[Security Content] Tags Reform (#2725)

* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2023-06-22 18:38:56 -03:00
committed by GitHub
parent 7d758fdacd
commit b4c84e8a40
817 changed files with 2148 additions and 2182 deletions
+2 -2
@@ -4,7 +4,7 @@ integration = ["apm"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_403"]
risk_score = 47
rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e"
severity = "medium"
tags = ["Elastic", "APM"]
tags = ["Data Source: APM"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["apm"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_405"]
risk_score = 47
rule_id = "75ee75d8-c180-481c-ba88-ee50129a6aef"
severity = "medium"
tags = ["Elastic", "APM"]
tags = ["Data Source: APM"]
timestamp_override = "event.ingested"
type = "query"
+2 -2
@@ -4,7 +4,7 @@ integration = ["apm"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["http://sqlmap.org/"]
risk_score = 47
rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
severity = "medium"
tags = ["Elastic", "APM"]
tags = ["Data Source: APM"]
timestamp_override = "event.ingested"
type = "query"
@@ -26,7 +26,7 @@ references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matan
risk_score = 73
rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Command and Control"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"]
type = "eql"
query = '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ references = ["https://attack.mitre.org/techniques/T1571/"]
risk_score = 21
rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "macOS"]
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS"]
type = "eql"
query = '''
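Review bot: The new tag list on the line for rule bc8ca7e0 places `"OS: macOS"` after the Tactic tag, while every other endpoint rule in this commit groups the OS tags together right after `"Domain: Endpoint"` (compare the list for rule 027ff9ea). The old order was carried over mechanically from the legacy list, but since the reform is establishing a fixed prefix order (Domain, OS, Use Case, Tactic), it is worth normalising here so that reviewers and any ordering-sensitive test see one convention: `tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"]`. This is a style point only; the tag set itself is unchanged.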
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
risk_score = 47
rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Credential Access"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
timestamp_override = "event.ingested"
type = "eql"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2022/08/24"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -25,7 +25,7 @@ name = "Agent Spoofing - Mismatched Agent ID"
risk_score = 73
rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93"
severity = "high"
tags = ["Elastic", "Threat Detection", "Defense Evasion"]
tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2022/08/24"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -25,7 +25,7 @@ name = "Agent Spoofing - Multiple Hosts Using Same Agent"
risk_score = 73
rule_id = "493834ca-f861-414c-8602-150d5505b777"
severity = "high"
tags = ["Elastic", "Threat Detection", "Defense Evasion"]
tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "threshold"
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
@@ -3,7 +3,7 @@ creation_date = "2022/05/23"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/15"
updated_date = "2023/06/22"
integration = ["endpoint"]
[rule]
@@ -26,7 +26,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
risk_score = 47
rule_id = "f5fb4598-4f10-11ed-bdc3-0242ac120002"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "b0046934-486e-462f-9487-0d4cf9e429c6"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Defense Evasion"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -55,7 +55,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery", "Investigation Guide"]
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ references = ["https://objective-see.com/blog/blog_0x4F.html"]
risk_score = 47
rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery"]
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
timestamp_override = "event.ingested"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -18,7 +18,7 @@ references = ["https://github.com/neoneggplant/EggShell"]
risk_score = 73
rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e"
severity = "high"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution"]
timestamp_override = "event.ingested"
type = "query"
@@ -2,7 +2,7 @@
creation_date = "2021/01/13"
integration = ["endpoint"]
maturity = "development"
updated_date = "2023/02/07"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Windows", "Threat Detection", "Execution"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"]
timestamp_override = "event.ingested"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -58,7 +58,7 @@ references = [
risk_score = 73
rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856"
severity = "high"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -60,7 +60,7 @@ references = [
risk_score = 47
rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability"]
timestamp_override = "event.ingested"
type = "eql"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
risk_score = 73
rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
severity = "high"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability"]
type = "eql"
query = '''
@@ -3,7 +3,7 @@ creation_date = "2022/09/22"
maturity = "production"
min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+"
min_stack_version = "8.7.0"
updated_date = "2023/01/24"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -44,7 +44,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.h
risk_score = 21
rule_id = "a198fbbd-9413-45ec-a269-47ae4ccf59ce"
severity = "low"
tags = ["Elastic", "Example", "Guided Onboarding", "Network", "APM", "Windows", "Elastic Endgame"]
tags = ["Use case: Guided Onboarding", "Data Source: APM", "OS: Windows", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "threshold"
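Review bot: The new tags for rule a198fbbd use `"Use case: Guided Onboarding"` with a lowercase "case", whereas every other rule in this commit spells the prefix `"Use Case: ..."` (e.g. `"Use Case: Threat Detection"`, `"Use Case: Log Auditing"`). Tag matching in the stack and in the repo's own tag tests is presumably an exact string comparison, so this variant would show up as a separate, unrelated tag and would not be found by a filter on the `Use Case:` prefix; the fix is `"Use Case: Guided Onboarding"`. Since the commit also updates the unit tests to the new tag set, this is a good place to add an assertion that every tag prefix is drawn from a fixed, case-sensitive allow-list so a future typo is caught at test time rather than after release.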
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -60,7 +60,7 @@ references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat
risk_score = 47
rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact", "Investigation Guide"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide"]
timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
timeline_title = "Comprehensive File Timeline"
timestamp_override = "event.ingested"
@@ -3,7 +3,7 @@ creation_date = "2020/09/14"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/08/24"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -29,13 +29,9 @@ risk_score = 47
rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba"
severity = "medium"
tags = [
"Elastic",
"Application",
"Communication",
"Zoom",
"Continuous Monitoring",
"SecOps",
"Configuration Audit",
"Data Source: Zoom",
"Use Case: Configuration Audit",
"Tactic: Initial Access"
]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2023/01/11"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -26,7 +26,7 @@ name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host"
risk_score = 73
rule_id = "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c"
severity = "high"
tags = ["Elastic", "Threat Detection", "Higher-Order Rules"]
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
timestamp_override = "event.ingested"
type = "threshold"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/11/16"
maturity = "production"
updated_date = "2023/01/11"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -28,7 +28,7 @@ name = "Multiple Alerts Involving a User"
risk_score = 73
rule_id = "0d160033-fab7-4e72-85a3-3a9d80c8bff7"
severity = "high"
tags = ["Elastic", "Threat Detection", "Higher-Order Rules"]
tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
timestamp_override = "event.ingested"
type = "threshold"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/04/24"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
risk_score = 47
rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Credential Access", "Persistence"]
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-
risk_score = 47
rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Persistence"]
tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/01/27"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "SSH Authorized Keys File Modification"
risk_score = 47
rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Lateral Movement", "Persistence"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Potential Privilege Escalation via Sudoers File Modification"
risk_score = 73
rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
severity = "high"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ name = "Setuid / Setgid Bit Set via chmod"
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
risk_score = 73
rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8"
severity = "high"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"]
type = "threshold"
query = '''
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Sudoers File Modification"
risk_score = 47
rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/11/24"
maturity = "production"
updated_date = "2022/11/28"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -49,7 +49,7 @@ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-
risk_score = 99
rule_id = "699e9fdb-b77c-4c01-995c-1c15019b9c43"
severity = "critical"
tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
type = "threat_match"
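Review bot: After the reform the two `threat_match` rules (699e9fdb here and 0c9a14d9 in the next hunk, same change) end up with only `"OS: Windows"`, `"Data Source: Elastic Endgame"` and `"Resources: Investigation Guide"`: the legacy `"Continuous Monitoring"`, `"SecOps"`, `"Monitoring"` and `"Network"` tags were dropped and nothing replaced them, so these are the only rules in the commit with neither a `Use Case:` nor a `Rule Type:` tag. The higher-order rules got `"Rule Type: Higher-Order Rule"` as part of the same reform, which suggests an equivalent `Rule Type:` tag (and a `Use Case: Threat Detection` tag) was intended here too; if so, add them, and if indicator-match rules are deliberately left untagged, note that in the tag taxonomy so the omission is not read as an oversight. I cannot see the rule bodies or the taxonomy definition from this page, so treat the exact tag names as a question for the authors.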
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2021/04/21"
maturity = "production"
updated_date = "2022/11/28"
updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -49,7 +49,7 @@ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-
risk_score = 99
rule_id = "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0"
severity = "critical"
tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
tags = ["OS: Windows", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
timeline_title = "Generic Threat Match Timeline"
type = "threat_match"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
risk_score = 21
rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Collection"]
timestamp_override = "event.ingested"
type = "query"
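Review bot: The AWS rules carry both `"Data Source: AWS"` and `"Data Source: Amazon Web Services"` after the reform (this hunk and every other `integration = ["aws"]` rule in the commit), which is the same provider expressed twice under the new prefixed scheme. The legacy list had both as free-form keywords for search, but with a structured `Data Source:` prefix a single canonical value is easier to filter on and to validate in the unit tests; I would keep `"Data Source: AWS"` and drop the long form, or, if the long form is meant to stay as a search alias, document that pairing in the taxonomy so it is not removed as a duplicate later. The `"Tactic: Collection"` tag added to rule 594e0cbf cannot be checked against its threat mapping from this page; confirm it matches the rule's `[[rule.threat]]` entries.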
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -71,14 +71,12 @@ risk_score = 47
rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636"
severity = "medium"
tags = [
"Elastic",
"Cloud",
"AWS",
"Amazon Web Services",
"Continuous Monitoring",
"SecOps",
"Identity and Access",
"Investigation Guide",
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Tactic: Credential Access"
]
type = "threshold"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -69,16 +69,13 @@ risk_score = 21
rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0"
severity = "low"
tags = [
"Elastic",
"Cloud",
"AWS",
"Amazon Web Services",
"Continuous Monitoring",
"SecOps",
"Identity and Access",
"Credential Access",
"Persistence",
"Investigation Guide",
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Identity and Access Audit",
"Tactic: Credential Access",
"Tactic: Persistence",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.6.0"
updated_date = "2023/04/26"
updated_date = "2023/06/22"
[rule]
author = ["Nick Jones", "Elastic"]
@@ -82,15 +82,11 @@ risk_score = 47
rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622"
severity = "medium"
tags = [
"Elastic",
"Cloud",
"AWS",
"Amazon Web Services",
"Continuous Monitoring",
"SecOps",
"Data Protection",
"Credential Access",
"Investigation Guide",
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Tactic: Credential Access",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "new_terms"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm
risk_score = 73
rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef"
severity = "high"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
type = "threshold"
query = '''
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -76,7 +76,7 @@ references = [
risk_score = 47
rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -80,7 +80,7 @@ references = [
risk_score = 47
rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -82,7 +82,7 @@ references = [
risk_score = 47
rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -80,7 +80,7 @@ references = [
risk_score = 21
rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
risk_score = 73
rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435"
severity = "high"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -79,7 +79,7 @@ references = [
risk_score = 73
rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872"
severity = "high"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -37,7 +37,7 @@ references = [
risk_score = 47
rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Austin Songer"]
@@ -32,7 +32,7 @@ references = [
risk_score = 21
rule_id = "7b3da11a-60a2-412e-8aa7-011e1eb9ed47"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Austin Songer"]
@@ -30,7 +30,7 @@ references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference
risk_score = 21
rule_id = "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Austin Songer"]
@@ -31,7 +31,7 @@ references = [
risk_score = 21
rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
risk_score = 73
rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef"
severity = "high"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
risk_score = 21
rule_id = "227dc608-e558-43d9-b521-150772250bae"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
risk_score = 47
rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
risk_score = 47
rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -36,7 +36,7 @@ references = [
risk_score = 47
rule_id = "c1812764-0788-470f-8e74-eb4a14d47573"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Exfiltration", "Tactic: Collection"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -82,15 +82,12 @@ risk_score = 47
rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56"
severity = "medium"
tags = [
"Elastic",
"Cloud",
"AWS",
"Amazon Web Services",
"Continuous Monitoring",
"SecOps",
"Asset Visibility",
"Exfiltration",
"Investigation Guide",
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Asset Visibility",
"Tactic: Exfiltration",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -32,7 +32,7 @@ references = ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.h
risk_score = 21
rule_id = "e919611d-6b6f-493b-8314-7ed6ac2e413b"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Tactic: Collection"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Sta
risk_score = 21
rule_id = "119c8877-8613-416d-a98a-96b6664ee73a"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Austin Songer"]
@@ -34,7 +34,7 @@ references = [
risk_score = 47
rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Defense Evasion"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Austin Songer"]
@@ -35,7 +35,7 @@ references = [
risk_score = 21
rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -76,7 +76,7 @@ references = [
risk_score = 21
rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -81,7 +81,7 @@ references = [
risk_score = 47
rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -82,15 +82,12 @@ risk_score = 47
rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17"
severity = "medium"
tags = [
"Elastic",
"Cloud",
"AWS",
"Amazon Web Services",
"Continuous Monitoring",
"SecOps",
"Log Auditing",
"Impact",
"Investigation Guide",
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Log Auditing",
"Tactic: Impact",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -36,7 +36,7 @@ references = [
risk_score = 47
rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Data Protection"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"
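Review bot: The old `"Data Protection"` tag is dropped from the new `tags` line without a `Use Case:` counterpart, whereas sibling sections map `"Asset Visibility"`, `"Log Auditing"`, `"Network Security"` and `"Identity and Access"` onto `Use Case:` tags; the next section (rule `536997f7-ae73-447d-a12d-bff1e8f5f0a0`) makes the same change. If these two rules are meant to carry no use-case tag that is fine, but as written the rename reads as a silent loss of a classification rather than a deliberate one. If the tag vocabulary defines a data-protection use case, adding it as a `"Use Case: …"` entry next to `"Domain: Cloud"` would keep the mapping uniform; that vocabulary is not visible here, so this needs confirming against it.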
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Austin Songer"]
@@ -36,7 +36,7 @@ references = [
risk_score = 47
rule_id = "536997f7-ae73-447d-a12d-bff1e8f5f0a0"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Data Protection"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -75,7 +75,7 @@ references = [
risk_score = 47
rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
risk_score = 21
rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Xavier Pich"]
@@ -37,7 +37,7 @@ references = [
risk_score = 47
rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -30,7 +30,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Del
risk_score = 21
rule_id = "863cdf31-7fd3-41cf-a185-681237ea277b"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -39,7 +39,7 @@ references = [
risk_score = 47
rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
risk_score = 47
rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
severity = "medium"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -66,14 +66,12 @@ risk_score = 47
rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
severity = "medium"
tags = [
"Elastic",
"Cloud",
"AWS",
"Amazon Web Services",
"Continuous Monitoring",
"SecOps",
"Identity and Access",
"Investigation Guide",
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Tactic: Initial Access"
]
timestamp_override = "event.ingested"
type = "query"
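Review bot: The final element `"Tactic: Initial Access"` of the multi-line `tags` array has no trailing comma, unlike the other multi-line arrays in this commit (their `"Resources: Investigation Guide",` entries keep one), and the same applies to `"Tactic: Privilege Escalation"` in the section for rule `bc0c6f0d-dab0-47a3-b135-0925f0a333bc`. Both forms are valid TOML, but the trailing comma keeps a future one-line addition to the array as a one-line diff; `"Tactic: Initial Access",` would match the convention used elsewhere in the change. The relative order of `Resources:` and `Tactic:` also differs between this array and the multi-line arrays above, which put the tactic before the resource tag; if any test or tooling compares tag lists as ordered sequences, settling on one order avoids spurious mismatches.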
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -32,7 +32,7 @@ references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
risk_score = 21
rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -80,15 +80,12 @@ risk_score = 21
rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
severity = "low"
tags = [
"Elastic",
"Cloud",
"AWS",
"Amazon Web Services",
"Continuous Monitoring",
"SecOps",
"Log Auditing",
"Initial Access",
"Investigation Guide",
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Log Auditing",
"Tactic: Initial Access",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
integration = ["aws"]
[rule]
@@ -87,6 +87,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
type = "machine_learning"
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
integration = ["aws"]
[rule]
@@ -89,6 +89,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
type = "machine_learning"
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
integration = ["aws"]
[rule]
@@ -91,6 +91,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
type = "machine_learning"
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
integration = ["aws"]
[rule]
@@ -91,6 +91,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
type = "machine_learning"
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
integration = ["aws"]
[rule]
@@ -89,6 +89,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
risk_score = 21
rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
type = "machine_learning"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -37,7 +37,7 @@ references = [
risk_score = 21
rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -33,7 +33,7 @@ references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-securi
risk_score = 21
rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
risk_score = 21
rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -37,7 +37,7 @@ references = [
risk_score = 21
rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
risk_score = 21
rule_id = "378f9024-8a0c-46a5-aa08-ce147ac73a4e"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
risk_score = 21
rule_id = "f30f3443-4fbb-4c27-ab89-c3ad49d62315"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -33,7 +33,7 @@ references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_Crea
risk_score = 21
rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -35,7 +35,7 @@ references = [
risk_score = 21
rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -30,7 +30,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Opera
risk_score = 21
rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Austin Songer"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Assoc
risk_score = 21
rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -34,7 +34,7 @@ references = [
risk_score = 21
rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic", "Austin Songer"]
@@ -38,7 +38,7 @@ references = [
risk_score = 21
rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -71,14 +71,12 @@ risk_score = 73
rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
severity = "high"
tags = [
"Elastic",
"Cloud",
"AWS",
"Amazon Web Services",
"Continuous Monitoring",
"SecOps",
"Identity and Access",
"Investigation Guide",
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Tactic: Privilege Escalation"
]
timestamp_override = "event.ingested"
type = "query"
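Review bot: The rewritten multi-line `tags` array ends without a trailing comma after `"Tactic: Privilege Escalation"`, while every other element keeps one; a trailing comma on the last element keeps the next tag addition to a one-line diff, as the old array's `"Investigation Guide",` did. The same applies to the array for rule a60326d7-dca7-4fb7-93eb-1ca03a1febbd. Change the closing element to `"Tactic: Privilege Escalation",`.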
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Austin Songer"]
@@ -24,7 +24,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRol
risk_score = 21
rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
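Review bot: `"Tactic: Privilege Escalation"` is introduced for rule 93075852-b0f5-4b8b-89c3-a226efae5726, whose previous tag set carried no tactic at all; the `[[rule.threat]]` block that should justify it lies outside this hunk, so the match cannot be confirmed here. Tactic tags are free-form strings that the TOML parser cannot validate, so a mismatch or typo stays silent unless the tag unit test derives the expected `Tactic:` entries from each rule's `threat[*].tactic.name` rather than from a fixed allow-list. The same check applies to rule b45ab1d2-712f-4f01-a751-df3826969807 in the next hunk.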
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Austin Songer"]
@@ -30,7 +30,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessio
risk_score = 21
rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
severity = "low"
tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["aws"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/03/06"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -72,14 +72,12 @@ risk_score = 21
rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
severity = "low"
tags = [
"Elastic",
"Cloud",
"AWS",
"Amazon Web Services",
"Continuous Monitoring",
"SecOps",
"Identity and Access",
"Investigation Guide",
"Domain: Cloud",
"Data Source: AWS",
"Data Source: Amazon Web Services",
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Tactic: Privilege Escalation"
]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-acces
risk_score = 47
rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Collection"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Austin Songer"]
@@ -33,7 +33,7 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
risk_score = 47
rule_id = "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"]
tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"]
timestamp_override = "event.ingested"
type = "query"
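Review bot: After the rewrite rule 3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f keeps no `Use Case:` tag — the legacy `"Monitoring"` tag is dropped with nothing replacing it — while the neighbouring Azure rules each retain one (`"Use Case: Log Auditing"`, `"Use Case: Identity and Access Audit"`, `"Use Case: Configuration Audit"`). Rule 792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec loses `"Data Protection"` the same way. This is presumably deliberate because the taxonomy has no use-case bucket for them, but a line in the tag mapping notes stating which legacy tags map to nothing would make the omission auditable rather than looking like a lost tag.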
@@ -4,7 +4,7 @@ integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -36,7 +36,7 @@ references = [
risk_score = 47
rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Data Protection"]
tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
risk_score = 21
rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
severity = "low"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -36,7 +36,7 @@ references = [
risk_score = 47
rule_id = "1a36cace-11a7-43a8-9a10-b497c5a02cd3"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
@@ -4,7 +4,7 @@ integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
risk_score = 21
rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
severity = "low"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"]
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
