7afee2022..b0edb92b5 100644
--- a/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
+++ b/rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
@@ -2,9 +2,7 @@
 creation_date = "2023/11/09"
 integration = ["endpoint", "okta"]
 maturity = "production"
-updated_date = "2025/02/19"
-min_stack_version = "8.15.0"
-min_stack_comments = "Breaking change at 8.15.0 for the Okta Integration."
+updated_date = "2025/07/02"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
index ced6c3ebd..95c5b7cbd 100644
--- a/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml
@@ -2,57 +2,21 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has detected an increase in the execution of privileged commands by a user, suggesting potential privileged access activity.
-This may indicate an attempt by the user to gain unauthorized access to sensitive or restricted parts of the system.
+A machine learning job has detected an increase in the execution of privileged commands by a user, suggesting potential
+privileged access activity. This may indicate an attempt by the user to gain unauthorized access to sensitive or
+restricted parts of the system.
 """
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_linux_high_count_privileged_process_events_by_user"
 name = "Spike in Privileged Command Execution by a User"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -88,6 +52,41 @@ Machine learning models are employed to monitor and analyze user behavior, speci
 - Notify the security team and relevant stakeholders about the incident, providing details of the detected anomaly and actions taken so far.
 - Implement additional monitoring on the affected systems and user accounts to detect any further suspicious activities or attempts to regain unauthorized access.
 - Review and update access controls and permissions to ensure that users have the minimum necessary privileges, reducing the risk of privilege escalation in the future."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "bd1eadf6-3ac6-4e66-91aa-4a1e6711915f"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+ +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -95,7 +94,9 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml index b2e61a467..cea8bce82 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml 
@@ -2,57 +2,22 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has identified an unusually high median command line entropy for privileged commands executed by a user, suggesting possible privileged access activity through command lines.
-High entropy often indicates that the commands may be obfuscated or deliberately complex, which can be a sign of suspicious or unauthorized use of privileged access.
+A machine learning job has identified an unusually high median command line entropy for privileged commands executed by
+a user, suggesting possible privileged access activity through command lines. High entropy often indicates that the
+commands may be obfuscated or deliberately complex, which can be a sign of suspicious or unauthorized use of privileged
+access.
 """
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_linux_high_median_process_command_line_entropy_by_user"
 name = "High Command Line Entropy Detected for Privileged Commands"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "0cbbb5e0-f93a-47fe-ab72-8213366c38f1"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -88,6 +53,41 @@ Machine learning models analyze command line inputs to identify high entropy, wh
 - Implement additional monitoring on the affected system and related accounts to detect any further suspicious activities.
 - Escalate the incident to the security operations center (SOC) for a comprehensive investigation and to determine if other systems are affected.
 - Update and reinforce endpoint protection measures to detect and block similar obfuscation or high-entropy command line activities in the future."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "0cbbb5e0-f93a-47fe-ab72-8213366c38f1"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+ +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -95,7 +95,9 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml index 05b61e3f9..c25efcf12 100644 --- a/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_linux_rare_process_executed_by_user.toml 
@@ -2,56 +2,20 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "sysmon_linux"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has detected an unusual process run for privileged commands by a user, indicating potential privileged access activity.
+A machine learning job has detected an unusual process run for privileged commands by a user, indicating potential
+privileged access activity.
 """
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_linux_rare_process_executed_by_user"
 name = "Unusual Process Detected for Privileged Commands by a User"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "5eac16ab-6d4f-427b-9715-f33e1b745fc7"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -87,6 +51,41 @@ Machine learning models are employed to identify anomalies in process execution,
 - Implement additional monitoring on the affected system and user account to detect any further anomalous behavior or attempts at privilege escalation.
 - Review and update access controls and permissions for the affected user account to ensure they align with the principle of least privilege.
 - Document the incident, including actions taken and lessons learned, to improve response strategies and prevent recurrence."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "5eac16ab-6d4f-427b-9715-f33e1b745fc7"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Linux logs collected by integrations such as Elastic Defend and Sysmon Linux.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Linux events collected by [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) or [Sysmon Linux](https://docs.elastic.co/en/integrations/sysmon_linux) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add Sysmon Linux integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+ +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -94,7 +93,9 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml index c482bfc27..225018502 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml 
@@ -1,58 +1,24 @@
 [metadata]
 creation_date = "2025/02/18"
-integration = ["pad","okta"]
+integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has detected an unusually high number of active concurrent sessions initiated by a user, indicating potential privileged access activity.
-A sudden surge in concurrent active sessions by a user may indicate an attempt to abuse valid credentials for privilege escalation or maintain persistence.
-Adversaries might be leveraging multiple sessions to execute privileged operations, evade detection, or perform unauthorized actions across different systems.
+A machine learning job has detected an unusually high number of active concurrent sessions initiated by a user,
+indicating potential privileged access activity. A sudden surge in concurrent active sessions by a user may indicate an
+attempt to abuse valid credentials for privilege escalation or maintain persistence. Adversaries might be leveraging
+multiple sessions to execute privileged operations, evade detection, or perform unauthorized actions across different
+systems.
 """
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_okta_high_sum_concurrent_sessions_by_user"
 name = "Unusual Spike in Concurrent Active Sessions by a User"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "a300dea6-e228-40e1-9123-a339e207378b"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -87,6 +53,40 @@ The detection of unusual spikes in concurrent active sessions leverages machine
 - Escalate the incident to the security operations team for further investigation and to assess the need for additional security measures or incident response actions.
 - Implement additional monitoring on the affected systems and user accounts to detect any further suspicious activity or attempts to regain access.
 - Review and update access controls and permissions to ensure that only authorized users have the necessary privileges, reducing the risk of future privilege escalation attempts."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "a300dea6-e228-40e1-9123-a339e207378b"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -99,7 +99,9 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml index f46f70d0c..1387bf227 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_rare_host_name_by_user.toml 
@@ -1,57 +1,22 @@
 [metadata]
 creation_date = "2025/02/18"
-integration = ["pad","okta"]
+integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has identified a user performing privileged operations in Okta from an uncommon device, indicating potential privileged access activity.
-This could signal a compromised account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges.
+A machine learning job has identified a user performing privileged operations in Okta from an uncommon device,
+indicating potential privileged access activity. This could signal a compromised account, an attacker using stolen
+credentials, or an insider threat leveraging an unauthorized device to escalate privileges.
 """
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_okta_rare_host_name_by_user"
 name = "Unusual Host Name for Okta Privileged Operations Detected"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 
 > **Disclaimer**:
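Review bot: Dropping `min_stack_version = "8.18.0"` together with its `min_stack_comments` explanation leaves the new `[metadata]` table with no statement that this rule depends on an integration that did not exist before 8.18; presumably the repository-wide minimum stack has moved to 8.18 or later so the per-rule floor became redundant, but that is not visible from the rule file, and anyone backporting these PAD rules would now have to discover the dependency from the integration itself. If that is the reason, a sentence in the PR description recording it would make the removal safe to audit later. The same removal appears in the `@@ -1,57 +1,22 @@` hunk of the rare_region_name, rare_source_ip, spike_in_group_application_assignment_changes, spike_in_group_lifecycle_changes and spike_in_group_membership_changes files. The `[rule]` table this hunk opens continues outside it.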
@@ -88,6 +53,40 @@ Okta is a widely used identity management service that facilitates secure user a
 - Implement additional monitoring on the affected account and similar privileged accounts to detect any further suspicious activities.
 - Review and update access controls and policies to ensure that only authorized devices can perform privileged operations in Okta.
 - Consider enabling multi-factor authentication (MFA) for all privileged accounts to add an additional layer of security against unauthorized access."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "8c9ae3e2-f0b1-4b2c-9eba-bd87c2db914f"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -95,7 +94,9 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
index 2d66b9d67..f79d485a9 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_region_name_by_user.toml
@@ -1,57 +1,22 @@
 [metadata]
 creation_date = "2025/02/18"
-integration = ["pad","okta"]
+integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has identified a user performing privileged operations in Okta from an uncommon geographical location, indicating potential privileged access activity.
-This could suggest a compromised account, unauthorized access, or an attacker using stolen credentials to escalate privileges.
+A machine learning job has identified a user performing privileged operations in Okta from an uncommon geographical
+location, indicating potential privileged access activity. This could suggest a compromised account, unauthorized
+access, or an attacker using stolen credentials to escalate privileges.
 """
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_okta_rare_region_name_by_user"
 name = "Unusual Region Name for Okta Privileged Operations Detected"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -88,6 +53,40 @@ Okta is a widely used identity management service that controls access to applic
 - Review and update access controls and permissions for the affected account to ensure they align with the principle of least privilege.
 - Monitor for any additional suspicious activity across other accounts and systems to identify potential lateral movement or further compromise.
 - Document the incident details and response actions taken for future reference and to improve incident response processes."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "a8f7187f-76d6-4c1d-a1d5-1ff301ccc120"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -95,7 +94,9 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
index 1583382c4..938ae0eef 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_rare_source_ip_by_user.toml
@@ -1,57 +1,22 @@
 [metadata]
 creation_date = "2025/02/18"
-integration = ["pad","okta"]
+integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP, indicating potential privileged access activity.
-This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges.
+A machine learning job has identified a user performing privileged operations in Okta from an uncommon source IP,
+indicating potential privileged access activity. This could suggest an account compromise, misuse of administrative
+privileges, or an attacker leveraging a new network location to escalate privileges.
 """
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_okta_rare_source_ip_by_user"
 name = "Unusual Source IP for Okta Privileged Operations Detected"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "fbb10f1e-77cb-42f9-994e-5da17fc3fc15"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -87,6 +52,40 @@ Okta is a widely used identity management service that controls access to applic
 - Review and update access logs to ensure all unusual IP addresses are flagged and monitored for any future access attempts.
 - Implement network-based restrictions to block the identified unusual IP address from accessing the Okta environment.
 - Conduct a post-incident analysis to identify the root cause and update security policies and procedures to prevent similar incidents in the future."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "fbb10f1e-77cb-42f9-994e-5da17fc3fc15"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -94,7 +93,9 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
index f9b0152d1..f84ac248b 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml
@@ -1,57 +1,22 @@
 [metadata]
 creation_date = "2025/02/18"
-integration = ["pad","okta"]
+integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has identified an unusual spike in Okta group application assignment change events, indicating potential privileged access activity.
-Threat actors might be assigning applications to groups to escalate access, maintain persistence, or facilitate lateral movement within an organization’s environment.
+A machine learning job has identified an unusual spike in Okta group application assignment change events, indicating
+potential privileged access activity. Threat actors might be assigning applications to groups to escalate access,
+maintain persistence, or facilitate lateral movement within an organization’s environment.
 """
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_okta_spike_in_group_application_assignment_changes"
 name = "Spike in Group Application Assignment Change Events"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "3278313c-d6cd-4d49-aa24-644e1da6623c"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -87,13 +52,42 @@ In modern environments, identity and access management systems like Okta manage
 - Implement additional monitoring on the affected accounts and groups to detect any further suspicious activity.
 - Review and update access controls and group assignment policies to prevent similar unauthorized changes in the future.
 - Coordinate with the IT and security teams to ensure that all affected systems and applications are patched and secured against known vulnerabilities."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "3278313c-d6cd-4d49-aa24-644e1da6623c"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1098"
-name = "Account Manipulation"
-reference = "https://attack.mitre.org/techniques/T1098/"
-
 [[rule.threat.technique]]
 id = "T1068"
 name = "Exploitation for Privilege Escalation"
@@ -104,7 +98,14 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
index d8e6ac204..14c6f23bd 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml
@@ -1,57 +1,22 @@
 [metadata]
 creation_date = "2025/02/18"
-integration = ["pad","okta"]
+integration = ["pad", "okta"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has identified an unusual spike in Okta group lifecycle change events, indicating potential privileged access activity.
-Adversaries may be altering group structures to escalate privileges, maintain persistence, or facilitate lateral movement within an organization’s identity management system.
+A machine learning job has identified an unusual spike in Okta group lifecycle change events, indicating potential
+privileged access activity. Adversaries may be altering group structures to escalate privileges, maintain persistence,
+or facilitate lateral movement within an organization’s identity management system.
 """
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_okta_spike_in_group_lifecycle_changes"
 name = "Spike in Group Lifecycle Change Events"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
-- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -87,6 +52,40 @@ In identity management systems like Okta, group lifecycle changes are crucial fo
 - Review and update access controls and group management policies to ensure they align with the principle of least privilege, minimizing the risk of privilege escalation.
 - Coordinate with the IT and security teams to apply patches or updates to any vulnerabilities identified during the investigation that may have been exploited for privilege escalation.
 - Document the incident, including all actions taken, and conduct a post-incident review to identify lessons learned and improve future response strategies."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "aa28f01d-bc93-4c8f-bc01-6f67f2a0a833"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration.
+- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -99,7 +98,9 @@ id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
index 55ea9e30f..abd5652b0 100644
--- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
+++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_membership_changes.toml
@@ -1,57 +1,22 @@ [metadata] creation_date = "2025/02/18" -integration = ["pad","okta"] +integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/02/18" -min_stack_version = "8.18.0" -min_stack_comments = "New PAD integration only available starting at 8.18.0." +updated_date = "2025/07/02" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job has identified an unusual spike in Okta group membership events, indicating potential privileged access activity. -Attackers or malicious insiders might be adding accounts to privileged groups to escalate their access, potentially leading to unauthorized actions or data breaches. +A machine learning job has identified an unusual spike in Okta group membership events, indicating potential privileged +access activity. Attackers or malicious insiders might be adding accounts to privileged groups to escalate their access, +potentially leading to unauthorized actions or data breaches. """ from = "now-3h" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "pad_okta_spike_in_group_membership_changes" name = "Spike in Group Membership Events" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/pad" -] -risk_score = 21 -rule_id = "138520d2-11ff-4288-a80e-a45b36dca4b1" -setup = """## Setup - -The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. - -### Privileged Access Detection Setup -The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. - -#### Prerequisite Requirements: -- Fleet is required for Privileged Access Detection. 
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). -- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. -- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. - -#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: -- Go to the Kibana homepage. Under Management, click Integrations. -- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. -- Follow the instructions under the **Installation** section. -- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. -""" -severity = "low" -tags = [ - "Use Case: Privileged Access Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide" -] -type = "machine_learning" note = """## Triage and analysis > **Disclaimer**: 
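Review bot: Removing `min_stack_version = "8.18.0"` and its `min_stack_comments` line drops the only explicit record that this rule cannot run below 8.18, while `integration = ["pad", "okta"]` still depends on the PAD package that the removed comment says first shipped in 8.18.0. That is presumably fine because 8.18 is now the oldest maintained branch, but the constraint has become implicit; if an older branch is ever re-added to the version lock, the gate has to be restored or the rule will be backported to a stack that has no `pad_okta_spike_in_group_membership_changes` job. Consider recording that dependency in the PR description so the reason for the removal stays discoverable. The rest of the hunk is a field reorder and rewrap with no behavioral change.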
@@ -87,6 +52,40 @@ In modern IT environments, group membership management is crucial for controllin - Implement additional monitoring on the affected accounts and privileged groups to detect any further suspicious activity. - Review and update access control policies to ensure that only authorized personnel can modify group memberships, reducing the risk of future unauthorized changes. - Document the incident and response actions taken, and conduct a post-incident review to identify any gaps in the current security posture and improve future response efforts.""" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad", +] +risk_score = 21 +rule_id = "138520d2-11ff-4288-a80e-a45b36dca4b1" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. +- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. 
+- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -99,7 +98,9 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml index ddf6c5d19..51b64715d 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_group_privilege_changes.toml 
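Review bot: The relocated `tags` array lists both `Rule Type: ML` and `Rule Type: Machine Learning`, which label the same property twice and surface as two separate filters in the rules table. If both are kept deliberately for compatibility with existing saved queries that is not visible from this diff; otherwise drop `"Rule Type: ML",` and keep the spelled-out form that matches `type = "machine_learning"`. Everything else in the hunk is a move of existing fields below `note`.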
@@ -1,57 +1,22 @@ [metadata] creation_date = "2025/02/18" -integration = ["pad","okta"] +integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/02/18" -min_stack_version = "8.18.0" -min_stack_comments = "New PAD integration only available starting at 8.18.0." +updated_date = "2025/07/02" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential privileged access activity. -Attackers might be elevating privileges by adding themselves or compromised accounts to high-privilege groups, enabling further access or persistence. +A machine learning job has identified an unusual spike in Okta group privilege change events, indicating potential +privileged access activity. Attackers might be elevating privileges by adding themselves or compromised accounts to +high-privilege groups, enabling further access or persistence. """ from = "now-3h" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "pad_okta_spike_in_group_privilege_changes" name = "Spike in Group Privilege Change Events" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/pad" -] -risk_score = 21 -rule_id = "02b4420d-eda2-4529-9e46-4a60eccb7e2d" -setup = """## Setup - -The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. - -### Privileged Access Detection Setup -The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. - -#### Prerequisite Requirements: -- Fleet is required for Privileged Access Detection. 
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). -- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. -- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. - -#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: -- Go to the Kibana homepage. Under Management, click Integrations. -- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. -- Follow the instructions under the **Installation** section. -- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. -""" -severity = "low" -tags = [ - "Use Case: Privileged Access Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide" -] -type = "machine_learning" note = """## Triage and analysis > **Disclaimer**: 
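Review bot: This hunk silently widens the rule's stack compatibility by deleting `min_stack_version = "8.18.0"` and the comment explaining it, even though the rule still declares `integration = ["pad", "okta"]` and its job `pad_okta_spike_in_group_privilege_changes` only exists where the PAD package can be installed. Presumably the oldest locked branch is now 8.18 so the floor is implied, but nothing in the file says so any more; if that assumption changes, the rule becomes eligible for a branch that cannot load the job. A one-line mention in the PR description of why the gate was removed would preserve the reasoning. The description rewrap and `integration` spacing changes are cosmetic.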
@@ -87,13 +52,42 @@ In environments using Okta, group privilege changes are crucial for managing acc - Implement additional monitoring on the affected accounts and privileged groups to detect any further unauthorized changes or access attempts. - Review and update access control policies to ensure that only authorized personnel can modify group memberships, reducing the risk of future privilege escalation. - Document the incident, including all actions taken, to improve response strategies and inform future security measures.""" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad", +] +risk_score = 21 +rule_id = "02b4420d-eda2-4529-9e46-4a60eccb7e2d" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. +- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. 
+- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -104,7 +98,14 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml index 6ab4c3870..6a80f4a7b 100644 --- a/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml +++ b/rules/integrations/pad/privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml 
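Review bot: T1098 Account Manipulation is re-added only under the TA0004 Privilege Escalation tactic, although the rule's own description in the first hunk of this file says the activity is `enabling further access or persistence`, and ATT&CK also lists T1098 under Persistence. If the persistence angle is intended, a second `[[rule.threat]]` block mapping T1098 to TA0003 plus a `"Tactic: Persistence"` tag would make the mapping match the prose; that is a content change, so it may belong in a follow-up rather than this formatting commit. Separately, the hunk introduces two consecutive blank lines before `[rule.threat.tactic]` where the file otherwise separates tables with one.
```toml
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```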
@@ -1,57 +1,22 @@ [metadata] creation_date = "2025/02/18" -integration = ["pad","okta"] +integration = ["pad", "okta"] maturity = "production" -updated_date = "2025/02/18" -min_stack_version = "8.18.0" -min_stack_comments = "New PAD integration only available starting at 8.18.0." +updated_date = "2025/07/02" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating potential privileged access activity. -Threat actors may manipulate user accounts to gain higher access rights or persist within the environment. +A machine learning job has identified an unusual spike in Okta user lifecycle management change events, indicating +potential privileged access activity. Threat actors may manipulate user accounts to gain higher access rights or persist +within the environment. """ from = "now-3h" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "pad_okta_spike_in_user_lifecycle_management_changes" name = "Spike in User Lifecycle Management Change Events" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/pad" -] -risk_score = 21 -rule_id = "178770e0-5c20-4246-b430-e216a2888b23" -setup = """## Setup - -The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. - -### Privileged Access Detection Setup -The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. - -#### Prerequisite Requirements: -- Fleet is required for Privileged Access Detection. -- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). 
-- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. -- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. - -#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: -- Go to the Kibana homepage. Under Management, click Integrations. -- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. -- Follow the instructions under the **Installation** section. -- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. -""" -severity = "low" -tags = [ - "Use Case: Privileged Access Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide" -] -type = "machine_learning" note = """## Triage and analysis > **Disclaimer**: 
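Review bot: The deletion of `min_stack_version = "8.18.0"` and `min_stack_comments` leaves the rule with no stated floor even though `integration = ["pad", "okta"]` and `machine_learning_job_id = "pad_okta_spike_in_user_lifecycle_management_changes"` still require the PAD package, which the removed comment says is only available from 8.18.0. That is presumably safe because 8.18 is now the oldest maintained branch, but the dependency is now implicit and would only resurface as a missing-job failure if the rule were ever promoted to an older branch. Note the reason in the PR description or keep the comment; the remaining changes in the hunk are a rewrap and a field move.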
@@ -86,19 +51,55 @@ User lifecycle management in environments like Okta involves creating, modifying - Implement additional monitoring on the affected accounts and related systems to detect any further suspicious activity or attempts to regain unauthorized access. - Escalate the incident to higher-level security management if the scope of the breach is extensive or if sensitive data may have been compromised. - Review and update access management policies and procedures to prevent similar incidents in the future, ensuring that changes to user accounts are logged and regularly reviewed.""" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad", +] +risk_score = 21 +rule_id = "178770e0-5c20-4246-b430-e216a2888b23" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Okta logs collected by integrations such as Okta. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Okta events collected by [Okta](https://docs.elastic.co/en/integrations/okta) integration. +- To add the Okta integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. 
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml index feb73369c..bf61284ea 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_group_management_events.toml 
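Review bot: The re-added T1098 Account Manipulation mapping sits only under TA0004, yet the description in this file's first hunk says threat actors may `persist within the environment`, which is the Persistence tactic (TA0003) that ATT&CK also assigns to T1098. If that is the intended coverage, add a second `[[rule.threat]]` block for TA0003 and a `"Tactic: Persistence"` tag; since this commit is otherwise formatting-only, it may be better as a follow-up. The double blank line introduced before `[rule.threat.tactic]` is inconsistent with the single blank line used between the other tables.
```toml
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```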
@@ -2,58 +2,22 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/02/18" -min_stack_version = "8.18.0" -min_stack_comments = "New PAD integration only available starting at 8.18.0." +updated_date = "2025/07/02" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job has identified a spike in group management events for a user, indicating potential privileged access activity. -The machine learning has flagged an abnormal rise in group management actions (such as adding or removing users from privileged groups), -which could point to an attempt to escalate privileges or unauthorized modifications to group memberships. +A machine learning job has identified a spike in group management events for a user, indicating potential privileged +access activity. The machine learning has flagged an abnormal rise in group management actions (such as adding or +removing users from privileged groups), which could point to an attempt to escalate privileges or unauthorized +modifications to group memberships. """ from = "now-3h" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "pad_windows_high_count_group_management_events" name = "Spike in Group Management Events" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/pad" -] -risk_score = 21 -rule_id = "751b0329-7295-4682-b9c7-4473b99add69" -setup = """## Setup - -The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. - -### Privileged Access Detection Setup -The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. 
- -#### Prerequisite Requirements: -- Fleet is required for Privileged Access Detection. -- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). -- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. -- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). -- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. - -#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: -- Go to the Kibana homepage. Under Management, click Integrations. -- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. -- Follow the instructions under the **Installation** section. -- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. -""" -severity = "low" -tags = [ - "Use Case: Privileged Access Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide" -] -type = "machine_learning" note = """## Triage and analysis > **Disclaimer**: 
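Review bot: Dropping `min_stack_version = "8.18.0"` and `min_stack_comments` removes the explicit statement that `pad_windows_high_count_group_management_events` needs the PAD package, which the deleted comment says only exists from 8.18.0. With 8.18 presumably the oldest maintained branch the gate is redundant today, but the dependency is now undocumented; if the lock list ever includes an older branch the rule would be backported to a stack without the job. Keep the rationale somewhere discoverable, such as the PR description; the rest of the hunk is a reorder and rewrap.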
@@ -89,19 +53,56 @@ The detection of spikes in group management events leverages machine learning to - Reset the password for the affected user account and enforce multi-factor authentication to enhance security. - Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation. - Implement additional monitoring on the affected account and related privileged groups to detect any further suspicious activities.""" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad", +] +risk_score = 21 +rule_id = "751b0329-7295-4682-b9c7-4473b99add69" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. +- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. 
Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" -[[rule.threat.technique]] -id = "T1098" -name = "Account Manipulation" -reference = "https://attack.mitre.org/techniques/T1098/" - [[rule.threat.technique]] id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" +[[rule.threat.technique]] +id = "T1098" +name = "Account Manipulation" +reference = "https://attack.mitre.org/techniques/T1098/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml index 2021fe615..d287e6828 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_logon_events.toml 
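Review bot: The relocated `setup` only says Windows events must be collected by Elastic Defend or the Windows integration, but a baseline for group management events exists only if the host emits them; for the Security log that presumably depends on the `Audit Security Group Management` subcategory being enabled, which neither integration turns on by itself (confirm against the PAD job's datafeed, which is not in this diff). Suggest a bullet under Prerequisite Requirements: `- Ensure the Windows audit policy on monitored hosts generates group management events (e.g. Audit Security Group Management); without them the anomaly job has nothing to model.` The re-added T1098 mapping and the two blank lines before `[rule.threat.tactic]` are otherwise formatting only.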
@@ -2,57 +2,21 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/02/18" -min_stack_version = "8.18.0" -min_stack_comments = "New PAD integration only available starting at 8.18.0." +updated_date = "2025/07/02" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job has detected a surge in special logon events for a user, indicating potential privileged access activity. -A sudden spike in these events could suggest an attacker or malicious insider gaining elevated access, possibly for lateral movement or privilege escalation. +A machine learning job has detected a surge in special logon events for a user, indicating potential privileged access +activity. A sudden spike in these events could suggest an attacker or malicious insider gaining elevated access, +possibly for lateral movement or privilege escalation. """ from = "now-3h" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "pad_windows_high_count_special_logon_events" name = "Spike in Special Logon Events" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/pad" -] -risk_score = 21 -rule_id = "097ef0b8-fb21-4e45-ad89-d81666349c6a" -setup = """## Setup - -The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. - -### Privileged Access Detection Setup -The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. - -#### Prerequisite Requirements: -- Fleet is required for Privileged Access Detection. -- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). 
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. -- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). -- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. - -#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: -- Go to the Kibana homepage. Under Management, click Integrations. -- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. -- Follow the instructions under the **Installation** section. -- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. -""" -severity = "low" -tags = [ - "Use Case: Privileged Access Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide" -] -type = "machine_learning" note = """## Triage and analysis > **Disclaimer**: 
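Review bot: Deleting `min_stack_version = "8.18.0"` and `min_stack_comments` leaves `pad_windows_high_count_special_logon_events` with no declared stack floor even though the rule still depends on the PAD package, which the removed comment says first shipped in 8.18.0. That is presumably acceptable because 8.18 is now the oldest maintained branch, but the constraint has moved from the rule file into the release process; if an older branch re-enters the version lock, the rule would be backported without its job. Record the reason in the PR description; the description rewrap in this hunk is cosmetic.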
@@ -86,6 +50,41 @@ Special logon events are crucial for tracking privileged access, often indicatin - Implement additional monitoring on the affected systems and accounts to detect any further suspicious activities or attempts to regain access. - Review and update access controls and permissions to ensure that only necessary privileges are granted, reducing the risk of privilege escalation. - Enhance detection capabilities by tuning existing monitoring tools to better identify similar spikes in special logon events, leveraging insights from the current incident.""" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad", +] +risk_score = 21 +rule_id = "097ef0b8-fb21-4e45-ad89-d81666349c6a" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. +- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. 
+ +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -98,7 +97,9 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml index a8bba7880..581372213 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_special_privilege_use_events.toml 
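Review bot: The moved `setup` lists the Elastic Defend and Windows integrations as the only prerequisites, but special logon events are only written when the corresponding audit subcategory (presumably `Audit Special Logon`, which produces the events this job counts) is enabled on the host, and nothing in the integration setup enables it; confirm against the PAD job's datafeed, which is not visible here. Suggest adding under Prerequisite Requirements: `- Ensure the Windows audit policy on monitored hosts generates special logon events (Audit Special Logon); the job cannot build a baseline without them.` The rest of the hunk moves existing fields below `note`.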
@@ -2,57 +2,21 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has detected an unusual increase in special privilege usage events, such as privileged operations and service calls, for a user, suggesting potential unauthorized privileged access.
-A sudden spike in these events may indicate an attempt to escalate privileges, execute unauthorized tasks, or maintain persistence within a system.
+A machine learning job has detected an unusual increase in special privilege usage events, such as privileged operations
+and service calls, for a user, suggesting potential unauthorized privileged access. A sudden spike in these events may
+indicate an attempt to escalate privileges, execute unauthorized tasks, or maintain persistence within a system.
 """
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_windows_high_count_special_privilege_use_events"
 name = "Spike in Special Privilege Use Events"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "6fb2280a-d91a-4e64-a97e-1332284d9391"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 > **Disclaimer**:
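Review bot: Removing `min_stack_version = "8.18.0"` together with the `min_stack_comments` line at the top of this hunk drops the only per-rule record that the PAD machine-learning job this rule references is available from stack 8.18.0 onward; the same removal is made in the `@@ -2,…` hunk of each other PAD rule file in this diff. That is presumably safe because 8.18 is now the oldest branch the repository still releases to, but nothing in these hunks shows that floor, and a rule whose `machine_learning_job_id` cannot be resolved on an older stack fails silently rather than loudly. If the rule formatter keeps comments, a one-line note in `[metadata]` such as `# PAD assets require stack 8.18.0 or later; covered by the repository minimum stack version.` preserves the provenance without reintroducing the pin; otherwise the commit message should state the new minimum.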
@@ -88,6 +52,41 @@ Machine learning models monitor special privilege use, identifying anomalies tha
 - Escalate the incident to the security operations team for a deeper investigation into potential privilege escalation techniques used, referencing MITRE ATT&CK technique T1068.
 - Review and update access control policies and privilege management practices to ensure they align with the principle of least privilege, reducing the risk of similar incidents.
 - Conduct a post-incident analysis to identify any gaps in detection or response and enhance the machine learning model's ability to detect similar threats in the future."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "6fb2280a-d91a-4e64-a97e-1332284d9391"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -100,7 +99,9 @@
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
index a358595a2..ece76dfc0 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_high_count_user_account_management_events.toml
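Review bot: The triage guide's escalation bullet at the top of this hunk cites MITRE ATT&CK technique T1068, but the rule's `[[rule.threat]]` mapping in the trailing context (completed by the following hunk, which ends the file) lists only T1078 under TA0004. Unless a further `[[rule.threat]]` block sits outside these hunks, the guide and the mapping disagree, which makes the alert's ATT&CK annotation and its own investigation text point analysts at different techniques; either add a `[[rule.threat.technique]]` entry with `id = "T1068"`, `name = "Exploitation for Privilege Escalation"` and `reference = "https://attack.mitre.org/techniques/T1068/"`, or reword the bullet to reference T1078. The bullet is a context line, so the mismatch predates this commit, but the reorder of the rule body is the natural place to settle it.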
@@ -2,58 +2,22 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has identified a spike in user account management events for a user, indicating potential privileged access activity.
-This indicates an unusual increase in actions related to managing user accounts (such as creating, modifying, or deleting accounts),
-which could be a sign of an attempt to escalate privileges or unauthorized activity involving account management.
+A machine learning job has identified a spike in user account management events for a user, indicating potential
+privileged access activity. This indicates an unusual increase in actions related to managing user accounts (such as
+creating, modifying, or deleting accounts), which could be a sign of an attempt to escalate privileges or unauthorized
+activity involving account management.
 """
 from = "now-3h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_windows_high_count_user_account_management_events"
 name = "Spike in User Account Management Events"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "37cca4d4-92ab-4a33-a4f8-44a7a380ccda"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -88,6 +52,41 @@ The detection rule leverages machine learning to identify unusual spikes in user
 - Notify the security team and relevant stakeholders about the incident, providing them with details of the spike in user account management events and any identified malicious activities.
 - Implement additional monitoring and alerting for the affected user account and related systems to detect any further suspicious activities promptly.
 - Review and update access controls and user account management policies to prevent similar incidents in the future, ensuring that only authorized personnel have the necessary privileges."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "37cca4d4-92ab-4a33-a4f8-44a7a380ccda"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -100,7 +99,9 @@
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
-reference = "https://attack.mitre.org/tactics/TA0004/"
\ No newline at end of file
+reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
index f22552737..3ddc61961 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_device_by_user.toml
@@ -2,57 +2,21 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has identified a user performing privileged operations in Windows from an uncommon device, indicating potential privileged access activity.
-This could signal a compromised account, an attacker using stolen credentials, or an insider threat leveraging an unauthorized device to escalate privileges.
+A machine learning job has identified a user performing privileged operations in Windows from an uncommon device,
+indicating potential privileged access activity. This could signal a compromised account, an attacker using stolen
+credentials, or an insider threat leveraging an unauthorized device to escalate privileges.
 """
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_windows_rare_device_by_user"
 name = "Unusual Host Name for Windows Privileged Operations Detected"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "2bca4fcd-5228-4472-9071-148903a31057"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -88,6 +52,41 @@ Machine learning models analyze patterns of privileged operations in Windows env
 - Implement additional monitoring on the affected account and device to detect any further suspicious activities.
 - Review and update access controls and permissions to ensure that only authorized devices and users can perform privileged operations.
 - Consider implementing multi-factor authentication (MFA) for privileged accounts to enhance security and prevent unauthorized access."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "2bca4fcd-5228-4472-9071-148903a31057"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -95,7 +94,9 @@
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
+
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
index 473ff3e6b..afb390d22 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_group_name_by_user.toml
@@ -2,58 +2,22 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has detected a user accessing an uncommon group name for privileged operations, indicating potential privileged access activity.
-This indicates that a user has accessed a group name that is unusual for their typical operations, particularly for actions requiring elevated privileges.
-This could point to an attempt to manipulate group memberships or escalate privileges on a system.
+A machine learning job has detected a user accessing an uncommon group name for privileged operations, indicating
+potential privileged access activity. This indicates that a user has accessed a group name that is unusual for their
+typical operations, particularly for actions requiring elevated privileges. This could point to an attempt to manipulate
+group memberships or escalate privileges on a system.
 """
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_windows_rare_group_name_by_user"
 name = "Unusual Group Name Accessed by a User"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -90,6 +54,41 @@ In IT environments, group names often define access levels and permissions. Adve
 - Implement additional monitoring on the affected user account and the unusual group name to detect any further unauthorized access attempts.
 - Review and update access control policies to ensure that only authorized users have access to sensitive group names and privileged operations.
 - Consider implementing additional security measures, such as multi-factor authentication, for accessing sensitive group names to prevent unauthorized access in the future."""
+references = [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
+ "https://docs.elastic.co/en/integrations/pad",
+]
+risk_score = 21
+rule_id = "fb5d91d0-3b94-4f91-bf20-b6fbc4b2480a"
+setup = """## Setup
+
+The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
+
+### Privileged Access Detection Setup
+The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
+
+#### Prerequisite Requirements:
+- Fleet is required for Privileged Access Detection.
+- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
+- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
+- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
+- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
+
+#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
+- Go to the Kibana homepage. Under Management, click Integrations.
+- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
+- Follow the instructions under the **Installation** section.
+- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
+"""
+severity = "low"
+tags = [
+ "Use Case: Privileged Access Detection",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -102,11 +101,11 @@
 id = "T1078"
 name = "Valid Accounts"
 reference = "https://attack.mitre.org/techniques/T1078/"
+
 [rule.threat.tactic]
 id = "TA0004"
 name = "Privilege Escalation"
 reference = "https://attack.mitre.org/tactics/TA0004/"
-
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
@@ -114,6 +113,7 @@
 id = "T1069"
 name = "Permission Groups Discovery"
 reference = "https://attack.mitre.org/techniques/T1069/"
+
 [rule.threat.tactic]
 id = "TA0007"
 name = "Discovery"
diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
index 11e413892..f7407fd16 100644
--- a/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
+++ b/rules/integrations/pad/privileged_access_ml_windows_rare_privilege_assigned_to_user.toml
@@ -2,57 +2,21 @@
 creation_date = "2025/02/18"
 integration = ["pad", "endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/02/18"
-min_stack_version = "8.18.0"
-min_stack_comments = "New PAD integration only available starting at 8.18.0."
+updated_date = "2025/07/02"
 [rule]
 anomaly_threshold = 75
 author = ["Elastic"]
 description = """
-A machine learning job has identified a user leveraging an uncommon privilege type for privileged operations, indicating potential privileged access activity.
-This indicates that a user is performing operations requiring elevated privileges but is using a privilege type that is not typically seen in their baseline logs.
+A machine learning job has identified a user leveraging an uncommon privilege type for privileged operations, indicating
+potential privileged access activity. This indicates that a user is performing operations requiring elevated privileges
+but is using a privilege type that is not typically seen in their baseline logs.
 """
 from = "now-1h"
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "pad_windows_rare_privilege_assigned_to_user"
 name = "Unusual Privilege Type assigned to a User"
-references = [
- "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html",
- "https://docs.elastic.co/en/integrations/pad"
-]
-risk_score = 21
-rule_id = "27569131-560e-441e-b556-0b9180af3332"
-setup = """## Setup
-
-The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows.
-
-### Privileged Access Detection Setup
-The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature.
-
-#### Prerequisite Requirements:
-- Fleet is required for Privileged Access Detection.
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
-- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration.
-- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
-- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide.
-
-#### The following steps should be executed to install assets associated with the Privileged Access Detection integration:
-- Go to the Kibana homepage. Under Management, click Integrations.
-- In the query bar, search for Privileged Access Detection and select the integration to see more details about it.
-- Follow the instructions under the **Installation** section.
-- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**.
-"""
-severity = "low"
-tags = [
- "Use Case: Privileged Access Detection",
- "Rule Type: ML",
- "Rule Type: Machine Learning",
- "Tactic: Privilege Escalation",
- "Resources: Investigation Guide"
-]
-type = "machine_learning"
 note = """## Triage and analysis
 > **Disclaimer**:
@@ -88,6 +52,41 @@ In modern IT environments, privilege management is crucial for maintaining secur - Implement additional monitoring on the affected user account and similar accounts to detect any further suspicious activities or privilege misuse. - Update and reinforce access control policies to prevent similar privilege escalation attempts, ensuring that privilege assignments are regularly reviewed and validated. - Document the incident details, response actions taken, and lessons learned to improve future incident response and privilege management processes.""" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad", +] +risk_score = 21 +rule_id = "27569131-560e-441e-b556-0b9180af3332" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. +- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. 
+ +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -100,7 +99,9 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml index 635df8697..c3078e43d 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_region_name_by_user.toml 
@@ -2,57 +2,21 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/02/18" -min_stack_version = "8.18.0" -min_stack_comments = "New PAD integration only available starting at 8.18.0." +updated_date = "2025/07/02" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job has identified a user performing privileged operations in Windows from an uncommon geographical location, indicating potential privileged access activity. -This could suggest a compromised account, unauthorized access, or an attacker using stolen credentials to escalate privileges. +A machine learning job has identified a user performing privileged operations in Windows from an uncommon geographical +location, indicating potential privileged access activity. This could suggest a compromised account, unauthorized +access, or an attacker using stolen credentials to escalate privileges. """ from = "now-1h" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "pad_windows_rare_region_name_by_user" name = "Unusual Region Name for Windows Privileged Operations Detected" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/pad" -] -risk_score = 21 -rule_id = "d2703b82-f92c-4489-a4a7-62aa29a62542" -setup = """## Setup - -The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. - -### Privileged Access Detection Setup -The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. - -#### Prerequisite Requirements: -- Fleet is required for Privileged Access Detection. 
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). -- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. -- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). -- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. - -#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: -- Go to the Kibana homepage. Under Management, click Integrations. -- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. -- Follow the instructions under the **Installation** section. -- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. -""" -severity = "low" -tags = [ - "Use Case: Privileged Access Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide" -] -type = "machine_learning" note = """## Triage and analysis > **Disclaimer**: 
@@ -88,6 +52,41 @@ The detection leverages machine learning to identify privileged operations from - Notify the security team and relevant stakeholders about the incident for awareness and further action if needed. - Restore any unauthorized changes made during the incident from backups or logs, ensuring system integrity is maintained. - Update security policies and access controls to prevent similar incidents, focusing on restricting privileged operations from uncommon geographic locations.""" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad", +] +risk_score = 21 +rule_id = "d2703b82-f92c-4489-a4a7-62aa29a62542" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. +- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. + +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. 
Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -95,7 +94,9 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml index 6f4313e1d..e62fe19f6 100644 --- a/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml +++ b/rules/integrations/pad/privileged_access_ml_windows_rare_source_ip_by_user.toml 
@@ -2,57 +2,21 @@ creation_date = "2025/02/18" integration = ["pad", "endpoint", "windows"] maturity = "production" -updated_date = "2025/02/18" -min_stack_version = "8.18.0" -min_stack_comments = "New PAD integration only available starting at 8.18.0." +updated_date = "2025/07/02" [rule] anomaly_threshold = 75 author = ["Elastic"] description = """ -A machine learning job has identified a user performing privileged operations in Windows from an uncommon source IP, indicating potential privileged access activity. -This could suggest an account compromise, misuse of administrative privileges, or an attacker leveraging a new network location to escalate privileges. +A machine learning job has identified a user performing privileged operations in Windows from an uncommon source IP, +indicating potential privileged access activity. This could suggest an account compromise, misuse of administrative +privileges, or an attacker leveraging a new network location to escalate privileges. """ from = "now-1h" interval = "15m" license = "Elastic License v2" machine_learning_job_id = "pad_windows_rare_source_ip_by_user" name = "Unusual Source IP for Windows Privileged Operations Detected" -references = [ - "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", - "https://docs.elastic.co/en/integrations/pad" -] -risk_score = 21 -rule_id = "08be5599-3719-4bbd-8cbc-7e9cff556881" -setup = """## Setup - -The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. - -### Privileged Access Detection Setup -The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. - -#### Prerequisite Requirements: -- Fleet is required for Privileged Access Detection. 
-- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). -- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. -- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). -- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. - -#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: -- Go to the Kibana homepage. Under Management, click Integrations. -- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. -- Follow the instructions under the **Installation** section. -- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. -""" -severity = "low" -tags = [ - "Use Case: Privileged Access Detection", - "Rule Type: ML", - "Rule Type: Machine Learning", - "Tactic: Privilege Escalation", - "Resources: Investigation Guide" -] -type = "machine_learning" note = """## Triage and analysis > **Disclaimer**: 
@@ -87,6 +51,41 @@ Machine learning models analyze network patterns to identify anomalies, such as - Escalate the incident to the security operations center (SOC) for further investigation and to determine if additional systems or accounts have been compromised. - Implement additional monitoring on the affected system and user account to detect any further suspicious activity, leveraging enhanced logging and alerting mechanisms. - Review and update access controls and privilege management policies to ensure that only necessary privileges are granted, reducing the risk of privilege escalation in the future.""" +references = [ + "https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html", + "https://docs.elastic.co/en/integrations/pad", +] +risk_score = 21 +rule_id = "08be5599-3719-4bbd-8cbc-7e9cff556881" +setup = """## Setup + +The rule requires the Privileged Access Detection integration assets to be installed, as well as Windows logs collected by integrations such as Elastic Defend and Windows. + +### Privileged Access Detection Setup +The Privileged Access Detection integration detects privileged access activity by identifying abnormalities in Windows, Linux and Okta events. Anomalies are detected using Elastic's Anomaly Detection feature. + +#### Prerequisite Requirements: +- Fleet is required for Privileged Access Detection. +- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). +- Windows events collected by the [Elastic Defend](https://docs.elastic.co/en/integrations/endpoint) and [Windows](https://docs.elastic.co/en/integrations/windows) integration. +- To install Elastic Defend, refer to the [documentation](https://www.elastic.co/guide/en/security/current/install-endpoint.html). +- To add the Windows integration to an Elastic Agent policy, refer to [this](https://www.elastic.co/guide/en/fleet/current/add-integration-to-policy.html) guide. 
+ +#### The following steps should be executed to install assets associated with the Privileged Access Detection integration: +- Go to the Kibana homepage. Under Management, click Integrations. +- In the query bar, search for Privileged Access Detection and select the integration to see more details about it. +- Follow the instructions under the **Installation** section. +- For this rule to work, complete the instructions through **Add preconfigured anomaly detection jobs**. +""" +severity = "low" +tags = [ + "Use Case: Privileged Access Detection", + "Rule Type: ML", + "Rule Type: Machine Learning", + "Tactic: Privilege Escalation", + "Resources: Investigation Guide", +] +type = "machine_learning" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] @@ -94,7 +93,9 @@ id = "T1078" name = "Valid Accounts" reference = "https://attack.mitre.org/techniques/T1078/" + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" -reference = "https://attack.mitre.org/tactics/TA0004/" \ No newline at end of file +reference = "https://attack.mitre.org/tactics/TA0004/" + diff --git a/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml b/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml index c4f67be58..c22640094 100644 --- a/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml +++ b/rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml 
@@ -2,22 +2,56 @@ creation_date = "2024/08/28" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "Breaking change at 8.16.2 for the SentinelOne Integration." -min_stack_version = "8.16.2" -updated_date = "2025/01/24" +updated_date = "2025/07/02" [rule] author = ["Elastic"] description = """ -This rule detects the creation or renaming of the SELinux configuration file. SELinux is a security module that -provides access control security policies. Modifications to the SELinux configuration file may indicate an attempt to -impair defenses by disabling or modifying security tools. +This rule detects the creation or renaming of the SELinux configuration file. SELinux is a security module that provides +access control security policies. Modifications to the SELinux configuration file may indicate an attempt to impair +defenses by disabling or modifying security tools. """ from = "now-9m" index = ["logs-endpoint.events.file*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"] language = "eql" license = "Elastic License v2" name = "SELinux Configuration Creation or Renaming" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating SELinux Configuration Creation or Renaming + +SELinux, a Linux kernel security module, enforces access control policies to protect systems. Adversaries may target the SELinux configuration file to disable or alter these defenses, facilitating unauthorized access or evasion of security measures. The detection rule identifies suspicious activities like file creation or renaming in the SELinux configuration path, signaling potential defense evasion attempts. 
+ +### Possible investigation steps + +- Review the alert details to confirm the event action is either "creation", "file_create_event", "rename", or "file_rename_event" and that the file path is "/etc/selinux/config". +- Check the timestamp of the event to determine when the SELinux configuration file was created or renamed. +- Identify the user account and process responsible for the action by examining the event logs for associated user and process information. +- Investigate the history of changes to the SELinux configuration file to determine if there have been any recent unauthorized modifications. +- Correlate the event with other security alerts or logs to identify any related suspicious activities or patterns on the host. +- Assess the current state of SELinux on the affected system to ensure it is configured correctly and has not been disabled or altered inappropriately. +- If unauthorized changes are confirmed, initiate a response plan to mitigate potential security risks, which may include restoring the original configuration and conducting a broader security assessment of the system. + +### False positive analysis + +- Routine system updates or administrative tasks may trigger file creation or renaming events in the SELinux configuration path. Users can create exceptions for known update processes or trusted administrative scripts to prevent unnecessary alerts. +- Automated configuration management tools like Ansible, Puppet, or Chef might modify the SELinux configuration file as part of their normal operations. Users should identify and whitelist these tools to reduce false positives. +- Initial system setup or reconfiguration activities often involve legitimate changes to the SELinux configuration. Users can temporarily disable the rule during planned maintenance windows or add exceptions for specific time frames to avoid false alerts. +- Security audits or compliance checks may involve accessing or modifying SELinux settings. 
Users should coordinate with audit teams to recognize these activities and adjust the rule settings accordingly. +- Custom scripts or applications developed in-house that interact with SELinux settings should be reviewed and, if deemed safe, added to an exception list to minimize false positives. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary. +- Verify the integrity of the SELinux configuration file by comparing it with a known good backup. If discrepancies are found, restore the file from a trusted backup. +- Conduct a thorough review of recent user and process activity on the affected system to identify any unauthorized changes or suspicious behavior that may have led to the SELinux configuration modification. +- Re-enable SELinux enforcement if it has been disabled, and ensure that the correct security policies are applied to maintain system protection. +- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. +- Implement additional monitoring on the affected system and similar systems to detect any further attempts to modify SELinux configurations or other critical security settings. +- Review and update access controls and permissions to ensure that only authorized personnel have the ability to modify SELinux configurations, reducing the risk of future unauthorized changes.""" risk_score = 21 rule_id = "7b981906-86b7-4544-8033-c30ec6eb45fc" setup = """## Setup 
@@ -55,65 +89,32 @@ tags = [ "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: SentinelOne", - "Resources: Investigation Guide" + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "eql" + query = ''' file where host.os.type == "linux" and event.action in ("creation", "file_create_event", "rename", "file_rename_event") and file.path : "/etc/selinux/config" and not process.name in ("dockerd", "platform-python") ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating SELinux Configuration Creation or Renaming - -SELinux, a Linux kernel security module, enforces access control policies to protect systems. Adversaries may target the SELinux configuration file to disable or alter these defenses, facilitating unauthorized access or evasion of security measures. The detection rule identifies suspicious activities like file creation or renaming in the SELinux configuration path, signaling potential defense evasion attempts. - -### Possible investigation steps - -- Review the alert details to confirm the event action is either "creation", "file_create_event", "rename", or "file_rename_event" and that the file path is "/etc/selinux/config". -- Check the timestamp of the event to determine when the SELinux configuration file was created or renamed. -- Identify the user account and process responsible for the action by examining the event logs for associated user and process information. -- Investigate the history of changes to the SELinux configuration file to determine if there have been any recent unauthorized modifications. 
-- Correlate the event with other security alerts or logs to identify any related suspicious activities or patterns on the host. -- Assess the current state of SELinux on the affected system to ensure it is configured correctly and has not been disabled or altered inappropriately. -- If unauthorized changes are confirmed, initiate a response plan to mitigate potential security risks, which may include restoring the original configuration and conducting a broader security assessment of the system. - -### False positive analysis - -- Routine system updates or administrative tasks may trigger file creation or renaming events in the SELinux configuration path. Users can create exceptions for known update processes or trusted administrative scripts to prevent unnecessary alerts. -- Automated configuration management tools like Ansible, Puppet, or Chef might modify the SELinux configuration file as part of their normal operations. Users should identify and whitelist these tools to reduce false positives. -- Initial system setup or reconfiguration activities often involve legitimate changes to the SELinux configuration. Users can temporarily disable the rule during planned maintenance windows or add exceptions for specific time frames to avoid false alerts. -- Security audits or compliance checks may involve accessing or modifying SELinux settings. Users should coordinate with audit teams to recognize these activities and adjust the rule settings accordingly. -- Custom scripts or applications developed in-house that interact with SELinux settings should be reviewed and, if deemed safe, added to an exception list to minimize false positives. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or potential lateral movement by the adversary. -- Verify the integrity of the SELinux configuration file by comparing it with a known good backup. 
If discrepancies are found, restore the file from a trusted backup. -- Conduct a thorough review of recent user and process activity on the affected system to identify any unauthorized changes or suspicious behavior that may have led to the SELinux configuration modification. -- Re-enable SELinux enforcement if it has been disabled, and ensure that the correct security policies are applied to maintain system protection. -- Escalate the incident to the security operations team for further investigation and to determine if additional systems may be affected. -- Implement additional monitoring on the affected system and similar systems to detect any further attempts to modify SELinux configurations or other critical security settings. -- Review and update access controls and permissions to ensure that only authorized personnel have the ability to modify SELinux configurations, reducing the risk of future unauthorized changes.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1562" name = "Impair Defenses" reference = "https://attack.mitre.org/techniques/T1562/" - [[rule.threat.technique.subtechnique]] id = "T1562.001" name = "Disable or Modify Tools" reference = "https://attack.mitre.org/techniques/T1562/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" + diff --git a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml index 062c98380..c3b9b7108 100644 --- a/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml +++ b/rules/linux/defense_evasion_var_log_file_creation_by_unsual_process.toml 
@@ -2,16 +2,14 @@ creation_date = "2025/03/11" integration = ["endpoint", "sentinel_one_cloud_funnel"] maturity = "production" -min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration." -min_stack_version = "8.13.0" -updated_date = "2025/04/07" +updated_date = "2025/07/02" [rule] author = ["Elastic"] description = """ -This rule detects the creation of files in the /var/log/ directory via process executables located in -world-writeable locations or via hidden processes. Attackers may attempt to hide their activities by -creating files in the /var/log/ directory, which is commonly used for logging system events. +This rule detects the creation of files in the /var/log/ directory via process executables located in world-writeable +locations or via hidden processes. Attackers may attempt to hide their activities by creating files in the /var/log/ +directory, which is commonly used for logging system events. """ from = "now-9m" index = ["logs-endpoint.events.file*", "logs-sentinel_one_cloud_funnel.*", "endgame-*"] 
@@ -95,48 +93,48 @@ tags = [ ] timestamp_override = "event.ingested" type = "new_terms" + query = ''' event.category:file and host.os.type:linux and event.action:(creation or file_create_event or file_rename_event or rename) and (process.executable:(/tmp/* or /var/tmp/* or /dev/shm/* or ./* or /boot/*) or process.name:.*) and file.path:/var/log/* and not file.extension:* ''' + [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1564" name = "Hide Artifacts" reference = "https://attack.mitre.org/techniques/T1564/" - [[rule.threat.technique.subtechnique]] id = "T1564.001" name = "Hidden Files and Directories" reference = "https://attack.mitre.org/techniques/T1564/001/" + + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" reference = "https://attack.mitre.org/tactics/TA0005/" - [[rule.threat]] framework = "MITRE ATT&CK" - -[rule.threat.tactic] -name = "Execution" -id = "TA0002" -reference = "https://attack.mitre.org/tactics/TA0002/" - [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" - [[rule.threat.technique.subtechnique]] -name = "Unix Shell" id = "T1059.004" +name = "Unix Shell" reference = "https://attack.mitre.org/techniques/T1059/004/" + + +[rule.threat.tactic] +id = "TA0002" +name = "Execution" +reference = "https://attack.mitre.org/tactics/TA0002/" [[rule.threat]] framework = "MITRE ATT&CK" @@ -148,7 +146,8 @@ reference = "https://attack.mitre.org/tactics/TA0003/" [rule.new_terms] field = "new_terms_fields" value = ["file.path", "process.executable"] - [[rule.new_terms.history_window_start]] field = "history_window_start" value = "now-10d" + + diff --git a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml index a5d2203f9..1249a321c 100644 --- a/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml 
+++ b/rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml @@ -2,9 +2,7 @@ creation_date = "2024/06/17" integration = ["endpoint"] maturity = "production" -min_stack_version = "8.16.0" -min_stack_comments = "Breaking change at 8.16.0 for the Endpoint Integration with respect to ecs field process.group.id" -updated_date = "2025/02/04" +updated_date = "2025/07/02" [rule] author = ["Elastic"] 
@@ -19,6 +17,41 @@ index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Privilege Escalation via SUID/SGID" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Privilege Escalation via SUID/SGID + +SUID/SGID are Unix/Linux permissions that allow users to execute files with the file owner's or group's privileges, often root. Adversaries exploit misconfigured SUID/SGID binaries to gain elevated access or persistence. The detection rule identifies processes running with root privileges but initiated by non-root users, flagging potential misuse of SUID/SGID permissions. + +### Possible investigation steps + +- Review the process details, including process.name and process.args, to understand the nature of the executed command and its intended function. +- Check the process.real_user.id and process.real_group.id to identify the non-root user or group that initiated the process, and assess whether this user should have access to execute such commands. +- Investigate the parent process (process.parent.name) to determine the origin of the execution and whether it aligns with expected behavior or indicates potential compromise. +- Examine the system logs and user activity around the time of the alert to identify any suspicious actions or patterns that could suggest privilege escalation attempts. +- Verify the SUID/SGID permissions of the flagged binary to ensure they are correctly configured and assess whether they have been altered or misconfigured. 
+- Cross-reference the process with known vulnerabilities or exploits associated with the specific binary or command to determine if it is being targeted for privilege escalation. + +### False positive analysis + +- Processes initiated by legitimate system maintenance tasks or scripts may trigger the rule. Review scheduled tasks and scripts to identify benign activities and consider excluding them from the rule. +- Some system utilities or applications may inherently require SUID/SGID permissions for normal operation. Verify the necessity of these permissions and exclude known safe applications from the rule. +- Development or testing environments often run processes with elevated privileges for debugging purposes. Identify these environments and apply exceptions to avoid false positives. +- Administrative tools or scripts executed by system administrators might appear as privilege escalation attempts. Ensure these are documented and excluded if they are part of routine administrative tasks. +- Processes with the parent name "spine" are already excluded, indicating a known benign pattern. Review similar patterns in your environment and apply similar exclusions where applicable. + +### Response and remediation + +- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker. +- Terminate any suspicious processes identified by the detection rule that are running with elevated privileges but were initiated by non-root users. +- Conduct a thorough review of the SUID/SGID binaries on the affected system to identify and remove any unnecessary or misconfigured binaries that could be exploited for privilege escalation. +- Reset credentials and review access permissions for any accounts that may have been compromised or used in the attack to ensure they do not retain unauthorized elevated privileges. 
+- Apply security patches and updates to the operating system and all installed software to mitigate known vulnerabilities that could be exploited for privilege escalation. +- Implement enhanced monitoring and logging for SUID/SGID execution and privilege escalation attempts to detect and respond to similar threats in the future. +- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" references = [ "https://gtfobins.github.io/#+suid", "https://www.elastic.co/security-labs/primer-on-persistence-mechanisms", @@ -62,6 +95,7 @@ tags = [ ] timestamp_override = "event.ingested" type = "eql" + query = ''' process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( (process.user.id == "0" and process.real_user.id != "0") or 
@@ -96,45 +130,10 @@ process where host.os.type == "linux" and event.type == "start" and event.action ) ) and not process.parent.name == "spine" ''' -note = """## Triage and analysis -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Privilege Escalation via SUID/SGID - -SUID/SGID are Unix/Linux permissions that allow users to execute files with the file owner's or group's privileges, often root. Adversaries exploit misconfigured SUID/SGID binaries to gain elevated access or persistence. The detection rule identifies processes running with root privileges but initiated by non-root users, flagging potential misuse of SUID/SGID permissions. - -### Possible investigation steps - -- Review the process details, including process.name and process.args, to understand the nature of the executed command and its intended function. -- Check the process.real_user.id and process.real_group.id to identify the non-root user or group that initiated the process, and assess whether this user should have access to execute such commands. -- Investigate the parent process (process.parent.name) to determine the origin of the execution and whether it aligns with expected behavior or indicates potential compromise. -- Examine the system logs and user activity around the time of the alert to identify any suspicious actions or patterns that could suggest privilege escalation attempts. -- Verify the SUID/SGID permissions of the flagged binary to ensure they are correctly configured and assess whether they have been altered or misconfigured. 
-- Cross-reference the process with known vulnerabilities or exploits associated with the specific binary or command to determine if it is being targeted for privilege escalation. - -### False positive analysis - -- Processes initiated by legitimate system maintenance tasks or scripts may trigger the rule. Review scheduled tasks and scripts to identify benign activities and consider excluding them from the rule. -- Some system utilities or applications may inherently require SUID/SGID permissions for normal operation. Verify the necessity of these permissions and exclude known safe applications from the rule. -- Development or testing environments often run processes with elevated privileges for debugging purposes. Identify these environments and apply exceptions to avoid false positives. -- Administrative tools or scripts executed by system administrators might appear as privilege escalation attempts. Ensure these are documented and excluded if they are part of routine administrative tasks. -- Processes with the parent name "spine" are already excluded, indicating a known benign pattern. Review similar patterns in your environment and apply similar exclusions where applicable. - -### Response and remediation - -- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the attacker. -- Terminate any suspicious processes identified by the detection rule that are running with elevated privileges but were initiated by non-root users. -- Conduct a thorough review of the SUID/SGID binaries on the affected system to identify and remove any unnecessary or misconfigured binaries that could be exploited for privilege escalation. -- Reset credentials and review access permissions for any accounts that may have been compromised or used in the attack to ensure they do not retain unauthorized elevated privileges. 
-- Apply security patches and updates to the operating system and all installed software to mitigate known vulnerabilities that could be exploited for privilege escalation. -- Implement enhanced monitoring and logging for SUID/SGID execution and privilege escalation attempts to detect and respond to similar threats in the future. -- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" [[rule.threat]] framework = "MITRE ATT&CK" - [[rule.threat.technique]] id = "T1068" name = "Exploitation for Privilege Escalation" @@ -144,17 +143,17 @@ reference = "https://attack.mitre.org/techniques/T1068/" id = "T1548" name = "Abuse Elevation Control Mechanism" reference = "https://attack.mitre.org/techniques/T1548/" - [[rule.threat.technique.subtechnique]] id = "T1548.001" name = "Setuid and Setgid" reference = "https://attack.mitre.org/techniques/T1548/001/" + + [rule.threat.tactic] id = "TA0004" name = "Privilege Escalation" reference = "https://attack.mitre.org/tactics/TA0004/" - [[rule.threat]] framework = "MITRE ATT&CK" @@ -162,3 +161,4 @@ framework = "MITRE ATT&CK" id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" + diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index 4cd122d63..5ea5e75e9 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml @@ -2,9 +2,7 @@ creation_date = "2023/07/31" integration = ["endpoint"] maturity = "production" -min_stack_version = "8.16.0" -min_stack_comments = "Breaking change at 8.16.0 for the Endpoint Integration with respect to ecs field process.group.id" -updated_date = "2025/02/04" +updated_date = "2025/07/02" [rule] author = ["Elastic"] 
@@ -20,6 +18,41 @@ index = ["logs-endpoint.events.process*"] language = "eql" license = "Elastic License v2" name = "Potential Sudo Token Manipulation via Process Injection" +note = """## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Sudo Token Manipulation via Process Injection + +In Linux environments, process injection can be exploited by adversaries to manipulate sudo tokens, allowing unauthorized privilege escalation. Attackers may use debugging tools like gdb to inject code into processes with valid sudo tokens, leveraging ptrace capabilities. The detection rule identifies this threat by monitoring for gdb execution followed by a uid change in the sudo process, indicating potential token manipulation. + +### Possible investigation steps + +- Review the alert details to identify the specific host and process session leader entity ID involved in the potential sudo token manipulation. +- Examine the process tree on the affected host to trace the parent and child processes of the gdb execution, focusing on any unusual or unauthorized processes. +- Check the system logs for any recent sudo commands executed by the user associated with the gdb process to determine if there were any unauthorized privilege escalations. +- Investigate the user account associated with the gdb process to verify if it has legitimate reasons to use debugging tools and if it has been compromised. +- Analyze the timing and context of the uid change event in the sudo process to assess if it aligns with legitimate administrative activities or if it appears suspicious. 
+- Review the system's ptrace settings to ensure they are configured securely and assess if there have been any recent changes that could have enabled this attack vector. + +### False positive analysis + +- Debugging activities by developers or system administrators using gdb for legitimate purposes can trigger this rule. To manage this, create exceptions for specific user IDs or groups known to perform regular debugging tasks. +- Automated scripts or maintenance tools that utilize gdb for process analysis might cause false positives. Identify these scripts and exclude their associated process names or paths from the rule. +- System monitoring or security tools that perform uid changes as part of their normal operation could be mistaken for malicious activity. Review and whitelist these tools by their process names or specific user IDs. +- Training or testing environments where sudo and gdb are used frequently for educational purposes may generate alerts. Consider excluding these environments by host ID or network segment to reduce noise. +- Scheduled tasks or cron jobs that involve gdb and sudo processes might inadvertently match the rule criteria. Analyze these tasks and exclude them based on their execution times or specific process attributes. + +### Response and remediation + +- Immediately isolate the affected host from the network to prevent further unauthorized access or privilege escalation. +- Terminate any suspicious gdb and sudo processes identified in the alert to stop ongoing process injection attempts. +- Conduct a thorough review of the affected system's process and user activity logs to identify any unauthorized changes or access patterns. +- Reset credentials and sudo tokens for all users on the affected system to prevent further exploitation using compromised tokens. +- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. 
+- Re-enable ptrace restrictions if they were previously disabled, to limit the ability of attackers to perform process injection. +- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" references = ["https://github.com/nongiach/sudo_inject"] risk_score = 47 rule_id = "ff9bc8b9-f03b-4283-be58-ee0a16f5a11b" 
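Review bot: The remediation bullet `+- Re-enable ptrace restrictions if they were previously disabled, ...` names no concrete control, so an analyst following the guide has nothing specific to check; on Yama-enabled kernels the relevant setting is the `kernel.yama.ptrace_scope` sysctl, and the bullet could read `- Re-enable ptrace restrictions (for example, kernel.yama.ptrace_scope set to 1 or higher on Yama-enabled kernels) if they were previously relaxed, to limit the ability of attackers to attach to other processes.` The matching investigation step `+- Review the system's ptrace settings ...` would benefit from naming the same setting so the two sections point at one control. The text is moved rather than written by this commit, so the wording issue predates it.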
@@ -66,41 +99,6 @@ sequence by host.id, process.session_leader.entity_id with maxspan=15s [ process where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and process.name == "sudo" and process.user.id == "0" and process.group.id == "0" ] ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating Potential Sudo Token Manipulation via Process Injection - -In Linux environments, process injection can be exploited by adversaries to manipulate sudo tokens, allowing unauthorized privilege escalation. Attackers may use debugging tools like gdb to inject code into processes with valid sudo tokens, leveraging ptrace capabilities. The detection rule identifies this threat by monitoring for gdb execution followed by a uid change in the sudo process, indicating potential token manipulation. - -### Possible investigation steps - -- Review the alert details to identify the specific host and process session leader entity ID involved in the potential sudo token manipulation. -- Examine the process tree on the affected host to trace the parent and child processes of the gdb execution, focusing on any unusual or unauthorized processes. -- Check the system logs for any recent sudo commands executed by the user associated with the gdb process to determine if there were any unauthorized privilege escalations. -- Investigate the user account associated with the gdb process to verify if it has legitimate reasons to use debugging tools and if it has been compromised. -- Analyze the timing and context of the uid change event in the sudo process to assess if it aligns with legitimate administrative activities or if it appears suspicious. 
-- Review the system's ptrace settings to ensure they are configured securely and assess if there have been any recent changes that could have enabled this attack vector. - -### False positive analysis - -- Debugging activities by developers or system administrators using gdb for legitimate purposes can trigger this rule. To manage this, create exceptions for specific user IDs or groups known to perform regular debugging tasks. -- Automated scripts or maintenance tools that utilize gdb for process analysis might cause false positives. Identify these scripts and exclude their associated process names or paths from the rule. -- System monitoring or security tools that perform uid changes as part of their normal operation could be mistaken for malicious activity. Review and whitelist these tools by their process names or specific user IDs. -- Training or testing environments where sudo and gdb are used frequently for educational purposes may generate alerts. Consider excluding these environments by host ID or network segment to reduce noise. -- Scheduled tasks or cron jobs that involve gdb and sudo processes might inadvertently match the rule criteria. Analyze these tasks and exclude them based on their execution times or specific process attributes. - -### Response and remediation - -- Immediately isolate the affected host from the network to prevent further unauthorized access or privilege escalation. -- Terminate any suspicious gdb and sudo processes identified in the alert to stop ongoing process injection attempts. -- Conduct a thorough review of the affected system's process and user activity logs to identify any unauthorized changes or access patterns. -- Reset credentials and sudo tokens for all users on the affected system to prevent further exploitation using compromised tokens. -- Apply security patches and updates to the affected system to address any vulnerabilities that may have been exploited. 
-- Re-enable ptrace restrictions if they were previously disabled, to limit the ability of attackers to perform process injection. -- Escalate the incident to the security operations team for further investigation and to assess the potential impact on other systems within the network.""" [[rule.threat]] diff --git a/rules/windows/credential_access_rare_webdav_destination.toml b/rules/windows/credential_access_rare_webdav_destination.toml index 71454c22d..e7bc190e7 100644 --- a/rules/windows/credential_access_rare_webdav_destination.toml +++ b/rules/windows/credential_access_rare_webdav_destination.toml @@ -2,15 +2,14 @@ creation_date = "2025/04/28" integration = ["endpoint", "system", "windows", "m365_defender", "crowdstrike"] maturity = "production" -updated_date = "2025/04/28" -min_stack_version = "8.17.0" -min_stack_comments = "Elastic ES|QL VALUES aggregation is more performant in 8.16.5 and above." +updated_date = "2025/07/02" [rule] author = ["Elastic"] description = """ -Identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource. Attackers may inject -WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced authentication. +Identifies rare connection attempts to a Web Distributed Authoring and Versioning (WebDAV) resource. Attackers may +inject WebDAV paths in files or features opened by a victim user to leak their NTLM credentials via forced +authentication. """ from = "now-3660s" language = "esql" diff --git a/rules/windows/defense_evasion_ntlm_downgrade.toml b/rules/windows/defense_evasion_ntlm_downgrade.toml index 0033971e5..bad4d30eb 100644 --- a/rules/windows/defense_evasion_ntlm_downgrade.toml +++ b/rules/windows/defense_evasion_ntlm_downgrade.toml 
@@ -2,46 +2,25 @@ creation_date = "2025/04/14" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/04/14" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/07/02" [rule] author = ["Elastic"] description = """ -Identifies registry modification to force the system to fall back to NTLMv1 for authentication. This modification is possible -with local administrator privileges and is commonly referred to as a `NetNTLMv1 downgrade attack`. +Identifies registry modification to force the system to fall back to NTLMv1 for authentication. This modification is +possible with local administrator privileges and is commonly referred to as a `NetNTLMv1 downgrade attack`. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Potential NetNTLMv1 Downgrade Attack" -references = [ - "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level" -] -risk_score = 47 -rule_id = "4d169db7-0323-4157-9ad3-ea5ece9019c9" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and 
event.action != "deletion" and - registry.value == "LmCompatibilityLevel" and registry.data.strings in ("2", "1", "0", "0x00000002", "0x00000001", "0x00000000") -''' note = """## Triage and analysis ### Investigating Potential NetNTLMv1 Downgrade Attack @@ -70,6 +49,31 @@ note = """## Triage and analysis - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to disable NLA or other suspicious activities. """ +references = [ + "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-lan-manager-authentication-level", +] +risk_score = 47 +rule_id = "4d169db7-0323-4157-9ad3-ea5ece9019c9" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.action != "deletion" and + registry.value == "LmCompatibilityLevel" and registry.data.strings in ("2", "1", "0", "0x00000002", "0x00000001", "0x00000000") +''' [[rule.threat]] @@ -89,6 +93,7 @@ name = "Downgrade Attack" reference = "https://attack.mitre.org/techniques/T1562/010/" + [rule.threat.tactic] id = "TA0005" name = "Defense Evasion" diff --git a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml index 59e9de334..ed70971a7 100644 --- a/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml 
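Review bot: The response bullet `- Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to disable NLA or other suspicious activities.` in the NetNTLMv1 downgrade guide refers to NLA, which is unrelated to this rule's `LmCompatibilityLevel` registry detection; it reads as carried over from another guide, and the same sentence appears as context in the Potential RemoteMonologue Attack hunk later in this diff, where it is equally out of place. Wording tied to the rule, such as `... to detect any further attempts to lower LmCompatibilityLevel or other suspicious activities.` here, and the `RunAs` value for the RemoteMonologue guide, would keep the guidance actionable. These are context lines in this hunk, so the defect predates the commit, but the guide is the text being moved above the query here.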
+++ b/rules/windows/defense_evasion_posh_obfuscation_char_arrays.toml
@@ -2,9 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "The ES|QL MATCH operator was introduced in 8.17"
-min_stack_version = "8.17.0"
-updated_date = "2025/04/14"
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
index 18b2f94a1..679359893 100644
--- a/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
+++ b/rules/windows/defense_evasion_posh_obfuscation_reverse_keyword.toml
@@ -2,9 +2,7 @@
 creation_date = "2025/04/14"
 integration = ["windows"]
 maturity = "production"
-min_stack_comments = "The ES|QL MATCH operator was introduced in 8.17"
-min_stack_version = "8.17.0"
-updated_date = "2025/04/14"
+updated_date = "2025/07/02"
 [rule]
 author = ["Elastic"]
diff --git a/rules/windows/defense_evasion_regmod_remotemonologue.toml b/rules/windows/defense_evasion_regmod_remotemonologue.toml
index 5e49fd8f1..96c01f54f 100644
--- a/rules/windows/defense_evasion_regmod_remotemonologue.toml
+++ b/rules/windows/defense_evasion_regmod_remotemonologue.toml
@@ -2,45 +2,25 @@ creation_date = "2025/04/14" integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"] maturity = "production" -updated_date = "2025/04/14" -min_stack_version = "8.14.0" -min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." +updated_date = "2025/07/02" [rule] author = ["Elastic"] description = """ -Identifies attempt to perform session hijack via COM object registry modification by setting the RunAs value to Interactive User. +Identifies attempt to perform session hijack via COM object registry modification by setting the RunAs value to +Interactive User. """ from = "now-9m" -index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"] +index = [ + "logs-endpoint.events.registry-*", + "endgame-*", + "logs-m365_defender.event-*", + "logs-sentinel_one_cloud_funnel.*", + "logs-windows.sysmon_operational-*", +] language = "eql" license = "Elastic License v2" name = "Potential RemoteMonologue Attack" -references = [ - "https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1", - "https://github.com/xforcered/RemoteMonologue" -] -risk_score = 73 -rule_id = "c18975f5-676c-4091-b626-81e8938aa2ee" -severity = "high" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Defense Evasion", - "Data Source: Elastic Defend", - "Data Source: Elastic Endgame", - "Data Source: Microsoft Defender for Endpoint", - "Data Source: SentinelOne", - "Data Source: Sysmon", - "Resources: Investigation Guide", -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -registry where host.os.type == "windows" and event.action != "deletion" and registry.value == "RunAs" and registry.data.strings : "Interactive User" -''' note = """## Triage and analysis ### Investigating Potential RemoteMonologue Attack 
@@ -67,6 +47,31 @@ note = """## Triage and analysis - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected. - Implement enhanced monitoring on the affected system and similar endpoints to detect any further attempts to disable NLA or other suspicious activities. """ +references = [ + "https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1", + "https://github.com/xforcered/RemoteMonologue", +] +risk_score = 73 +rule_id = "c18975f5-676c-4091-b626-81e8938aa2ee" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Data Source: Elastic Defend", + "Data Source: Elastic Endgame", + "Data Source: Microsoft Defender for Endpoint", + "Data Source: SentinelOne", + "Data Source: Sysmon", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +registry where host.os.type == "windows" and event.action != "deletion" and registry.value == "RunAs" and registry.data.strings : "Interactive User" +''' [[rule.threat]] diff --git a/rules/windows/persistence_sysmon_wmi_event_subscription.toml b/rules/windows/persistence_sysmon_wmi_event_subscription.toml index f680eea69..48ae5c23a 100644 --- a/rules/windows/persistence_sysmon_wmi_event_subscription.toml +++ b/rules/windows/persistence_sysmon_wmi_event_subscription.toml @@ -2,9 +2,7 @@ creation_date = "2023/02/02" integration = ["windows", "endpoint"] maturity = "production" -updated_date = "2025/04/15" -min_stack_version = "8.15.0" -min_stack_comments = "Elastic Defend WMI events were added in Elastic Defend 8.15.0." +updated_date = "2025/07/02" [rule] author = ["Elastic"] 
@@ -17,35 +15,6 @@ index = ["winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-endpoint.eve language = "eql" license = "Elastic License v2" name = "Suspicious WMI Event Subscription Created" -references = [ - "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", - "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96", -] -risk_score = 47 -rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643" -severity = "medium" -tags = [ - "Domain: Endpoint", - "OS: Windows", - "Use Case: Threat Detection", - "Tactic: Persistence", - "Data Source: Sysmon", - "Data Source: Elastic Defend", - "Resources: Investigation Guide" -] -timestamp_override = "event.ingested" -type = "eql" - -query = ''' -any where - ( - (event.dataset == "windows.sysmon_operational" and event.code == "21" and - ?winlog.event_data.Operation : "Created" and ?winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or - - (event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and ?process.Ext.api.name == "IWbemServices::PutInstance" and - ?process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer")) - ) -''' note = """## Triage and analysis > **Disclaimer**: 
@@ -80,6 +49,35 @@ Windows Management Instrumentation (WMI) is a powerful framework for managing da - Review and reset any compromised credentials, especially if SYSTEM privileges were potentially accessed or escalated. - Monitor the network for any signs of similar activity or attempts to recreate the WMI event subscription, using enhanced logging and alerting mechanisms. - Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on other systems within the network.""" +references = [ + "https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf", + "https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96", +] +risk_score = 47 +rule_id = "e72f87d0-a70e-4f8d-8443-a6407bc34643" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Sysmon", + "Data Source: Elastic Defend", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +any where + ( + (event.dataset == "windows.sysmon_operational" and event.code == "21" and + ?winlog.event_data.Operation : "Created" and ?winlog.event_data.Consumer : ("*subscription:CommandLineEventConsumer*", "*subscription:ActiveScriptEventConsumer*")) or + + (event.dataset == "endpoint.events.api" and event.provider == "Microsoft-Windows-WMI-Activity" and ?process.Ext.api.name == "IWbemServices::PutInstance" and + ?process.Ext.api.parameters.consumer_type in ("ActiveScriptEventConsumer", "CommandLineEventConsumer")) + ) +''' [[rule.threat]]