Enhance Setup Guide information (#3256)
(cherry picked from commit d52546eee5)
This commit is contained in:
shashank-elastic
committed by
github-actions[bot]
github-actions[bot]
parent
39346f4b5b
commit
9c271c6591
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,25 +26,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -31,25 +31,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -31,25 +31,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -23,8 +23,7 @@ risk_score = 21
|
||||
rule_id = "25d917c4-aa3c-4111-974c-286c0312ff95"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,25 +27,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,25 +29,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
+5
-6
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/17"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -61,7 +61,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
### Filebeat Setup
|
||||
Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
|
||||
@@ -72,18 +72,17 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
|
||||
- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
|
||||
- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
|
||||
- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
|
||||
- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
|
||||
- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
|
||||
### Packetbeat Setup
|
||||
Packetbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction.
|
||||
|
||||
#### The following steps should be executed in order to add the Packetbeat on a Linux System:
|
||||
#### The following steps should be executed in order to add the Packetbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html).
|
||||
- To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html).
|
||||
- For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html).
|
||||
- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Packetbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "low"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,39 +26,40 @@ risk_score = 47
|
||||
rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Custom Ingest Pipeline
|
||||
For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/23"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,7 +24,10 @@ risk_score = 47
|
||||
rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
@@ -35,28 +38,28 @@ the Elastic Agent to monitor events on your host and send data to the Elastic Se
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -31,25 +31,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,25 +29,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,25 +25,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["system"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/17"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -61,8 +61,7 @@ risk_score = 21
|
||||
rule_id = "fa210b61-b627-4e5e-86f4-17e8270656ab"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Filebeat
|
||||
This rule requires data coming in from Filebeat.
|
||||
|
||||
### Filebeat Setup
|
||||
Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
|
||||
@@ -73,10 +72,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
|
||||
- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
|
||||
- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
|
||||
- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
|
||||
- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
- This rule requires the Filebeat System Module to be enabled.
|
||||
- This rule requires the “Filebeat System Module” to be enabled.
|
||||
- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
|
||||
- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["system"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/17"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -57,8 +57,7 @@ risk_score = 47
|
||||
rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Filebeat
|
||||
This rule requires data coming in from Filebeat.
|
||||
|
||||
### Filebeat Setup
|
||||
Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
|
||||
@@ -69,10 +68,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
|
||||
- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
|
||||
- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
|
||||
- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
|
||||
- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
- This rule requires the Filebeat System Module to be enabled.
|
||||
- This rule requires the “Filebeat System Module” to be enabled.
|
||||
- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
|
||||
- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,31 +25,33 @@ risk_score = 47
|
||||
rule_id = "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Auditbeat
|
||||
- Auditd Manager
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Auditd Manager and select the integration to see more details about it.
|
||||
- Click Add Auditd Manager.
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click Save and Continue.
|
||||
- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,31 +25,33 @@ risk_score = 47
|
||||
rule_id = "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Auditbeat
|
||||
- Auditd Manager
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Auditd Manager and select the integration to see more details about it.
|
||||
- Click Add Auditd Manager.
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click Save and Continue.
|
||||
- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["system"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/17"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -63,7 +63,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
### Filebeat Setup
|
||||
Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
|
||||
@@ -74,10 +74,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
|
||||
- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
|
||||
- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
|
||||
- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
|
||||
- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
- This rule requires the Filebeat System Module to be enabled.
|
||||
- This rule requires the “Filebeat System Module” to be enabled.
|
||||
- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
|
||||
- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -30,25 +30,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,39 +27,40 @@ risk_score = 73
|
||||
rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Custom Ingest Pipeline
|
||||
For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,25 +24,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -21,39 +21,40 @@ risk_score = 47
|
||||
rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,39 +24,40 @@ risk_score = 21
|
||||
rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "low"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,25 +25,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/12"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,39 +24,40 @@ risk_score = 47
|
||||
rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Custom Ingest Pipeline
|
||||
For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/24"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,25 +24,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,25 +25,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -22,39 +22,40 @@ risk_score = 47
|
||||
rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.5.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -30,25 +30,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,25 +25,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/09/25"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,39 +27,40 @@ risk_score = 21
|
||||
rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "low"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/12"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,39 +29,40 @@ risk_score = 47
|
||||
rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Custom Ingest Pipeline
|
||||
For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/12"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -23,39 +23,40 @@ risk_score = 47
|
||||
rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Custom Ingest Pipeline
|
||||
For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -32,25 +32,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/12"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,39 +24,40 @@ risk_score = 47
|
||||
rule_id = "aa895aea-b69c-4411-b110-8d7599634b30"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Custom Ingest Pipeline
|
||||
For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -32,25 +32,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -35,25 +35,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.5.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,25 +28,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.5.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,25 +28,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.5.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -30,25 +30,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.5.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,25 +29,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -31,25 +31,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,39 +28,40 @@ risk_score = 47
|
||||
rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,39 +28,40 @@ risk_score = 47
|
||||
rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
|
||||
@@ -22,8 +22,7 @@ risk_score = 47
|
||||
rule_id = "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/12"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,21 +24,21 @@ risk_score = 21
|
||||
rule_id = "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from Auditd Manager integration.
|
||||
This rule requires data coming in from Auditd Manager.
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Auditd Manager and select the integration to see more details about it.
|
||||
- Click Add Auditd Manager.
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click Save and Continue.
|
||||
- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,25 +25,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,25 +27,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,25 +25,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,39 +28,40 @@ risk_score = 73
|
||||
rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "high"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -79,25 +79,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6."
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/11"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -33,40 +33,38 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
Elastic Defend integration does not collect environment variable logging by default.
|
||||
In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration.
|
||||
#### To set up environment variable capture for an Elastic Agent policy:
|
||||
- Go to Security → Manage → Policies.
|
||||
- Select an Elastic Agent policy.
|
||||
- Click Show advanced settings.
|
||||
- Scroll down or search for linux.advanced.capture_env_vars.
|
||||
- Enter the names of env vars you want to capture, separated by commas.
|
||||
- Go to “Security → Manage → Policies”.
|
||||
- Select an “Elastic Agent policy”.
|
||||
- Click “Show advanced settings”.
|
||||
- Scroll down or search for “linux.advanced.capture_env_vars”.
|
||||
- Enter the names of environment variables you want to capture, separated by commas.
|
||||
- For this rule the linux.advanced.capture_env_vars variable should be set to "http_proxy,HTTPS_PROXY,ALL_PROXY".
|
||||
- Click Save.
|
||||
After saving the integration change, the Elastic Agents running this policy will be updated and
|
||||
the rule will function properly.
|
||||
For more information on capturing environment variables refer the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).
|
||||
- Click “Save”.
|
||||
After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly.
|
||||
For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,25 +25,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -76,39 +76,40 @@ risk_score = 47
|
||||
rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2023/09/20"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2023/10/19"
|
||||
updated_date = "2023/11/02"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
|
||||
@@ -22,12 +22,10 @@ risk_score = 47
|
||||
rule_id = "84d1f8db-207f-45ab-a578-921d91c23eb2"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
@@ -40,7 +38,7 @@ the Elastic Agent to monitor events on your host and send data to the Elastic Se
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
|
||||
@@ -29,8 +29,7 @@ risk_score = 21
|
||||
rule_id = "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,25 +25,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -21,39 +21,40 @@ risk_score = 73
|
||||
rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "high"
|
||||
|
||||
@@ -22,8 +22,7 @@ risk_score = 47
|
||||
rule_id = "1df1152b-610a-4f48-9d7a-504f6ee5d9da"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -47,25 +47,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -37,25 +37,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -2,7 +2,7 @@
|
||||
creation_date = "2020/04/15"
|
||||
integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
|
||||
@@ -24,25 +24,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,25 +27,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/12"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -98,36 +98,34 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
Session View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above.
|
||||
#### To confirm that Session View data is enabled:
|
||||
- Go to Manage → Policies, and edit one or more of your Elastic Defend integration policies.
|
||||
- Select the Policy settings tab, then scroll down to the Linux event collection section near the bottom.
|
||||
- Check the box for Process events, and turn on the Include session data toggle.
|
||||
- If you want to include file and network alerts in Session View, check the boxes for Network and File events.
|
||||
- If you want to enable terminal output capture, turn on the Capture terminal output toggle.
|
||||
For more information about the additional fields collected when this setting is enabled and
|
||||
the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
|
||||
- Go to “Manage → Policies”, and edit one or more of your Elastic Defend integration policies.
|
||||
- Select the” Policy settings” tab, then scroll down to the “Linux event collection” section near the bottom.
|
||||
- Check the box for “Process events”, and turn on the “Include session data” toggle.
|
||||
- If you want to include file and network alerts in Session View, check the boxes for “Network and File events”.
|
||||
- If you want to enable terminal output capture, turn on the “Capture terminal output” toggle.
|
||||
For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,26 +29,26 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,25 +24,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,25 +27,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,25 +28,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -22,31 +22,33 @@ risk_score = 47
|
||||
rule_id = "5c895b4f-9133-4e68-9e23-59902175355c"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Auditbeat
|
||||
- Auditd Manager
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Auditd Manager and select the integration to see more details about it.
|
||||
- Click Add Auditd Manager.
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click Save and Continue.
|
||||
- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,25 +29,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,25 +28,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["auditd_manager"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,31 +26,33 @@ risk_score = 47
|
||||
rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Auditbeat
|
||||
- Auditd Manager
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
### Auditd Manager Integration Setup
|
||||
The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel.
|
||||
Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system.
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Auditd Manager and select the integration to see more details about it.
|
||||
- Click Add Auditd Manager.
|
||||
- Go to the Kibana home page and click “Add integrations”.
|
||||
- In the query bar, search for “Auditd Manager” and select the integration to see more details about it.
|
||||
- Click “Add Auditd Manager”.
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Review optional and advanced settings accordingly.
|
||||
- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click Save and Continue.
|
||||
- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable.
|
||||
- Click “Save and Continue”.
|
||||
- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration.
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,25 +29,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/09/25"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,26 +27,26 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
severity = "low"
|
||||
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -24,25 +24,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
integration = ["endpoint"]
|
||||
|
||||
[rule]
|
||||
@@ -27,25 +27,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,25 +29,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.5.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -29,25 +29,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,25 +26,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -27,25 +27,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -55,25 +55,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -22,8 +22,7 @@ risk_score = 47
|
||||
rule_id = "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -30,39 +30,40 @@ risk_score = 47
|
||||
rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -30,39 +30,40 @@ risk_score = 47
|
||||
rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
integration = ["endpoint"]
|
||||
|
||||
[rule]
|
||||
@@ -29,25 +29,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -25,39 +25,40 @@ risk_score = 47
|
||||
rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
"""
|
||||
severity = "medium"
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -28,25 +28,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2022/07/12"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
integration = ["endpoint"]
|
||||
|
||||
[rule]
|
||||
@@ -26,25 +26,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
integration = ["endpoint"]
|
||||
|
||||
[rule]
|
||||
@@ -29,25 +29,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -132,25 +132,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/23"
|
||||
updated_date = "2023/11/02"
|
||||
integration = ["endpoint"]
|
||||
|
||||
[rule]
|
||||
@@ -26,25 +26,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/12"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -26,39 +26,40 @@ risk_score = 47
|
||||
rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in either from Elastic Defend, or Auditbeat integration.
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
- Auditbeat
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
### Auditbeat Setup
|
||||
Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations.
|
||||
|
||||
#### The following steps should be executed in order to add the Auditbeat for Linux System:
|
||||
#### The following steps should be executed in order to add the Auditbeat on a Linux System:
|
||||
- Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages.
|
||||
- To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html).
|
||||
- To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html).
|
||||
- To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html).
|
||||
- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Custom Ingest Pipeline
|
||||
For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html).
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -93,25 +93,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["system"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/17"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -85,8 +85,7 @@ risk_score = 21
|
||||
rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Filebeat
|
||||
This rule requires data coming in from Filebeat.
|
||||
|
||||
### Filebeat Setup
|
||||
Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
|
||||
@@ -97,10 +96,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
|
||||
- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
|
||||
- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
|
||||
- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
|
||||
- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
- This rule requires the Filebeat System Module to be enabled.
|
||||
- This rule requires the “Filebeat System Module” to be enabled.
|
||||
- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
|
||||
- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -110,25 +110,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["system"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/17"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -84,8 +84,7 @@ risk_score = 21
|
||||
rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Filebeat
|
||||
This rule requires data coming in from Filebeat.
|
||||
|
||||
### Filebeat Setup
|
||||
Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing.
|
||||
@@ -96,10 +95,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst
|
||||
- To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html).
|
||||
- To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html).
|
||||
- For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html).
|
||||
- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html).
|
||||
|
||||
#### Rule Specific Setup Note
|
||||
- This rule requires the Filebeat System Module to be enabled.
|
||||
- This rule requires the “Filebeat System Module” to be enabled.
|
||||
- The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions.
|
||||
- To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html).
|
||||
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -88,25 +88,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -126,25 +126,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -125,25 +125,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6"
|
||||
min_stack_version = "8.6.0"
|
||||
updated_date = "2023/10/16"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[transform]
|
||||
[[transform.osquery]]
|
||||
@@ -111,25 +111,24 @@ setup = """
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
|
||||
|
||||
#### The following steps should be executed in order to add the Elastic Defend integration on a Linux System:
|
||||
- Go to the Kibana home page and click Add integrations.
|
||||
- In the query bar, search for Elastic Defend and select the integration to see more details about it.
|
||||
- Click Add Elastic Defend.
|
||||
- Go to the Kibana home page and click "Add integrations".
|
||||
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
|
||||
- Click "Add Elastic Defend".
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead.
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click Save and Continue.
|
||||
- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts.
|
||||
- Click "Save and Continue".
|
||||
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
|
||||
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
|
||||
|
||||
"""
|
||||
|
||||
@@ -4,7 +4,7 @@ integration = ["endpoint"]
|
||||
maturity = "production"
|
||||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||||
min_stack_version = "8.3.0"
|
||||
updated_date = "2023/10/13"
|
||||
updated_date = "2023/11/02"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
@@ -23,12 +23,10 @@ risk_score = 47
|
||||
rule_id = "f5c005d3-4e17-48b0-9cd7-444d48857f97"
|
||||
setup = """
|
||||
|
||||
This rule requires data coming in from one of the following integrations:
|
||||
- Elastic Defend
|
||||
This rule requires data coming in from Elastic Defend.
|
||||
|
||||
### Elastic Defend Integration Setup
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows
|
||||
the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
|
||||
|
||||
#### Prerequisite Requirements:
|
||||
- Fleet is required for Elastic Defend.
|
||||
@@ -41,7 +39,7 @@ the Elastic Agent to monitor events on your host and send data to the Elastic Se
|
||||
- Configure the integration name and optionally add a description.
|
||||
- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads".
|
||||
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
|
||||
- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
|
||||
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
|
||||
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html).
|
||||
- Click "Save and Continue".
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user