[Fleet] Track integrations in folder and metadata (#1372)

* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests

Removed changes from:
- rules/cyberark/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
- rules/cyberark/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml

(selectively cherry picked from commit 1882f4456c)

detection_rules/main.py

@@ -223,7 +223,7 @@ def validate_all(fail):
 @click.option('--columns', '-c', multiple=True, help='Specify columns to add the table')
 @click.option('--language', type=click.Choice(["eql", "kql"]), default="kql")
 @click.option('--count', is_flag=True, help='Return a count rather than table')
-def search_rules(query, columns, language, count, verbose=True, rules: Dict[str, dict] = None, pager=False):
+def search_rules(query, columns, language, count, verbose=True, rules: Dict[str, TOMLRule] = None, pager=False):
     """Use KQL or EQL to find matching rules."""
     from kql import get_evaluator
     from eql.table import Table
@@ -235,16 +235,16 @@ def search_rules(query, columns, language, count, verbose=True, rules: Dict[str,
     rules = rules or {str(rule.path): rule for rule in RuleCollection.default()}
 
     for file_name, rule_doc in rules.items():
-        flat = {"file": os.path.relpath(file_name)}
-        flat.update(rule_doc)
-        flat.update(rule_doc["metadata"])
-        flat.update(rule_doc["rule"])
+        flat: dict = {"file": os.path.relpath(file_name)}
+        flat.update(rule_doc.contents.to_dict())
+        flat.update(flat["metadata"])
+        flat.update(flat["rule"])
 
         tactic_names = []
         technique_ids = []
         subtechnique_ids = []
 
-        for entry in rule_doc['rule'].get('threat', []):
+        for entry in flat['rule'].get('threat', []):
             if entry["framework"] != "MITRE ATT&CK":
                 continue
 
@@ -253,8 +253,8 @@ def search_rules(query, columns, language, count, verbose=True, rules: Dict[str,
             technique_ids.extend([t['id'] for t in techniques])
             subtechnique_ids.extend([st['id'] for t in techniques for st in t.get('subtechnique', [])])
 
-        flat.update(techniques=technique_ids, tactics=tactic_names, subtechniques=subtechnique_ids,
-                    unique_fields=TOMLRule.get_unique_query_fields(rule_doc['rule']))
+        flat.update(techniques=technique_ids, tactics=tactic_names, subtechniques=subtechnique_ids)
+        #           unique_fields=TOMLRule.get_unique_query_fields(rule_doc['rule']))
         flattened_rules.append(flat)
 
     flattened_rules.sort(key=lambda dct: dct["name"])

rules/README.md

@@ -6,12 +6,25 @@ Rules within this folder are organized by solution or platform. The structure is
 |-------------------------------------|----------------------------------------------------------------------|
 | `.`                                 | Root directory where rules are stored                                |
 | [`apm/`](apm)                       | Rules that use Application Performance Monitoring (APM) data sources |
-| [`aws/`](aws)                       | Rules written for the Amazon Web Services (AWS) module of filebeat   |
-| `cross-platform/`                   | Rules that apply to multiple platforms, such as Windows and Linux    |
+| [`cross-platform/`](cross-platform) | Rules that apply to multiple platforms, such as Windows and Linux    |
+| [`integrations/`](integrations)     | Rules organized by Fleet integration                                 |
 | [`linux/`](linux)                   | Rules for Linux or other Unix based operating systems                |
-| `macos/`                            | Rules for macOS                                                      |
+| [`macos/`](macos)                   | Rules for macOS                                                      |
 | [`ml/`](ml)                         | Rules that use machine learning jobs (ML)                            |
 | [`network/`](network)               | Rules that use network data sources                                  |
-| [`okta/`](okta)                     | Rules written for the Okta module of filebeat                        |
 | [`promotions/`](promotions)         | Rules that promote external alerts into detection engine alerts      |
 | [`windows/`](windows)               | Rules for the Microsoft Windows Operating System                     |
+
+
+Integration specific rules are stored in the [`integrations/`](integrations) directory:
+
+| folder                                                 |  integration                         |
+|--------------------------------------------------------|--------------------------------------|
+| [`aws/`](integrations/aws)                             | Amazon Web Services (AWS)            |
+| [`azure/`](integrations/azure)                         | Microsoft Azure                      |
+| [`cyberarkpas/`](integrations/cyberarkpas)             | Cyber Ark Privileged Access Security |
+| [`gcp/`](integrations/gcp)                             | Google Cloud Platform (GCP)          |
+| [`google_workspace/`](integrations/google_workspace)   | Google Workspace (formerly GSuite)   |
+| [`o365/`](integrations/o365)                           | Microsoft Office                     |
+| [`okta/`](integrations/okta)                           | Oka                                  |
+

rules/integrations/aws/NOTICE.txt

@@ -0,0 +1,26 @@
+This product bundles rules based on https://github.com/FSecureLABS/leonidas
+which is available under a "MIT" license. The rules based on this license are:
+
+- "AWS Access Secret in Secrets Manager" (a00681e3-9ed6-447c-ab2c-be648821c622)
+
+MIT License
+
+Copyright (c) 2020 F-Secure LABS
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

rules/integrations/aws/collection_cloudtrail_logging_created.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/credential_access_iam_user_addition_to_group.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/credential_access_root_console_failure_brute_force.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Nick Jones", "Elastic"]

rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]

rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/defense_evasion_waf_acl_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/09"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
-updated_date = "2021/05/05"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]

rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/24"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/04/22"
 maturity = "production"
-updated_date = "2021/06/24"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]

rules/integrations/aws/exfiltration_rds_snapshot_export.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2021/06/06"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/impact_cloudtrail_logging_updated.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/impact_iam_deactivate_mfa_device.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]

rules/integrations/aws/impact_iam_group_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/impact_rds_cluster_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/impact_rds_group_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2021/06/05"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]

rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/initial_access_console_login_root.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/11"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/initial_access_password_recovery.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/initial_access_via_system_manager.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/ml_cloudtrail_error_message_spike.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +23,12 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "high_distinct_count_error_message"
 name = "Spike in AWS Error Messages"
-note = """## Triage and analysis
+note = """
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
 
 ### Investigating Spikes in CloudTrail Errors
 Detection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:

rules/integrations/aws/ml_cloudtrail_rare_error_code.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +23,12 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_error_code"
 name = "Rare AWS Error Code"
-note = """## Triage and analysis
+note = """
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
 
 Investigating Unusual CloudTrail Error Activity ###
 Detection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:

rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +24,12 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_city"
 name = "Unusual City For an AWS Command"
-note = """## Triage and analysis
+note = """
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
 
 ### Investigating an Unusual CloudTrail Event
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:

rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +24,12 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_country"
 name = "Unusual Country For an AWS Command"
-note = """## Triage and analysis
+note = """
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
 
 ### Investigating an Unusual CloudTrail Event
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:

rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 anomaly_threshold = 75
@@ -22,9 +23,15 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_username"
 name = "Unusual AWS Command for a User"
-note = """## Triage and analysis
+note = """
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
 
 ### Investigating an Unusual CloudTrail Event
+
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:
 - Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?

rules/integrations/aws/persistence_ec2_network_acl_creation.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/persistence_iam_group_creation.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/persistence_rds_cluster_creation.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/persistence_rds_group_creation.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2021/06/05"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]

rules/integrations/aws/persistence_rds_instance_creation.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2021/06/06"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/05/10"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]

rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/05/10"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]

rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/collection_update_event_hub_auth_rule.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/credential_access_key_vault_modified.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/credential_access_storage_account_key_regenerated.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/defense_evasion_event_hub_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/defense_evasion_network_watcher_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/discovery_blob_container_access_mod.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/execution_command_virtual_machine.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/impact_azure_automation_runbook_deleted.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/impact_azure_service_principal_credentials_added.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
-updated_date = "2021/05/05"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic", "Austin Songer"]

rules/integrations/azure/impact_resource_group_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic", "Willem D'Haese"]

rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/initial_access_external_guest_user_invite.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/persistence_azure_automation_account_created.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/persistence_azure_automation_webhook_created.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/24"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/impact_gcp_iam_role_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/impact_gcp_service_account_deleted.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/impact_gcp_service_account_disabled.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/gcp/persistence_gcp_service_account_created.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]

rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml

@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "google_workspace"
 
 [rule]
 author = ["Elastic"]