diff --git a/detection_rules/main.py b/detection_rules/main.py
index bc7914716..71551cc23 100644
--- a/detection_rules/main.py
+++ b/detection_rules/main.py
@@ -223,7 +223,7 @@ def validate_all(fail):
 @click.option('--columns', '-c', multiple=True, help='Specify columns to add the table')
 @click.option('--language', type=click.Choice(["eql", "kql"]), default="kql")
 @click.option('--count', is_flag=True, help='Return a count rather than table')
-def search_rules(query, columns, language, count, verbose=True, rules: Dict[str, dict] = None, pager=False):
+def search_rules(query, columns, language, count, verbose=True, rules: Dict[str, TOMLRule] = None, pager=False):
     """Use KQL or EQL to find matching rules."""
     from kql import get_evaluator
     from eql.table import Table
@@ -235,16 +235,16 @@ def search_rules(query, columns, language, count, verbose=True, rules: Dict[str,
     rules = rules or {str(rule.path): rule for rule in RuleCollection.default()}
 
     for file_name, rule_doc in rules.items():
-        flat = {"file": os.path.relpath(file_name)}
-        flat.update(rule_doc)
-        flat.update(rule_doc["metadata"])
-        flat.update(rule_doc["rule"])
+        flat: dict = {"file": os.path.relpath(file_name)}
+        flat.update(rule_doc.contents.to_dict())
+        flat.update(flat["metadata"])
+        flat.update(flat["rule"])
 
         tactic_names = []
         technique_ids = []
         subtechnique_ids = []
 
-        for entry in rule_doc['rule'].get('threat', []):
+        for entry in flat['rule'].get('threat', []):
             if entry["framework"] != "MITRE ATT&CK":
                 continue
 
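Review bot: `rules: Dict[str, TOMLRule] = None` in the new signature pairs a non-optional annotation with a `None` default, which type checkers flag; `rules: Optional[Dict[str, TOMLRule]] = None` (importing `Optional` from `typing` next to `Dict` if it is not already) states the contract the body's `rules or {...}` relies on. The annotation change also narrows the accepted type from plain dicts to `TOMLRule`, so any caller still passing the old `Dict[str, dict]` shape will now fail on `.contents` inside the loop rather than at the boundary; worth a line in the docstring, e.g. `"""Use KQL or EQL to find matching rules. `rules` maps file paths to TOMLRule objects."""`. The rest of search_rules's body lies outside this hunk.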
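Review bot: The three successive `update()` calls after `flat.update(rule_doc.contents.to_dict())` mean a `rule`-section key silently overwrites a same-named `metadata` key or the `"file"` entry set on the first line, which decides what `--columns` users actually see; a comment such as `# precedence on key collisions: rule section > metadata > top-level/file` would make the resulting table columns predictable. Separately, `RuleCollection.default()` on the first context line must now discover rules one directory deeper (`rules/integrations/aws/`, per the renames in this commit); if it only enumerates the immediate subdirectories of `rules/`, the moved AWS rules would disappear from search without any error — its implementation is not visible here, so please confirm it recurses. The function continues past the end of this hunk.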
@@ -253,8 +253,8 @@ def search_rules(query, columns, language, count, verbose=True, rules: Dict[str,
             technique_ids.extend([t['id'] for t in techniques])
             subtechnique_ids.extend([st['id'] for t in techniques for st in t.get('subtechnique', [])])
 
-        flat.update(techniques=technique_ids, tactics=tactic_names, subtechniques=subtechnique_ids,
-                    unique_fields=TOMLRule.get_unique_query_fields(rule_doc['rule']))
+        flat.update(techniques=technique_ids, tactics=tactic_names, subtechniques=subtechnique_ids)
+        # unique_fields=TOMLRule.get_unique_query_fields(rule_doc['rule']))
         flattened_rules.append(flat)
 
     flattened_rules.sort(key=lambda dct: dct["name"])
diff --git a/rules/README.md b/rules/README.md
index a1f9dac57..8e68154e1 100644
--- a/rules/README.md
+++ b/rules/README.md
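Review bot: Commenting out `unique_fields=TOMLRule.get_unique_query_fields(rule_doc['rule'])` silently removes the `unique_fields` column that `--columns unique_fields` could previously select, and leaves dead code in the function. If `get_unique_query_fields` still accepts a rule dict, `unique_fields=TOMLRule.get_unique_query_fields(flat['rule'])` restores the column from the flattened data already built above; if its signature changed with the `TOMLRule` refactor, delete the commented line and add `# TODO: restore the unique_fields column once get_unique_query_fields accepts the new rule object` so the regression is tracked rather than hidden. search_rules continues outside this hunk.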
@@ -6,12 +6,25 @@ Rules within this folder are organized by solution or platform. The structure is
 |-------------------------------------|----------------------------------------------------------------------|
 | `.` | Root directory where rules are stored |
 | [`apm/`](apm) | Rules that use Application Performance Monitoring (APM) data sources |
-| [`aws/`](aws) | Rules written for the Amazon Web Services (AWS) module of filebeat |
-| `cross-platform/` | Rules that apply to multiple platforms, such as Windows and Linux |
+| [`cross-platform/`](cross-platform) | Rules that apply to multiple platforms, such as Windows and Linux |
+| [`integrations/`](integrations) | Rules organized by Fleet integration |
 | [`linux/`](linux) | Rules for Linux or other Unix based operating systems |
-| `macos/` | Rules for macOS |
+| [`macos/`](macos) | Rules for macOS |
 | [`ml/`](ml) | Rules that use machine learning jobs (ML) |
 | [`network/`](network) | Rules that use network data sources |
-| [`okta/`](okta) | Rules written for the Okta module of filebeat |
 | [`promotions/`](promotions) | Rules that promote external alerts into detection engine alerts |
 | [`windows/`](windows) | Rules for the Microsoft Windows Operating System |
+
+
+Integration specific rules are stored in the [`integrations/`](integrations) directory:
+
+| folder | integration |
+|--------------------------------------------------------|--------------------------------------|
+| [`aws/`](integrations/aws) | Amazon Web Services (AWS) |
+| [`azure/`](integrations/azure) | Microsoft Azure |
+| [`cyberarkpas/`](integrations/cyberarkpas) | Cyber Ark Privileged Access Security |
+| [`gcp/`](integrations/gcp) | Google Cloud Platform (GCP) |
+| [`google_workspace/`](integrations/google_workspace) | Google Workspace (formerly GSuite) |
+| [`o365/`](integrations/o365) | Microsoft Office |
+| [`okta/`](integrations/okta) | Oka |
+
diff --git a/rules/integrations/aws/NOTICE.txt b/rules/integrations/aws/NOTICE.txt
new file mode 100644
index 000000000..ff2efb306
--- /dev/null
+++ b/rules/integrations/aws/NOTICE.txt
@@ -0,0 +1,26 @@
+This product bundles rules based on https://github.com/FSecureLABS/leonidas
+which is available under a "MIT" license. The rules based on this license are:
+
+- "AWS Access Secret in Secrets Manager" (a00681e3-9ed6-447c-ab2c-be648821c622)
+
+MIT License
+
+Copyright (c) 2020 F-Secure LABS
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/rules/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
similarity index 97%
rename from rules/aws/collection_cloudtrail_logging_created.toml
rename to rules/integrations/aws/collection_cloudtrail_logging_created.toml
index 5fc7bb37c..2c206af67 100644
--- a/rules/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
similarity index 97%
rename from rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
rename to rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
index 98789e600..1ae59b920 100644
--- a/rules/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
similarity index 97%
rename from rules/aws/credential_access_iam_user_addition_to_group.toml
rename to rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
index c5d7a4de2..50cff5319 100644
--- a/rules/aws/credential_access_iam_user_addition_to_group.toml
+++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
similarity index 97%
rename from rules/aws/credential_access_root_console_failure_brute_force.toml
rename to rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
index 9034d5f98..f6dedbb79 100644
--- a/rules/aws/credential_access_root_console_failure_brute_force.toml
+++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
similarity index 97%
rename from rules/aws/credential_access_secretsmanager_getsecretvalue.toml
rename to rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
index 4fc267b74..81d799975 100644
--- a/rules/aws/credential_access_secretsmanager_getsecretvalue.toml
+++ b/rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Nick Jones", "Elastic"]
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
similarity index 97%
rename from rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
rename to rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index cdc1c2790..7922a6d2c 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
similarity index 97%
rename from rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
rename to rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
index 568850c6c..e266a24db 100644
--- a/rules/aws/defense_evasion_cloudtrail_logging_suspended.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
similarity index 97%
rename from rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
rename to rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index 7c1474608..efde45a49 100644
--- a/rules/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
similarity index 97%
rename from rules/aws/defense_evasion_config_service_rule_deletion.toml
rename to rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
index 8519fb23a..81cfc25a2 100644
--- a/rules/aws/defense_evasion_config_service_rule_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/26"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
similarity index 97%
rename from rules/aws/defense_evasion_configuration_recorder_stopped.toml
rename to rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
index 09df4fe0e..d8c92cd24 100644
--- a/rules/aws/defense_evasion_configuration_recorder_stopped.toml
+++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/16"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
similarity index 97%
rename from rules/aws/defense_evasion_ec2_flow_log_deletion.toml
rename to rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index 7d51cdafb..eacfd9f53 100644
--- a/rules/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/15"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
similarity index 97%
rename from rules/aws/defense_evasion_ec2_network_acl_deletion.toml
rename to rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index 27c6b33d4..b69edabb4 100644
--- a/rules/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
similarity index 97%
rename from rules/aws/defense_evasion_guardduty_detector_deletion.toml
rename to rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index 3382be44f..81c676be4 100644
--- a/rules/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
similarity index 97%
rename from rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
rename to rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 78d8b95e9..437b50c95 100644
--- a/rules/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/27"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
similarity index 97%
rename from rules/aws/defense_evasion_waf_acl_deletion.toml
rename to rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index ab1d496f6..1f3a8d921 100644
--- a/rules/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
similarity index 97%
rename from rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
rename to rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index ab6fbbdd2..d4a592440 100644
--- a/rules/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/09"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
similarity index 97%
rename from rules/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
rename to rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
index 27b30d340..358759c04 100644
--- a/rules/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
+++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
-updated_date = "2021/05/05"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
similarity index 97%
rename from rules/aws/exfiltration_ec2_snapshot_change_activity.toml
rename to rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
index 48a801774..2ab12f44b 100644
--- a/rules/aws/exfiltration_ec2_snapshot_change_activity.toml
+++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/24"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
similarity index 97%
rename from rules/aws/exfiltration_ec2_vm_export_failure.toml
rename to rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
index 8f438957b..cab193e64 100644
--- a/rules/aws/exfiltration_ec2_vm_export_failure.toml
+++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/04/22"
 maturity = "production"
-updated_date = "2021/06/24"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
similarity index 96%
rename from rules/aws/exfiltration_rds_snapshot_export.toml
rename to rules/integrations/aws/exfiltration_rds_snapshot_export.toml
index d7c5afcfb..6b68c1302 100644
--- a/rules/aws/exfiltration_rds_snapshot_export.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2021/06/06"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
similarity index 97%
rename from rules/aws/impact_cloudtrail_logging_updated.toml
rename to rules/integrations/aws/impact_cloudtrail_logging_updated.toml
index c333ffc71..3ec2baff2 100644
--- a/rules/aws/impact_cloudtrail_logging_updated.toml
+++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/10"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
similarity index 97%
rename from rules/aws/impact_cloudwatch_log_group_deletion.toml
rename to rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index 7aa3cd0da..cb4afe7e4 100644
--- a/rules/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
similarity index 97%
rename from rules/aws/impact_cloudwatch_log_stream_deletion.toml
rename to rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index 6760b73e7..10b0bc3d0 100644
--- a/rules/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
similarity index 97%
rename from rules/aws/impact_ec2_disable_ebs_encryption.toml
rename to rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
index 158d23eb7..868f893eb 100644
--- a/rules/aws/impact_ec2_disable_ebs_encryption.toml
+++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
similarity index 97%
rename from rules/aws/impact_iam_deactivate_mfa_device.toml
rename to rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
index 6ba260ef2..d49e57544 100644
--- a/rules/aws/impact_iam_deactivate_mfa_device.toml
+++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/26"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
similarity index 97%
rename from rules/aws/impact_iam_group_deletion.toml
rename to rules/integrations/aws/impact_iam_group_deletion.toml
index 60f8ab568..1d3c402b0 100644
--- a/rules/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_rds_cluster_deletion.toml b/rules/integrations/aws/impact_rds_cluster_deletion.toml
similarity index 97%
rename from rules/aws/impact_rds_cluster_deletion.toml
rename to rules/integrations/aws/impact_rds_cluster_deletion.toml
index 53edd45dd..57c6e64de 100644
--- a/rules/aws/impact_rds_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_cluster_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
similarity index 97%
rename from rules/aws/impact_rds_group_deletion.toml
rename to rules/integrations/aws/impact_rds_group_deletion.toml
index f12a4897f..712563703 100644
--- a/rules/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2021/06/05"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
similarity index 97%
rename from rules/aws/impact_rds_instance_cluster_stoppage.toml
rename to rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index cc042dc00..f6c851a97 100644
--- a/rules/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
similarity index 97%
rename from rules/aws/initial_access_console_login_root.toml
rename to rules/integrations/aws/initial_access_console_login_root.toml
index ef4600158..ce29dc00a 100644
--- a/rules/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/11"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
similarity index 97%
rename from rules/aws/initial_access_password_recovery.toml
rename to rules/integrations/aws/initial_access_password_recovery.toml
index cc7f9aa8d..4ad368ec9 100644
--- a/rules/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/02"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
similarity index 97%
rename from rules/aws/initial_access_via_system_manager.toml
rename to rules/integrations/aws/initial_access_via_system_manager.toml
index f405e67e1..c6b35a04a 100644
--- a/rules/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/ml/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
similarity index 93%
rename from rules/ml/ml_cloudtrail_error_message_spike.toml
rename to rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index f689639e6..a14f6c370 100644
--- a/rules/ml/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +23,12 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "high_distinct_count_error_message"
 name = "Spike in AWS Error Messages"
-note = """## Triage and analysis
+note = """
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
 
 ### Investigating Spikes in CloudTrail Errors
 Detection alerts from this rule indicate a large spike in the number of CloudTrail log messages that contain a particular error message. The error message in question was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:
diff --git a/rules/ml/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
similarity index 93%
rename from rules/ml/ml_cloudtrail_rare_error_code.toml
rename to rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index ad9161306..31633a4f9 100644
--- a/rules/ml/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 anomaly_threshold = 50
@@ -22,7 +23,12 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_error_code"
 name = "Rare AWS Error Code"
-note = """## Triage and analysis
+note = """
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
 
 Investigating Unusual CloudTrail Error Activity ###
 Detection alerts from this rule indicate a rare and unusual error code that was associated with the response to an AWS API command or method call. Here are some possible avenues of investigation:
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
similarity index 93%
rename from rules/ml/ml_cloudtrail_rare_method_by_city.toml
rename to rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index fc22b0b75..6958be7c2 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +24,12 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_city"
 name = "Unusual City For an AWS Command"
-note = """## Triage and analysis
+note = """
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
 
 ### Investigating an Unusual CloudTrail Event
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:
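Review bot: The context line `Investigating Unusual CloudTrail Error Activity ###` inside the `note` string this hunk edits carries its heading marker at the end, so it renders as plain text while the sibling rules touched by the same commit (`ml_cloudtrail_error_message_spike`, `ml_cloudtrail_rare_method_by_city`) render `### Investigating ...` as a heading in the investigation guide. Since the top of this string is already being rewritten, change that line to `### Investigating Unusual CloudTrail Error Activity` so analysts get the same section structure across the AWS ML rules. The remainder of the note is outside the hunk.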
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
similarity index 93%
rename from rules/ml/ml_cloudtrail_rare_method_by_country.toml
rename to rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index dc43a0197..03f21c212 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 anomaly_threshold = 50
@@ -23,7 +24,12 @@ interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_country"
 name = "Unusual Country For an AWS Command"
-note = """## Triage and analysis
+note = """
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
 
 ### Investigating an Unusual CloudTrail Event
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the geolocation of the source IP address. Here are some possible avenues of investigation:
diff --git a/rules/ml/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
similarity index 93%
rename from rules/ml/ml_cloudtrail_rare_method_by_user.toml
rename to rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 29635ab84..d98359aa1 100644
--- a/rules/ml/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/13"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 anomaly_threshold = 75
@@ -22,9 +23,15 @@
 interval = "15m"
 license = "Elastic License v2"
 machine_learning_job_id = "rare_method_for_a_username"
 name = "Unusual AWS Command for a User"
-note = """## Triage and analysis
+note = """
+## Config
+
+The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.
+
+## Triage and analysis
 ### Investigating an Unusual CloudTrail Event
+
 Detection alerts from this rule indicate an AWS API command or method call that is rare and unusual for the calling IAM user. Here are some possible avenues of investigation:
 - Consider the user as identified by the `user.name` field. Is this command part of an expected workflow for the user context? Examine the user identity in the `aws.cloudtrail.user_identity.arn` field and the access key id in the `aws.cloudtrail.user_identity.access_key_id` field which can help identify the precise user context. The user agent details in the `user_agent.original` field may also indicate what kind of a client made the request.
 - Consider the source IP address and geolocation for the calling user who issued the command. Do they look normal for the calling user? If the source is an EC2 IP address, is it associated with an EC2 instance in one of your accounts or could it be sourcing from an EC2 instance not under your control? If it is an authorized EC2 instance, is the activity associated with normal behavior for the instance role or roles? Are there any other alerts or signs of suspicious activity involving this instance?
diff --git a/rules/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
similarity index 97%
rename from rules/aws/persistence_ec2_network_acl_creation.toml
rename to rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index b109af0f8..6d56ce4ba 100644
--- a/rules/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
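Review bot: The blank line added under `### Investigating an Unusual CloudTrail Event` makes this note's markdown spacing differ from the by_city and by_country notes changed in the same commit, which keep the paragraph directly beneath the heading; either drop the added `+` line here or add the same blank line to the sibling rules so the four ML CloudTrail notes render alike. The `## Config` section also says nothing about the `rare_method_for_a_username` job named on the `machine_learning_job_id` context line, which a reader would expect stated next to the data-source requirement, e.g. `This rule also requires the rare_method_for_a_username machine learning job to be installed and running before the rule is enabled.` The `note` multi-line string is not closed within the hunk.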
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/04"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
similarity index 97%
rename from rules/aws/persistence_iam_group_creation.toml
rename to rules/integrations/aws/persistence_iam_group_creation.toml
index c9f4c4ec5..a0851382b 100644
--- a/rules/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/06/05"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
similarity index 97%
rename from rules/aws/persistence_rds_cluster_creation.toml
rename to rules/integrations/aws/persistence_rds_cluster_creation.toml
index f189d2479..5f806d24a 100644
--- a/rules/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
similarity index 97%
rename from rules/aws/persistence_rds_group_creation.toml
rename to rules/integrations/aws/persistence_rds_group_creation.toml
index e5cfe8ec1..746a85e59 100644
--- a/rules/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/06/05"
 maturity = "production"
-updated_date = "2021/06/05"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
similarity index 96%
rename from rules/aws/persistence_rds_instance_creation.toml
rename to rules/integrations/aws/persistence_rds_instance_creation.toml
index 687769cab..efe39b127 100644
--- a/rules/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/06/06"
 maturity = "production"
-updated_date = "2021/06/06"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
similarity index 97%
rename from rules/aws/persistence_route_53_domain_transfer_lock_disabled.toml
rename to rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index b1e43ea0d..d40018ebb 100644
--- a/rules/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/05/10"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
similarity index 97%
rename from rules/aws/persistence_route_53_domain_transferred_to_another_account.toml
rename to rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index bf2de57bb..e81b9391c 100644
--- a/rules/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/05/10"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
similarity index 97%
rename from rules/aws/privilege_escalation_root_login_without_mfa.toml
rename to rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index e1d42995b..37026f7c3 100644
--- a/rules/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
similarity index 97%
rename from rules/aws/privilege_escalation_updateassumerolepolicy.toml
rename to rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index fe42d5424..14c1f2afc 100644
--- a/rules/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "aws"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
similarity index 97%
rename from rules/azure/collection_update_event_hub_auth_rule.toml
rename to rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index f2f32ffd2..9c2442246 100644
--- a/rules/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml
similarity index 97%
rename from rules/azure/credential_access_key_vault_modified.toml
rename to rules/integrations/azure/credential_access_key_vault_modified.toml
index c8cb00d0b..4626cf146 100644
--- a/rules/azure/credential_access_key_vault_modified.toml
+++ b/rules/integrations/azure/credential_access_key_vault_modified.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
similarity index 97%
rename from rules/azure/credential_access_storage_account_key_regenerated.toml
rename to rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index 3fb65b30c..75fb07e47 100644
--- a/rules/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
similarity index 97%
rename from rules/azure/defense_evasion_azure_application_credential_modification.toml
rename to rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
index 20c3c94af..e3180ce57 100644
--- a/rules/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
similarity index 97%
rename from rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
rename to rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index f417c9b2c..3cf3da2c5 100644
--- a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
similarity index 97%
rename from rules/azure/defense_evasion_azure_service_principal_addition.toml
rename to rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index 47b37056b..49c7baaeb 100644
--- a/rules/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
similarity index 97%
rename from rules/azure/defense_evasion_event_hub_deletion.toml
rename to rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index 93f3d7583..575fffb79 100644
--- a/rules/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
similarity index 97%
rename from rules/azure/defense_evasion_firewall_policy_deletion.toml
rename to rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index 114deff19..a2d68e4ff 100644
--- a/rules/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
similarity index 97%
rename from rules/azure/defense_evasion_network_watcher_deletion.toml
rename to rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index 2673d2267..e63b13746 100644
--- a/rules/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml
similarity index 97%
rename from rules/azure/discovery_blob_container_access_mod.toml
rename to rules/integrations/azure/discovery_blob_container_access_mod.toml
index b7dcd4f3c..c6f417ddc 100644
--- a/rules/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml
similarity index 97%
rename from rules/azure/execution_command_virtual_machine.toml
rename to rules/integrations/azure/execution_command_virtual_machine.toml
index 4b694c280..d14d11ce1 100644
--- a/rules/azure/execution_command_virtual_machine.toml
+++ b/rules/integrations/azure/execution_command_virtual_machine.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/impact_azure_automation_runbook_deleted.toml b/rules/integrations/azure/impact_azure_automation_runbook_deleted.toml
similarity index 96%
rename from rules/azure/impact_azure_automation_runbook_deleted.toml
rename to rules/integrations/azure/impact_azure_automation_runbook_deleted.toml
index ff425325f..2b9b46a0f 100644
--- a/rules/azure/impact_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/impact_azure_automation_runbook_deleted.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
similarity index 97%
rename from rules/azure/impact_azure_service_principal_credentials_added.toml
rename to rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
index b4904a237..c9e558e27 100644
--- a/rules/azure/impact_azure_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/05/05"
 maturity = "production"
-updated_date = "2021/05/05"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
diff --git a/rules/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml
similarity index 97%
rename from rules/azure/impact_resource_group_deletion.toml
rename to rules/integrations/azure/impact_resource_group_deletion.toml
index 1e9505643..4803ecb68 100644
--- a/rules/azure/impact_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resource_group_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
similarity index 97%
rename from rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
rename to rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index b86f013fb..906d0606e 100644
--- a/rules/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/01/04"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic", "Willem D'Haese"]
diff --git a/rules/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
similarity index 97%
rename from rules/azure/initial_access_azure_active_directory_powershell_signin.toml
rename to rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index a76d8128e..5c5b2e492 100644
--- a/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/12/14"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
similarity index 98%
rename from rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
rename to rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index e49b30313..7b7556d24 100644
--- a/rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
similarity index 97%
rename from rules/azure/initial_access_external_guest_user_invite.toml
rename to rules/integrations/azure/initial_access_external_guest_user_invite.toml
index e6c1cc949..c3d75fff2 100644
--- a/rules/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml
similarity index 97%
rename from rules/azure/persistence_azure_automation_account_created.toml
rename to rules/integrations/azure/persistence_azure_automation_account_created.toml
index 798d91e65..cb6dd3dbc 100644
--- a/rules/azure/persistence_azure_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
similarity index 96%
rename from rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
rename to rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
index ac281f635..a71006a46 100644
--- a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
similarity index 96%
rename from rules/azure/persistence_azure_automation_webhook_created.toml
rename to rules/integrations/azure/persistence_azure_automation_webhook_created.toml
index a37f7c3ad..7220f459a 100644
--- a/rules/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
similarity index 97%
rename from rules/azure/persistence_azure_conditional_access_policy_modified.toml
rename to rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
index 4e737e79e..ef3b874a3 100644
--- a/rules/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
similarity index 97%
rename from rules/azure/persistence_azure_pim_user_added_global_admin.toml
rename to rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index 65d81e8d0..5888f921a 100644
--- a/rules/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/24"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
similarity index 97%
rename from rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
rename to rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index 1d6edcc87..44a788198 100644
--- a/rules/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
similarity index 96%
rename from rules/azure/persistence_mfa_disabled_for_azure_user.toml
rename to rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index fbcb6d8c0..6824c4e47 100644
--- a/rules/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
similarity index 96%
rename from rules/azure/persistence_user_added_as_owner_for_azure_application.toml
rename to rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index e7804741a..9118cbe46 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
similarity index 97%
rename from rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
rename to rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
index d21f4a407..77c798d35 100644
--- a/rules/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "azure"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
similarity index 97%
rename from rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
rename to rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 8e729a7ec..31a8fc3d2 100644
--- a/rules/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
similarity index 97%
rename from rules/gcp/collection_gcp_pub_sub_topic_creation.toml
rename to rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index 55fd2bc64..bc5ec634f 100644
--- a/rules/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
similarity index 97%
rename from rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
rename to rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
index 98486db1a..8ce7d7a1b 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_created.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
similarity index 97%
rename from rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
rename to rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
index 2494ce0fd..d7dea736e 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
similarity index 97%
rename from rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
rename to rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
index 8ab15b925..062d69925 100644
--- a/rules/gcp/defense_evasion_gcp_firewall_rule_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
similarity index 97%
rename from rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
rename to rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index e03f4bd2e..6ea5923aa 100644
--- a/rules/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
similarity index 97%
rename from rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
rename to rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index d99130274..b96485a7e 100644
--- a/rules/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
similarity index 97%
rename from rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
rename to rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index ca0343a54..98d0c4596 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/23"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
similarity index 97%
rename from rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
rename to rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index 1fe7b3f4d..47c5e4a7f 100644
--- a/rules/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
similarity index 96%
rename from rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
rename to rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
index 2bc42b9c3..d8df8e451 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
similarity index 97%
rename from rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
rename to rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
index 49401c18e..65c5763a5 100644
--- a/rules/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
similarity index 97%
rename from rules/gcp/exfiltration_gcp_logging_sink_modification.toml
rename to rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index b735412de..c0d2cf28d 100644
--- a/rules/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
similarity index 97%
rename from rules/gcp/impact_gcp_iam_role_deletion.toml
rename to rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index 16f93ee58..686f1efe2 100644
--- a/rules/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
similarity index 97%
rename from rules/gcp/impact_gcp_service_account_deleted.toml
rename to rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index 0f167ac7b..70f42ef98 100644
--- a/rules/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
similarity index 97%
rename from rules/gcp/impact_gcp_service_account_disabled.toml
rename to rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index 4e0c480c3..809316e34 100644
--- a/rules/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
similarity index 97%
rename from rules/gcp/impact_gcp_storage_bucket_deleted.toml
rename to rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index 87c6325a0..ad429ee8c 100644
--- a/rules/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
similarity index 96%
rename from rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
rename to rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
index 1048d586f..655257c37 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_network_deleted.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
similarity index 96%
rename from rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
rename to rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
index 7e79082d4..766848a51 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_created.toml
+++ b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_created.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
similarity index 96%
rename from rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
rename to rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
index 1e73654b8..26a27c7f9 100644
--- a/rules/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_virtual_private_cloud_route_deleted.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
similarity index 97%
rename from rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
rename to rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index d27befa4e..491d14b64 100644
--- a/rules/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
similarity index 97%
rename from rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
rename to rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 1c2d66959..d33662201 100644
--- a/rules/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
similarity index 97%
rename from rules/gcp/persistence_gcp_key_created_for_service_account.toml
rename to rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index 88ee49bc1..77a9b161b 100644
--- a/rules/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
similarity index 97%
rename from rules/gcp/persistence_gcp_service_account_created.toml
rename to rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 0d7de23d2..6a2c19384 100644
--- a/rules/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "gcp"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/google-workspace/application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
similarity index 97%
rename from rules/google-workspace/application_added_to_google_workspace_domain.toml
rename to rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
index 3703336a2..eba37c515 100644
--- a/rules/google-workspace/application_added_to_google_workspace_domain.toml
+++ b/rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "google_workspace"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
similarity index 97%
rename from rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml
rename to rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
index cb3299449..503a12930 100644
--- a/rules/google-workspace/domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "google_workspace"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/google-workspace/google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
similarity index 97%
rename from rules/google-workspace/google_workspace_admin_role_deletion.toml
rename to rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
index d2b9d8b34..b71aed2ab 100644
--- a/rules/google-workspace/google_workspace_admin_role_deletion.toml
+++ b/rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "google_workspace"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
similarity index 98%
rename from rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
rename to rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
index 238657064..2f3c167c7 100644
--- a/rules/google-workspace/google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
@@ -2,6 +2,7 @@
 creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2021/07/21"
+integration = "google_workspace"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/google-workspace/google_workspace_policy_modified.toml b/rules/integrations/google_workspace/google_workspace_policy_modified.toml
similarity index 98%
rename from rules/google-workspace/google_workspace_policy_modified.toml
rename to rules/integrations/google_workspace/google_workspace_policy_modified.toml
index 40f32e080..28e5076e1 100644
--- a/rules/google-workspace/google_workspace_policy_modified.toml
+++ b/rules/integrations/google_workspace/google_workspace_policy_modified.toml
@@ -2,6 +2,7 @@
 creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2021/07/21"
+integration = "google_workspace"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
similarity index 98%
rename from rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
rename to rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
index bfe16810c..670b8fd78 100644
--- a/rules/google-workspace/mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
@@ -2,6 +2,7 @@
 creation_date = "2020/11/17"
 maturity = "production"
 updated_date = "2021/07/21"
+integration = "google_workspace"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
similarity index 97%
rename from rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
rename to rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index 49648f5fa..9b7189977 100644
--- a/rules/google-workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "google_workspace"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
similarity index 97%
rename from rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
rename to rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index 10e9100c2..94c04cceb 100644
--- a/rules/google-workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/12"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "google_workspace"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
similarity index 97%
rename from rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml
rename to rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index 4b468c4c8..60547015d 100644
--- a/rules/google-workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "google_workspace"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/google-workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
similarity index 97%
rename from rules/google-workspace/persistence_google_workspace_role_modified.toml
rename to rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index 90669e3b6..1177a0543 100644
--- a/rules/google-workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/17"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "google_workspace"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
similarity index 97%
rename from rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml
rename to rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
index 15e82fbbc..fbb16a01b 100644
--- a/rules/microsoft-365/collection_microsoft_365_new_inbox_rule.toml
+++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2021/03/29"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic", "Gary Blackwell", "Austin Songer"]
diff --git a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
similarity index 97%
rename from rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
rename to rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index a982064ad..4f1db92af 100644
--- a/rules/microsoft-365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/06/15"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
diff --git a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
similarity index 97%
rename from rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml
rename to rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index 02f923c55..60ab610b4 100644
--- a/rules/microsoft-365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/12/01"
 maturity = "production"
-updated_date = "2021/05/24"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
similarity index 100%
rename from rules/microsoft-365/credential_access_user_excessive_sso_logon_errors.toml
rename to rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
similarity index 97%
rename from rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
rename to rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index 171edc5a2..2758714af 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
similarity index 97%
rename from rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
rename to rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index b289b7583..2406d2fef 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
similarity index 97%
rename from rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
rename to rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index 16159c1bb..ef31bd061 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
similarity index 97%
rename from rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
rename to rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index 3e63453b8..15e68c94a 100644
--- a/rules/microsoft-365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
similarity index 97%
rename from rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
rename to rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 693de73a4..395e79f4d 100644
--- a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
similarity index 97%
rename from rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
rename to rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index c1a1ec8fb..bc41c6e13 100644
--- a/rules/microsoft-365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
similarity index 97%
rename from rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
rename to rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index b5a7d2817..aeeb483c7 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
similarity index 97%
rename from rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
rename to rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index 7e9ce2fa4..b201685ef 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/19"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
similarity index 97%
rename from rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
rename to rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index 6b7a65ec6..677758050 100644
--- a/rules/microsoft-365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml
similarity index 97%
rename from rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml
rename to rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml
index a4b103a03..49dea5f36 100644
--- a/rules/microsoft-365/microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/18"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/microsoft_365_teams_custom_app_interaction_allowed.toml
similarity index 97%
rename from rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml
rename to rules/integrations/o365/microsoft_365_teams_custom_app_interaction_allowed.toml
index f67493f98..ad6a0c062 100644
--- a/rules/microsoft-365/microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
similarity index 97%
rename from rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml
rename to rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index 1646fc7b1..3969604cf 100644
--- a/rules/microsoft-365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
similarity index 97%
rename from rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
rename to rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
index 3bd94958e..3ef701257 100644
--- a/rules/microsoft-365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/30"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
similarity index 97%
rename from rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
rename to rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index 589df0229..bba076a46 100644
--- a/rules/microsoft-365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "o365"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/attempt_to_deactivate_okta_network_zone.toml
similarity index 96%
rename from rules/okta/attempt_to_deactivate_okta_network_zone.toml
rename to rules/integrations/okta/attempt_to_deactivate_okta_network_zone.toml
index c74e881ae..80092f4fe 100644
--- a/rules/okta/attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/attempt_to_deactivate_okta_network_zone.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/attempt_to_delete_okta_network_zone.toml
similarity index 96%
rename from rules/okta/attempt_to_delete_okta_network_zone.toml
rename to rules/integrations/okta/attempt_to_delete_okta_network_zone.toml
index fe7d9566a..ebce1cd8f 100644
--- a/rules/okta/attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/attempt_to_delete_okta_network_zone.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
similarity index 96%
rename from rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
rename to rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 11c726c5a..8e405ff44 100644
--- a/rules/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
similarity index 96%
rename from rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
rename to rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index 4a5bc1124..74fa9456e 100644
--- a/rules/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/05/18"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
diff --git a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
similarity index 97%
rename from rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
rename to rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index 6d680bbeb..4e1754a52 100644
--- a/rules/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/16"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
similarity index 98%
rename from rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
rename to rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 3a04c2170..07a6d7b76 100644
--- a/rules/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/05/12"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
diff --git a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
similarity index 96%
rename from rules/okta/impact_attempt_to_revoke_okta_api_token.toml
rename to rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index a4ab0edb7..75059547b 100644
--- a/rules/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
similarity index 97%
rename from rules/okta/impact_possible_okta_dos_attack.toml
rename to rules/integrations/okta/impact_possible_okta_dos_attack.toml
index 70dba7fc3..344bc46d6 100644
--- a/rules/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
similarity index 97%
rename from rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
rename to rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index f10b8ce35..d565631a1 100644
--- a/rules/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/okta_attempt_to_deactivate_okta_application.toml
similarity index 96%
rename from rules/okta/okta_attempt_to_deactivate_okta_application.toml
rename to rules/integrations/okta/okta_attempt_to_deactivate_okta_application.toml
index 2f5079f06..873d8aa39 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/okta_attempt_to_deactivate_okta_application.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy.toml
similarity index 96%
rename from rules/okta/okta_attempt_to_deactivate_okta_policy.toml
rename to rules/integrations/okta/okta_attempt_to_deactivate_okta_policy.toml
index 8ac981f57..27f1c7dcf 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
similarity index 96%
rename from rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
rename to rules/integrations/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
index 4cc4e65c0..d659b89ea 100644
--- a/rules/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/okta_attempt_to_delete_okta_application.toml
similarity index 96%
rename from rules/okta/okta_attempt_to_delete_okta_application.toml
rename to rules/integrations/okta/okta_attempt_to_delete_okta_application.toml
index ff67f8fda..513bc21c3 100644
--- a/rules/okta/okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/okta_attempt_to_delete_okta_application.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/okta_attempt_to_delete_okta_policy.toml
similarity index 96%
rename from rules/okta/okta_attempt_to_delete_okta_policy.toml
rename to rules/integrations/okta/okta_attempt_to_delete_okta_policy.toml
index bd23ac267..05130455b 100644
--- a/rules/okta/okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/okta_attempt_to_delete_okta_policy.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/28"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/okta_attempt_to_delete_okta_policy_rule.toml
similarity index 96%
rename from rules/okta/okta_attempt_to_delete_okta_policy_rule.toml
rename to rules/integrations/okta/okta_attempt_to_delete_okta_policy_rule.toml
index e05dd74c4..ba9f4c6e0 100644
--- a/rules/okta/okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/okta_attempt_to_delete_okta_policy_rule.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/okta_attempt_to_modify_okta_application.toml
similarity index 96%
rename from rules/okta/okta_attempt_to_modify_okta_application.toml
rename to rules/integrations/okta/okta_attempt_to_modify_okta_application.toml
index e47270407..b2ec1e9ec 100644
--- a/rules/okta/okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/okta_attempt_to_modify_okta_application.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/okta_attempt_to_modify_okta_network_zone.toml
similarity index 96%
rename from rules/okta/okta_attempt_to_modify_okta_network_zone.toml
rename to rules/integrations/okta/okta_attempt_to_modify_okta_network_zone.toml
index cb600ff35..98858b363 100644
--- a/rules/okta/okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/okta_attempt_to_modify_okta_network_zone.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/okta_attempt_to_modify_okta_policy.toml
similarity index 96%
rename from rules/okta/okta_attempt_to_modify_okta_policy.toml
rename to rules/integrations/okta/okta_attempt_to_modify_okta_policy.toml
index bac0fbf24..0fb7c0cc9 100644
--- a/rules/okta/okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/okta_attempt_to_modify_okta_policy.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/okta_attempt_to_modify_okta_policy_rule.toml
similarity index 96%
rename from rules/okta/okta_attempt_to_modify_okta_policy_rule.toml
rename to rules/integrations/okta/okta_attempt_to_modify_okta_policy_rule.toml
index cdfe2be03..1d27bc0a9 100644
--- a/rules/okta/okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/okta_attempt_to_modify_okta_policy_rule.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
similarity index 96%
rename from rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
rename to rules/integrations/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index b81bfbeba..a26e9880c 100644
--- a/rules/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/07/01"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
similarity index 96%
rename from rules/okta/okta_threat_detected_by_okta_threatinsight.toml
rename to rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
index 1c43d8e0d..cb839b2fe 100644
--- a/rules/okta/okta_threat_detected_by_okta_threatinsight.toml
+++ b/rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
similarity index 97%
rename from rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
rename to rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index 77db946d6..cd9ed22e1 100644
--- a/rules/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
similarity index 97%
rename from rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
rename to rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 39c137944..da1202900 100644
--- a/rules/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/11/06"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
similarity index 97%
rename from rules/okta/persistence_attempt_to_create_okta_api_token.toml
rename to rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index 4d548ca2c..a108f451e 100644
--- a/rules/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
similarity index 96%
rename from rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
rename to rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index cf36f40ce..afd22d362 100644
--- a/rules/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/20"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
similarity index 97%
rename from rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
rename to rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index e956ab402..f77ad1b3f 100644
--- a/rules/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -1,7 +1,8 @@
 [metadata]
 creation_date = "2020/05/21"
 maturity = "production"
-updated_date = "2021/05/10"
+updated_date = "2021/07/20"
+integration = "okta"
 
 [rule]
 author = ["Elastic"]
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index a6fd4edce..1fbee4962 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -16,6 +16,7 @@ from detection_rules import attack
 from detection_rules.packaging import load_versions
 from detection_rules.rule import QueryRuleData
 from detection_rules.rule_loader import FILE_PATTERN
+from detection_rules.schemas import definitions
 from detection_rules.utils import get_path, load_etc_dump
 from rta import get_ttp_names
 from .base import BaseRuleTest
@@ -327,7 +328,7 @@ class TestRuleTimelines(BaseRuleTest):
 class TestRuleFiles(BaseRuleTest):
     """Test the expected file names."""
 
-    def test_rule_file_names_by_tactic(self):
+    def test_rule_file_name_tactic(self):
         """Test to ensure rule files have the primary tactic prepended to the filename."""
         bad_name_rules = []
 
@@ -335,7 +336,8 @@ class TestRuleFiles(BaseRuleTest):
             rule_path = rule.path.resolve()
             filename = rule_path.name
 
-            if rule_path.parent.name == 'ml':
+            # machine learning jobs should be in rules/ml or rules/integrations/
+            if rule.contents.data.type == definitions.MACHINE_LEARNING:
                 continue
 
             threat = rule.contents.data.threat
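Review bot: The comment added in the last hunk, `# machine learning jobs should be in rules/ml or rules/integrations/`, states a location constraint that the line under it does not enforce: the new `continue` fires for any rule whose `type` equals `definitions.MACHINE_LEARNING` no matter which directory it lives in, so an ML rule dropped anywhere else passes silently while the comment tells the next reader otherwise. Either reword it to what the check actually does, e.g. `# machine_learning rules carry no tactic, so the tactic-prefix filename rule does not apply`, or keep the claim and back it with an assertion on `rule_path.parent` before the `continue`. The previous directory-based skip also exempted any non-ML rule that happened to live under `rules/ml`; if such rules exist they now fall through to the tactic check, which is presumably intended but worth confirming. The `for` loop and the rest of `test_rule_file_name_tactic` continue outside the hunk.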
@@ -468,30 +470,33 @@ class TestLicense(BaseRuleTest):
         self.assertEqual(rule_license, 'Elastic License v2', err_msg)
 
 
-class TestRuleInvestigationGuide(BaseRuleTest):
+class TestIntegrationRules(BaseRuleTest):
     """Test the note field of a rule."""
 
-    def test_config(self):
+    def test_integration_guide(self):
         """Test that rules which require a config note are using standard verbiage."""
         config = '## Config\n\n'
         beats_integration_pattern = config + 'The {} Fleet integration, Filebeat module, or similarly ' \
                                              'structured data is required to be compatible with this rule.'
 
-        required = {
-            'aws': beats_integration_pattern.format('AWS'),
-            'azure': beats_integration_pattern.format('Azure'),
-            'gcp': beats_integration_pattern.format('GCP'),
-            'google-workspace': beats_integration_pattern.format('Google Workspace'),
-            'microsoft-365': beats_integration_pattern.format('Microsoft 365'),
-            'okta': beats_integration_pattern.format('Okta'),
+        render = beats_integration_pattern.format
+        integration_notes = {
+            'aws': render('AWS'),
+            'azure': render('Azure'),
+            'cyberarkpas': render('CyberArk Privileged Access Security (PAS)'),
+            'gcp': render('GCP'),
+            'google_workspace': render('Google Workspace'),
+            'o365': render('Microsoft 365'),
+            'okta': render('Okta'),
         }
 
         for rule in self.all_rules:
-            rule_dir = rule.path.parts[-2]
-            note_str = required.get(rule_dir)
+            integration = rule.contents.metadata.integration
+            note_str = integration_notes.get(integration)
+
             if note_str:
                 self.assert_(rule.contents.data.note, f'{self.rule_str(rule)} note required for config information')
                 if note_str not in rule.contents.data.note:
-                    self.fail(f'{self.rule_str(rule)} expected config missing\n\n'
+                    self.fail(f'{self.rule_str(rule)} expected {integration} config missing\n\n'
                               f'Expected: {note_str}\n\n'
                               f'Actual: {rule.contents.data.note}')
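Review bot: `note_str = integration_notes.get(integration)` followed by `if note_str:` silently skips every rule whose `integration` metadata is missing, misspelled, or not yet listed in `integration_notes`, so a new integration (or a rule still carrying the old `google-workspace` / `microsoft-365` spelling now that the keys are `google_workspace` / `o365`) would ship without the required config note while this test stays green. The old lookup could not drift that way because the directory name was the key; the new allowlist needs an explicit failure for unknown values, e.g. before the `if`: `if integration and integration not in integration_notes:` / `self.fail(f'{self.rule_str(rule)} unknown integration {integration!r}; add it to integration_notes')`. Whether `metadata.integration` is `None` for non-integration rules is not visible here and should be confirmed before relying on the truthiness check. Separately, the class docstring `"""Test the note field of a rule."""` no longer describes the renamed `TestIntegrationRules`, and `self.assert_` on the unchanged line is a deprecated alias removed in Python 3.12 — `self.assertTrue` is the safe spelling.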