diff --git a/detection_rules/schemas/v79.py b/detection_rules/schemas/v79.py index 0f64ee20f..0dc8c97fe 100644 --- a/detection_rules/schemas/v79.py +++ b/detection_rules/schemas/v79.py @@ -37,7 +37,7 @@ class SeverityMapping(jsl.Document): class ThresholdMapping(jsl.Document): - field = jsl.StringField(required=False) + field = jsl.StringField(required=True, default="") value = jsl.IntField(minimum=1, required=True) diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml index 9ddb35312..f444650a7 100644 --- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml +++ b/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml @@ -48,4 +48,5 @@ name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" [rule.threshold] +field = "" value = 25 diff --git a/rules/linux/credential_access_tcpdump_activity.toml b/rules/linux/credential_access_tcpdump_activity.toml index fe3eda4f6..7145f748e 100644 --- a/rules/linux/credential_access_tcpdump_activity.toml +++ b/rules/linux/credential_access_tcpdump_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ troubleshooting. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Network Sniffing via Tcpdump" diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index a4101037d..038ae74a7 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml 
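Review bot: `field = jsl.StringField(required=True, default="")` pairs two settings that do not combine the way the line suggests: in a JSON Schema, `default` is an annotation and is ignored during validation, so `required=True` still forces every threshold rule to spell out `field` explicitly (which is why the AWS rule below had to gain `field = ""`), and the `default=""` never fills anything in. Either drop `default=""` or say why it is kept, and record what the empty string means, since it is now a legal and mandatory value; if, as I understand the threshold semantics, an empty field means no grouping and the count applies across all matching events, a comment such as `field = jsl.StringField(required=True, default="")  # "" = no grouping field; threshold counts all matching events` makes that contract visible to rule authors. The hunk header counts seven lines, so the remainder of ThresholdMapping is presumably outside what is shown here.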
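Review bot: The new `index = ["auditbeat-*", "logs-endpoint.events.*"]` line widens this rule to a second data source while the query itself (outside the hunk) is left as written against auditbeat, and nothing in the diff shows that the endpoint event stream populates the same fields and values the query keys on; until that is confirmed the rule may silently match nothing from the new index. The identical one-line addition is made to every file under rules/linux and rules/windows in this diff, so one check of the shared field mapping between the two sources covers all of them. If the mapping is known to be equivalent, a short sentence in the commit description to that effect would save the next reader the same question.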
@@ -2,7 +2,7 @@ creation_date = "2020/04/24" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/07/01" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ description = """ Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to receive or send network traffic. """ -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Attempt to Disable IPTables or Firewall" diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 58d8295f8..c941316fb 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ description = """ Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade detection by security controls. """ -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Attempt to Disable Syslog Service" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index d522903a1..c6e16b4ea 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/17" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] 
@@ -13,7 +13,7 @@ false_positives = [ filtered by the process executable or username values. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Base16 or Base32 Encoding/Decoding Activity" diff --git a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml index 55d967cc5..1d5fee6c1 100644 --- a/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base64_encoding_or_decoding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/17" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ false_positives = [ filtered by the process executable or username values. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Base64 Encoding/Decoding Activity" diff --git a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml index d5ba3ca38..45ee70cca 100644 --- a/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml +++ b/rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml @@ -2,7 +2,7 @@ creation_date = "2020/05/04" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ description = """ Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic investigations. """ -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" name = "Deletion of Bash Command Line History" 
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 2e969a3e9..5137a0630 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/22" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Identifies potential attempts to disable Security-Enhanced Linux (SELinux), whic support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and activities. """ -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Potential Disabling of SELinux" diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 1a01dded1..7f251f849 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ Malware or other files dropped or created on a system by an adversary may leave a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process. """ -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "File Deletion via Shred" diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index 58ddf298e..aca3b6db1 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml 
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/21" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ by username. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "File Permission Modification in Writable Directory" diff --git a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml index 4622d56e0..3b939cd2c 100644 --- a/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_hex_encoding_or_decoding_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/17" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ false_positives = [ filtered by the process executable or username values. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Hex Encoding/Decoding Activity" diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index ff1f8e27e..54fa8b457 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/29" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ behavior. These events can be filtered by the process arguments, username, or process name values. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" max_signals = 33 
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index 99b10e169..8bb2d8807 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/24" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ Note that some Linux distributions are not built to support the removal of modules at all. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Kernel Module Removal" diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 1cdafc311..fd4e0000d 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ by ordinary users is uncommon. These can be exempted by process name or username. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Enumeration of Kernel Modules" diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index 910708456..0e109aeed 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/27" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] 
@@ -17,7 +17,7 @@ false_positives = [ process arguments to eliminate potential noise. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Virtual Machine Fingerprinting" diff --git a/rules/linux/discovery_whoami_commmand.toml b/rules/linux/discovery_whoami_commmand.toml index fae78e977..5ee71eb16 100644 --- a/rules/linux/discovery_whoami_commmand.toml +++ b/rules/linux/discovery_whoami_commmand.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ automation tools and frameworks. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "User Discovery via Whoami" diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index d943e23a0..cfb130baa 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/16" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ description = """ Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. """ -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Interactive Terminal Spawned via Perl" diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index a7009e64f..4797701bd 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/04/15" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ description = """ Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host. """ -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Interactive Terminal Spawned via Python" diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index 0e87cbe3b..acf4ca0f7 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ suspicious. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Connection to External Network via Telnet" diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index 4039828ba..a3d5b28a3 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] 
@@ -18,7 +18,7 @@ false_positives = [ suspicious. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Connection to Internal Network via Telnet" diff --git a/rules/linux/linux_hping_activity.toml b/rules/linux/linux_hping_activity.toml index 6743e6675..02fc27d21 100644 --- a/rules/linux/linux_hping_activity.toml +++ b/rules/linux/linux_hping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ uncommon. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Hping Process Activity" diff --git a/rules/linux/linux_iodine_activity.toml b/rules/linux/linux_iodine_activity.toml index 6edbb8ed2..74333785a 100644 --- a/rules/linux/linux_iodine_activity.toml +++ b/rules/linux/linux_iodine_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ uncommon. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Potential DNS Tunneling via Iodine" diff --git a/rules/linux/linux_mknod_activity.toml b/rules/linux/linux_mknod_activity.toml index da7970db7..fcd61dd3e 100644 --- a/rules/linux/linux_mknod_activity.toml +++ b/rules/linux/linux_mknod_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] 
@@ -16,7 +16,7 @@ false_positives = [ scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Mknod Process Activity" diff --git a/rules/linux/linux_netcat_network_connection.toml b/rules/linux/linux_netcat_network_connection.toml index e0f83950f..9b15f116e 100644 --- a/rules/linux/linux_netcat_network_connection.toml +++ b/rules/linux/linux_netcat_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ originate from scripts, automation tools, and frameworks. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Netcat Network Activity" diff --git a/rules/linux/linux_nmap_activity.toml b/rules/linux/linux_nmap_activity.toml index 3de1c6f12..6d87a3da2 100644 --- a/rules/linux/linux_nmap_activity.toml +++ b/rules/linux/linux_nmap_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ false_positives = [ uncommon. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Nmap Process Activity" diff --git a/rules/linux/linux_nping_activity.toml b/rules/linux/linux_nping_activity.toml index 5ef0f79cb..f5e8f9cad 100644 --- a/rules/linux/linux_nping_activity.toml +++ b/rules/linux/linux_nping_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] 
@@ -16,7 +16,7 @@ false_positives = [ is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Nping Process Activity" diff --git a/rules/linux/linux_process_started_in_temp_directory.toml b/rules/linux/linux_process_started_in_temp_directory.toml index fdb0c633a..2d81696cb 100644 --- a/rules/linux/linux_process_started_in_temp_directory.toml +++ b/rules/linux/linux_process_started_in_temp_directory.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ false_positives = [ username. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Unusual Process Execution - Temp" diff --git a/rules/linux/linux_socat_activity.toml b/rules/linux/linux_socat_activity.toml index dcf23c241..f5211e6f6 100644 --- a/rules/linux/linux_socat_activity.toml +++ b/rules/linux/linux_socat_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -17,7 +17,7 @@ false_positives = [ more likely to be suspicious. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Socat Process Activity" diff --git a/rules/linux/linux_strace_activity.toml b/rules/linux/linux_strace_activity.toml index ddf7e9c47..6eeb921b8 100644 --- a/rules/linux/linux_strace_activity.toml +++ b/rules/linux/linux_strace_activity.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -16,7 +16,7 @@ false_positives = [ originate from developers or SREs engaged in debugging or system call tracing. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Strace Process Activity" diff --git a/rules/linux/persistence_kernel_module_activity.toml b/rules/linux/persistence_kernel_module_activity.toml index 2b845cd99..d56fe31a4 100644 --- a/rules/linux/persistence_kernel_module_activity.toml +++ b/rules/linux/persistence_kernel_module_activity.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ false_positives = [ programs by ordinary users is uncommon. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Persistence via Kernel Module Modification" diff --git a/rules/linux/persistence_shell_activity_by_web_server.toml b/rules/linux/persistence_shell_activity_by_web_server.toml index 309e66174..4f1b3756f 100644 --- a/rules/linux/persistence_shell_activity_by_web_server.toml +++ b/rules/linux/persistence_shell_activity_by_web_server.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -13,7 +13,7 @@ false_positives = [ behavior. """, ] -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Potential Shell via Web Server" 
diff --git a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml index cd7eab95e..630627157 100644 --- a/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml +++ b/rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ group. An adversary can take advantage of this to either do a shell escape or ex with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. """ -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" max_signals = 33 diff --git a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml index 4e18554d2..e22b942df 100644 --- a/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml +++ b/rules/linux/privilege_escalation_setuid_bit_set_via_chmod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/23" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -12,7 +12,7 @@ user. An adversary can take advantage of this to either do a shell escape or exp with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they're able to execute in elevated contexts in the future. """ -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "lucene" license = "Elastic License" max_signals = 33 
diff --git a/rules/linux/privilege_escalation_sudoers_file_mod.toml b/rules/linux/privilege_escalation_sudoers_file_mod.toml index 799cb1577..c8dc10e18 100644 --- a/rules/linux/privilege_escalation_sudoers_file_mod.toml +++ b/rules/linux/privilege_escalation_sudoers_file_mod.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/13" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/25" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ description = """ A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. """ -index = ["auditbeat-*"] +index = ["auditbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Sudoers File Modification" diff --git a/rules/promotions/elastic_endpoint.toml b/rules/promotions/elastic_endpoint.toml index d1500ea75..77c27483a 100644 --- a/rules/promotions/elastic_endpoint.toml +++ b/rules/promotions/elastic_endpoint.toml @@ -32,6 +32,7 @@ event.kind:alert and event.module:(endpoint and not endgame) [[rule.exceptions_list]] id = "endpoint_list" +list_id = "endpoint_list" namespace_type = "agnostic" type = "endpoint" diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index e2fa2ed37..ed0b613ab 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml 
@@ -7,10 +7,10 @@ updated_date = "2020/07/08" [rule] author = ["Elastic"] description = """ -Generates a detection alert for each external alert written to the configured indices. Enabling -this rule allows you to immediately begin investigating external alerts in the app. +Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to +immediately begin investigating external alerts in the app. """ -index = ["apm-*-transaction*", "auditbeat-*", "endgame-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] +index = ["apm-*-transaction*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"] language = "kuery" license = "Elastic License" max_signals = 10000 @@ -57,3 +57,4 @@ operator = "equals" value = "99" severity = "critical" + diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index fd83e419d..abbca7e7e 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -2,7 +2,7 @@ creation_date = "2020/03/19" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/24" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ description = """ Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or malware, from a remote URL. """ -index = ["winlogbeat-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Network Connection via Certutil" diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml index 72f64ca72..def097060 100755 --- a/rules/windows/credential_access_credential_dumping_msbuild.toml +++ b/rules/windows/credential_access_credential_dumping_msbuild.toml 
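Review bot: `updated_date = "2020/07/08"` in the hunk header context is left untouched even though this hunk changes both the description and the index list, while every other rule file in this diff bumps `updated_date` to `2020/08/03`; the same bump belongs here. Removing `"endgame-*"` from `index` also narrows what this promotion rule sees, and the elastic_endpoint.toml hunk above queries `event.module:(endpoint and not endgame)`, so it is not obvious from this diff which rule promotes endgame alerts afterwards — if they are intentionally dropped or covered by the `logs-*` pattern, the commit description should say so. The second hunk at `@@ -57,3 +57,4 @@` only appends a blank line after `severity = "critical"`, which looks unintended.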
@@ -2,7 +2,7 @@ creation_date = "2020/03/25" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/24" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -11,7 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically lin credential management. This technique is sometimes used for credential dumping. """ false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."] -index = ["winlogbeat-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Microsoft Build Engine Loading Windows Credential Libraries" diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml index aad135ad9..b203399ff 100644 --- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml +++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml @@ -2,12 +2,12 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/24" +updated_date = "2020/08/03" [rule] author = ["Elastic"] description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection." -index = ["winlogbeat-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Adding Hidden File Attribute via Attrib" diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml index a6de720d8..b65cc902d 100644 --- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml +++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/24" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ description = """ Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection or destroy forensic evidence on a system. """ -index = ["winlogbeat-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Clearing Windows Event Logs" diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml index 977bddbf8..42a5aefd0 100644 --- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml +++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/24" +updated_date = "2020/08/03" [rule] author = ["Elastic"] @@ -10,7 +10,7 @@ description = """ Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. """ -index = ["winlogbeat-*"] +index = ["winlogbeat-*", "logs-endpoint.events.*"] language = "kuery" license = "Elastic License" name = "Delete Volume USN Journal with Fsutil" diff --git a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml index 1c6b11577..6b5c50ce4 100644 --- a/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml +++ b/rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" ecs_version = ["1.5.0"] maturity = "production" -updated_date = "2020/06/24" +updated_date = "2020/08/03" [rule] author = ["Elastic"] 
@@ -10,7 +10,7 @@ description = """
 Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent system recovery.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Deleting Backup Catalogs with Wbadmin"
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index 8fb39ae61..ab02cffaa 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to disable the firewall during troubleshooting or to enable network mobility.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Disable Windows Firewall Rules via Netsh"
diff --git a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
index af957a6b5..3e2d67d05 100644
--- a/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
+++ b/rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies the use of certutil.exe to encode or decode data. CertUtil is a nativ
 Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and control or exfiltration.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Encoding or Decoding Files via CertUtil"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index 999768519..9d0d6dfc3 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 this program to be started by an Office application like Word or Excel.
 """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started by an Office Application"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 0182da573..673435c93 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by a script or t
 behavior is unusual and is sometimes used by malicious payloads.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started by a Script Process"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 0483453ac..8d4a0866a 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or t
 Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started by a System Process"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index fe5653dda..c13272014 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started after being rena
 indicate an attempt to run unnoticed or undetected.
 """
 false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Using an Alternate Name"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 0e2d97e1f..d4fe4fbf4 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 triggers this rule it can be exempted by process, user or host name.
 """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Microsoft Build Engine Started an Unusual Process"
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 4acf54fba..a6fa2e30f 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Binaries signed with trusted digital certificates can execute on Windows systems
 validation. Adversaries may use these binaries to 'live off the land' and execute malicious files that could bypass application allowlists and signature validation.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Connection via Signed Binary"
diff --git a/rules/windows/defense_evasion_modification_of_boot_config.toml b/rules/windows/defense_evasion_modification_of_boot_config.toml
index a9a5b77d3..ef4724d79 100644
--- a/rules/windows/defense_evasion_modification_of_boot_config.toml
+++ b/rules/windows/defense_evasion_modification_of_boot_config.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/16"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of bcdedit.exe to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Modification of Boot Configuration"
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
index 0a2589397..f6f8267fa 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_vssadmin.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of vssadmin.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Volume Shadow Copy Deletion via VssAdmin"
diff --git a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
index 347eb6273..d97a60dd5 100644
--- a/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of wmic.exe for shadow copy deletion on endpoints. This commonly occurs in tandem with ransomware or other destructive attacks.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Volume Shadow Copy Deletion via WMIC"
diff --git a/rules/windows/discovery_net_command_system_account.toml b/rules/windows/discovery_net_command_system_account.toml
index 768769e2f..dee53f544 100644
--- a/rules/windows/discovery_net_command_system_account.toml
+++ b/rules/windows/discovery_net_command_system_account.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies the SYSTEM account using the Net utility. The Net utility is a component of the Windows operating system. It is used in command line operations for control of users, groups, services, and network connections.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Net command via SYSTEM account"
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index 34a9fd643..2dece8ce1 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 environment for network connections being made from the command prompt to determine any abnormal use of this tool.
 """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Command Prompt Network Connection"
diff --git a/rules/windows/execution_command_shell_started_by_powershell.toml b/rules/windows/execution_command_shell_started_by_powershell.toml
index 5360f52b6..9226f2098 100644
--- a/rules/windows/execution_command_shell_started_by_powershell.toml
+++ b/rules/windows/execution_command_shell_started_by_powershell.toml
@@ -2,12 +2,12 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe."
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "PowerShell spawning Cmd"
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index bff9c2059..cda2b79d9 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -2,12 +2,12 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe"
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Svchost spawning Cmd"
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index f9d145f7e..6219becb3 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTM
 malicious code in a CHM file and deliver it to a victim for execution. CHM content is loaded by the HTML Help executable program (hh.exe).
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Connection via Compiled HTML File"
diff --git a/rules/windows/execution_local_service_commands.toml b/rules/windows/execution_local_service_commands.toml
index 164ba1220..484c02d1c 100644
--- a/rules/windows/execution_local_service_commands.toml
+++ b/rules/windows/execution_local_service_commands.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies use of sc.exe to create, modify, or start services on remote hosts. This could be indicative of adversary lateral movement but will be noisy if commonly done by admins.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Local Service Commands"
diff --git a/rules/windows/execution_msbuild_making_network_connections.toml b/rules/windows/execution_msbuild_making_network_connections.toml
index b9ec2cd94..bc7d549b3 100644
--- a/rules/windows/execution_msbuild_making_network_connections.toml
+++ b/rules/windows/execution_msbuild_making_network_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies MsBuild.exe making outbound network connections. This may indicate adversarial activity as MsBuild is often leveraged by adversaries to execute code and evade detection.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "MsBuild Making Network Connections"
diff --git a/rules/windows/execution_mshta_making_network_connections.toml b/rules/windows/execution_mshta_making_network_connections.toml
index d2c4d2ae9..915bf7515 100644
--- a/rules/windows/execution_mshta_making_network_connections.toml
+++ b/rules/windows/execution_mshta_making_network_connections.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies mshta.exe making a network connection. This may indicate adversarial activity as mshta.exe is often leveraged by adversaries to execute malicious scripts and evade detection.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Connection via Mshta"
diff --git a/rules/windows/execution_msxsl_network.toml b/rules/windows/execution_msxsl_network.toml
index 313af1ba0..071cd085e 100644
--- a/rules/windows/execution_msxsl_network.toml
+++ b/rules/windows/execution_msxsl_network.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies msxsl.exe making a network connection. This may indicate adversarial activity as msxsl.exe is often leveraged by adversaries to execute malicious scripts and evade detection.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Connection via MsXsl"
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 717d68463..07e5f4532 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 environment to determine the amount of noise to expect from this tool.
 """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "PsExec Network Connection"
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index af12915df..606e297a5 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -16,7 +16,7 @@ false_positives = [
 is unusual.
 """,
 ]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Network Connection via Regsvr"
diff --git a/rules/windows/execution_script_executing_powershell.toml b/rules/windows/execution_script_executing_powershell.toml
index 5579eafef..3e079cd56 100644
--- a/rules/windows/execution_script_executing_powershell.toml
+++ b/rules/windows/execution_script_executing_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Windows Script Executing PowerShell"
diff --git a/rules/windows/execution_suspicious_ms_office_child_process.toml b/rules/windows/execution_suspicious_ms_office_child_process.toml
index 1f1c2c5fd..f93227663 100644
--- a/rules/windows/execution_suspicious_ms_office_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_office_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies suspicious child processes of frequently targeted Microsoft Office ap
 These child processes are often launched during exploitation of Office applications or from documents with malicious macros.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious MS Office Child Process"
diff --git a/rules/windows/execution_suspicious_ms_outlook_child_process.toml b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
index 4a9c196da..a7d83b821 100644
--- a/rules/windows/execution_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/execution_suspicious_ms_outlook_child_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies suspicious child processes of Microsoft Outlook. These child processes are often associated with spear phishing activity.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious MS Outlook Child Process"
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index b9b12a27f..dc8c4d49d 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/30"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies suspicious child processes of PDF reader applications. These child processes are often launched via exploitation of PDF applications or social engineering.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Suspicious PDF Reader Child Process"
diff --git a/rules/windows/execution_unusual_network_connection_via_rundll32.toml b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
index 1b5d9cb12..d2249a31d 100644
--- a/rules/windows/execution_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/execution_unusual_network_connection_via_rundll32.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies unusual instances of rundll32.exe making outbound network connections. This may indicate adversarial activity and may identify malicious DLLs.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual Network Connection via RunDLL32"
diff --git a/rules/windows/execution_unusual_process_network_connection.toml b/rules/windows/execution_unusual_process_network_connection.toml
index 572834f6a..9d531ee19 100644
--- a/rules/windows/execution_unusual_process_network_connection.toml
+++ b/rules/windows/execution_unusual_process_network_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies network activity from unexpected system applications. This may indicate adversarial activity as these applications are often leveraged by adversaries to execute code and evade detection.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual Process Network Connection"
diff --git a/rules/windows/execution_via_net_com_assemblies.toml b/rules/windows/execution_via_net_com_assemblies.toml
index 617f783bb..09066b96e 100644
--- a/rules/windows/execution_via_net_com_assemblies.toml
+++ b/rules/windows/execution_via_net_com_assemblies.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to r
 (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows utility.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Execution via Regsvcs/Regasm"
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index 1bd9b034e..73f27dd62 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ over Server Message Block (SMB), which communicates between hosts using port 445
 connections are established by the kernel. Processes making 445/tcp connections may be port scanners, exploits, or suspicious user-level processes moving laterally.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Direct Outbound SMB Connection"
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index 012e4597d..11790c66b 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -2,12 +2,12 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
 description = "Detects writing executable files that will be automatically launched by Adobe on launch."
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Adobe Hijack Persistence"
diff --git a/rules/windows/persistence_local_scheduled_task_commands.toml b/rules/windows/persistence_local_scheduled_task_commands.toml
index 864e1c44b..ce71a86b2 100644
--- a/rules/windows/persistence_local_scheduled_task_commands.toml
+++ b/rules/windows/persistence_local_scheduled_task_commands.toml
@@ -2,13 +2,13 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
 description = "A scheduled task can be used by an adversary to establish persistence, move laterally, and/or escalate privileges."
 false_positives = ["Legitimate scheduled tasks may be created during installation of new software."]
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Local Scheduled Task Commands"
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml
index 307d03354..7a9ded5c3 100644
--- a/rules/windows/persistence_system_shells_via_services.toml
+++ b/rules/windows/persistence_system_shells_via_services.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Windows services typically run as SYSTEM and can be used as a privilege escalation opportunity. Malware or penetration testers may run a shell as a service to gain SYSTEM permissions.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "System Shells via Services"
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index d0a5683af..ccb3eec67 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies attempts to create new local users. This is sometimes done by attackers to increase access to a system or domain.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "User Account Creation"
diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
index 81c05f87f..930219330 100644
--- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
+++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/17"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies User Account Control (UAC) bypass via eventvwr.exe. Attackers bypass UAC to stealthily execute code with elevated permissions.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Bypass UAC via Event Viewer"
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
index ef731f2bd..71ee6363c 100644
--- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
+++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/02/18"
 ecs_version = ["1.5.0"]
 maturity = "production"
-updated_date = "2020/06/24"
+updated_date = "2020/08/03"
 
 [rule]
 author = ["Elastic"]
@@ -10,7 +10,7 @@ description = """
 Identifies Windows programs run from unexpected parent processes. This could indicate masquerading or other strange activity on a system.
 """
-index = ["winlogbeat-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
 name = "Unusual Parent-Child Relationship"