diff --git a/rules/apm/apm_403_response_to_a_post.toml b/rules/apm/apm_403_response_to_a_post.toml
index daae75a04..28bea375c 100644
--- a/rules/apm/apm_403_response_to_a_post.toml
+++ b/rules/apm/apm_403_response_to_a_post.toml
@@ -4,7 +4,7 @@ integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_403"]
 risk_score = 47
 rule_id = "a87a4e42-1d82-44bd-b0bf-d9b7f91fb89e"
 severity = "medium"
-tags = ["Elastic", "APM"]
+tags = ["Data Source: APM"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/apm/apm_405_response_method_not_allowed.toml b/rules/apm/apm_405_response_method_not_allowed.toml
index 45f9b179a..4f3b957f2 100644
--- a/rules/apm/apm_405_response_method_not_allowed.toml
+++ b/rules/apm/apm_405_response_method_not_allowed.toml
@@ -4,7 +4,7 @@ integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/HTTP_405"]
 risk_score = 47
 rule_id = "75ee75d8-c180-481c-ba88-ee50129a6aef"
 severity = "medium"
-tags = ["Elastic", "APM"]
+tags = ["Data Source: APM"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/apm/apm_sqlmap_user_agent.toml b/rules/apm/apm_sqlmap_user_agent.toml
index db3ec8ce1..b147173d8 100644
--- a/rules/apm/apm_sqlmap_user_agent.toml
+++ b/rules/apm/apm_sqlmap_user_agent.toml
@@ -4,7 +4,7 @@ integration = ["apm"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["http://sqlmap.org/"]
 risk_score = 47
 rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
 severity = "medium"
-tags = ["Elastic", "APM"]
+tags = ["Data Source: APM"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
index 69af0c7d1..5ff9158c8 100644
--- a/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
+++ b/rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
@@ -26,7 +26,7 @@ references = ["https://intelligence.abnormalsecurity.com/blog/google-drive-matan
 risk_score = 73
 rule_id = "a8afdce2-0ec1-11ee-b843-f661ea17fbcd"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Command and Control"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control"]
 type = "eql"
 
 query = '''
diff --git a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
index e8169e565..279ac6ac6 100644
--- a/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
+++ b/rules/cross-platform/command_and_control_non_standard_ssh_port.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
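Review bot: The command_and_control_google_drive_malicious_file_download section carries only the tags hunk, so unlike every other rule in this change its `updated_date` is not bumped to `"2023/06/22"`. If that file's metadata does not already carry the current date (it is not visible in this hunk), the date should be advanced together with the tag rewrite so the rule's version history reflects the edit, e.g. `updated_date = "2023/06/22"` in the `[metadata]` block. The tag mapping itself matches the other endpoint rules.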
@@ -30,7 +30,7 @@ references = ["https://attack.mitre.org/techniques/T1571/"]
 risk_score = 21
 rule_id = "bc8ca7e0-92fd-4b7c-b11e-ee0266b8d9c9"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "macOS"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "OS: macOS"]
 type = "eql"
 
 query = '''
diff --git a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
index 64dab70ad..914c8924b 100644
--- a/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
+++ b/rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
index 0b50b84fd..be6661803 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2022/08/24"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -25,7 +25,7 @@ name = "Agent Spoofing - Mismatched Agent ID"
 risk_score = 73
 rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93"
 severity = "high"
-tags = ["Elastic", "Threat Detection", "Defense Evasion"]
+tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
index f3b5ba6f7..4003974f4 100644
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/07/14"
 maturity = "production"
-updated_date = "2022/08/24"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -25,7 +25,7 @@ name = "Agent Spoofing - Multiple Hosts Using Same Agent"
 risk_score = 73
 rule_id = "493834ca-f861-414c-8602-150d5505b777"
 severity = "high"
-tags = ["Elastic", "Threat Detection", "Defense Evasion"]
+tags = ["Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "threshold"
 
diff --git a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
index 4131da915..d92aa479d 100644
--- a/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
+++ b/rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "665e7a4f-c58e-4fc6-bc83-87a7572670ac"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
index 15e1aa0fe..ee9dcebb2 100644
--- a/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
+++ b/rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
index c0acaedfb..ec1d86aa7 100644
--- a/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
+++ b/rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
@@ -3,7 +3,7 @@ creation_date = "2022/05/23"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/15"
+updated_date = "2023/06/22"
 integration = ["endpoint"]
 
 [rule]
@@ -26,7 +26,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "b627cd12-dac4-11ec-9582-f661ea17fbcd"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
index 2f9a05668..c9028b0fc 100644
--- a/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
+++ b/rules/cross-platform/defense_evasion_masquerading_space_after_filename.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 47
 rule_id = "f5fb4598-4f10-11ed-bdc3-0242ac120002"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/cross-platform/defense_evasion_timestomp_touch.toml b/rules/cross-platform/defense_evasion_timestomp_touch.toml
index 79ae02377..2eb32d1ce 100644
--- a/rules/cross-platform/defense_evasion_timestomp_touch.toml
+++ b/rules/cross-platform/defense_evasion_timestomp_touch.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "b0046934-486e-462f-9487-0d4cf9e429c6"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/cross-platform/discovery_security_software_grep.toml b/rules/cross-platform/discovery_security_software_grep.toml
index 99f60919b..5faa2f209 100644
--- a/rules/cross-platform/discovery_security_software_grep.toml
+++ b/rules/cross-platform/discovery_security_software_grep.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "870aecc0-cea4-4110-af3f-e02e9b373655"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
index 3c2217ab4..403dc2fa6 100644
--- a/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
+++ b/rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = ["https://objective-see.com/blog/blog_0x4F.html"]
 risk_score = 47
 rule_id = "c85eb82c-d2c8-485c-a36f-534f914b7663"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Discovery"]
+tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
index fe42c3120..2ba283eec 100644
--- a/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
+++ b/rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ references = ["https://github.com/neoneggplant/EggShell"]
 risk_score = 73
 rule_id = "41824afb-d68c-4d0e-bfee-474dac1fa56e"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/cross-platform/execution_python_script_in_cmdline.toml b/rules/cross-platform/execution_python_script_in_cmdline.toml
index 8668373dd..e273d34fb 100644
--- a/rules/cross-platform/execution_python_script_in_cmdline.toml
+++ b/rules/cross-platform/execution_python_script_in_cmdline.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/01/13"
 integration = ["endpoint"]
 maturity = "development"
-updated_date = "2023/02/07"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "ee9f08dc-cf80-4124-94ae-08c405f059ae"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "macOS", "Windows", "Threat Detection", "Execution"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/cross-platform/execution_revershell_via_shell_cmd.toml b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
index d75a74b47..0b9250763 100644
--- a/rules/cross-platform/execution_revershell_via_shell_cmd.toml
+++ b/rules/cross-platform/execution_revershell_via_shell_cmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ references = [
 risk_score = 73
 rule_id = "a1a0375f-22c2-48c0-81a4-7c2d11cc6856"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/cross-platform/execution_suspicious_jar_child_process.toml b/rules/cross-platform/execution_suspicious_jar_child_process.toml
index 7713324cb..2e55072bc 100644
--- a/rules/cross-platform/execution_suspicious_jar_child_process.toml
+++ b/rules/cross-platform/execution_suspicious_jar_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,7 @@ references = [
 risk_score = 47
 rule_id = "8acb7614-1d92-4359-bfcf-478b6d9de150"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
index ef58fbef7..2b0923ea2 100644
--- a/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
+++ b/rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "c3f5e1d8-910e-43b4-8d44-d748e498ca86"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Execution"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Use Case: Vulnerability"]
 type = "eql"
 
 query = '''
diff --git a/rules/cross-platform/guided_onboarding_sample_rule.toml b/rules/cross-platform/guided_onboarding_sample_rule.toml
index d59040ff6..ec4752264 100644
--- a/rules/cross-platform/guided_onboarding_sample_rule.toml
+++ b/rules/cross-platform/guided_onboarding_sample_rule.toml
@@ -3,7 +3,7 @@ creation_date = "2022/09/22"
 maturity = "production"
 min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+"
 min_stack_version = "8.7.0"
-updated_date = "2023/01/24"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -44,7 +44,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.h
 risk_score = 21
 rule_id = "a198fbbd-9413-45ec-a269-47ae4ccf59ce"
 severity = "low"
-tags = ["Elastic", "Example", "Guided Onboarding", "Network", "APM", "Windows", "Elastic Endgame"]
+tags = ["Use case: Guided Onboarding", "Data Source: APM", "OS: Windows", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "threshold"
 
diff --git a/rules/cross-platform/impact_hosts_file_modified.toml b/rules/cross-platform/impact_hosts_file_modified.toml
index 964ef01ad..4b0de5692 100644
--- a/rules/cross-platform/impact_hosts_file_modified.toml
+++ b/rules/cross-platform/impact_hosts_file_modified.toml
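Review bot: `"Use case: Guided Onboarding"` in the guided_onboarding_sample_rule tags hunk spells the prefix with a lowercase "case", while every other new tag in this change uses `"Use Case: …"`. Tags are literal strings, so any filter, dashboard or schema check keyed on the `Use Case:` prefix will treat this rule as belonging to a different group. The line should read `tags = ["Use Case: Guided Onboarding", "Data Source: APM", "OS: Windows", "Data Source: Elastic Endgame"]`.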
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -60,7 +60,7 @@ references = ["https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat
 risk_score = 47
 rule_id = "9c260313-c811-4ec8-ab89-8f6530e0246c"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Windows", "macOS", "Threat Detection", "Impact", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: Windows", "OS: macOS", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide"]
 timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
 timeline_title = "Comprehensive File Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
index 70ea4c373..d07b08dd5 100644
--- a/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
+++ b/rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/14"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/08/24"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,13 +29,9 @@ risk_score = 47
 rule_id = "58ac2aa5-6718-427c-a845-5f3ac5af00ba"
 severity = "medium"
 tags = [
- "Elastic",
- "Application",
- "Communication",
- "Zoom",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit",
+ "Data Source: Zoom",
+ "Use Case: Configuration Audit",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
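Review bot: The last entry of the rewritten tags list in initial_access_zoom_meeting_with_no_passcode, `"Tactic: Initial Access"`, drops the trailing comma that the removed lines and the other multi-line tag lists in this change (credential_access_iam_user_addition_to_group, credential_access_new_terms_secretsmanager_getsecretvalue) keep. The same applies to `"Tactic: Credential Access"` in credential_access_aws_iam_assume_role_brute_force. Both are valid TOML, but the inconsistent style means the next tag appended to these lists produces a two-line diff instead of one; write the line as `"Tactic: Initial Access",` (and likewise for the AWS rule).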
diff --git a/rules/cross-platform/multiple_alerts_different_tactics_host.toml b/rules/cross-platform/multiple_alerts_different_tactics_host.toml
index 829b4cc15..67ee0e381 100644
--- a/rules/cross-platform/multiple_alerts_different_tactics_host.toml
+++ b/rules/cross-platform/multiple_alerts_different_tactics_host.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/11/16"
 maturity = "production"
-updated_date = "2023/01/11"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -26,7 +26,7 @@ name = "Multiple Alerts in Different ATT&CK Tactics on a Single Host"
 risk_score = 73
 rule_id = "b946c2f7-df06-4c00-a5aa-1f6fbc7bb72c"
 severity = "high"
-tags = ["Elastic", "Threat Detection", "Higher-Order Rules"]
+tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
 timestamp_override = "event.ingested"
 type = "threshold"
 
diff --git a/rules/cross-platform/multiple_alerts_involving_user.toml b/rules/cross-platform/multiple_alerts_involving_user.toml
index 89281e6ad..a982df44d 100644
--- a/rules/cross-platform/multiple_alerts_involving_user.toml
+++ b/rules/cross-platform/multiple_alerts_involving_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2022/11/16"
 maturity = "production"
-updated_date = "2023/01/11"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -28,7 +28,7 @@ name = "Multiple Alerts Involving a User"
 risk_score = 73
 rule_id = "0d160033-fab7-4e72-85a3-3a9d80c8bff7"
 severity = "high"
-tags = ["Elastic", "Threat Detection", "Higher-Order Rules"]
+tags = ["Use Case: Threat Detection", "Rule Type: Higher-Order Rule"]
 timestamp_override = "event.ingested"
 type = "threshold"
 
diff --git a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
index 6891f66ef..de6f80900 100644
--- a/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
+++ b/rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/24"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "93f47b6f-5728-4004-ba00-625083b3dcb0"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Credential Access", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/cross-platform/persistence_shell_profile_modification.toml b/rules/cross-platform/persistence_shell_profile_modification.toml
index 9a5a16c13..080abf479 100644
--- a/rules/cross-platform/persistence_shell_profile_modification.toml
+++ b/rules/cross-platform/persistence_shell_profile_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = ["https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-
 risk_score = 47
 rule_id = "e6c1a552-7776-44ad-ae0f-8746cc07773c"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Linux", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
index 93f3cfb90..32a8f060f 100644
--- a/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
+++ b/rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/01/27"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "SSH Authorized Keys File Modification"
 risk_score = 47
 rule_id = "2215b8bd-1759-4ffa-8ab8-55c8e6b32e7f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Lateral Movement", "Persistence"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
index 846cf07e4..c4e819338 100644
--- a/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
+++ b/rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Potential Privilege Escalation via Sudoers File Modification"
 risk_score = 73
 rule_id = "76152ca1-71d0-4003-9e37-0983e12832da"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
index 740127d9d..9d95a1ecc 100644
--- a/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
+++ b/rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ name = "Setuid / Setgid Bit Set via chmod"
 risk_score = 21
 rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
index 074142b51..05f12f10b 100644
--- a/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
+++ b/rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 73
 rule_id = "f37f3054-d40b-49ac-aa9b-a786c74c58b8"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"]
 type = "threshold"
 
 query = '''
diff --git a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
index dc9206d56..6caf8f54c 100644
--- a/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
+++ b/rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Sudoers File Modification"
 risk_score = 47
 rule_id = "931e25a5-0f5e-4ae0-ba0d-9e94eff7e3a4"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "macOS", "Threat Detection", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: Linux", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/cross-platform/threat_intel_filebeat8x.toml b/rules/cross-platform/threat_intel_filebeat8x.toml
index f4ed5a4ff..0ab1a1c4e 100644
--- a/rules/cross-platform/threat_intel_filebeat8x.toml
+++ b/rules/cross-platform/threat_intel_filebeat8x.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/11/24"
 maturity = "production"
-updated_date = "2022/11/28"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -49,7 +49,7 @@ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-
 risk_score = 99
 rule_id = "699e9fdb-b77c-4c01-995c-1c15019b9c43"
 severity = "critical"
-tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
 type = "threat_match"
diff --git a/rules/cross-platform/threat_intel_fleet_integrations.toml b/rules/cross-platform/threat_intel_fleet_integrations.toml
index b1fa2e898..be8331f52 100644
--- a/rules/cross-platform/threat_intel_fleet_integrations.toml
+++ b/rules/cross-platform/threat_intel_fleet_integrations.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/04/21"
 maturity = "production"
-updated_date = "2022/11/28"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -49,7 +49,7 @@ references = [ "https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-
 risk_score = 99
 rule_id = "0c9a14d9-d65d-486f-9b5b-91e4e6b22bd0"
 severity = "critical"
-tags = ["Elastic", "Windows", "Elastic Endgame", "Network", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"]
+tags = ["OS: Windows", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timeline_id = "495ad7a7-316e-4544-8a0f-9c098daee76e"
 timeline_title = "Generic Threat Match Timeline"
 type = "threat_match"
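Review bot: The two threat_intel rules (threat_intel_filebeat8x and threat_intel_fleet_integrations) drop `"Network"`, `"Continuous Monitoring"`, `"SecOps"` and `"Monitoring"` with no replacement, so after this change they are the only rules here with neither a `Use Case:` nor a `Rule Type:` tag, while every other rule receives at least one (`"Use Case: Threat Detection"`, `"Rule Type: Higher-Order Rule"`). A filter that selects rules by use case will therefore silently exclude the two `threat_match` rules; a use-case tag matching the scheme used elsewhere in this change would keep them discoverable. Keeping `"OS: Windows"` also looks narrower than an indicator-match rule that runs across whatever index patterns it is configured with, which are not visible in this hunk — worth confirming that the OS tag is still accurate.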
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index 4d7915562..080344a3d 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 21
 rule_id = "594e0cbf-86cc-45aa-9ff7-ff27db27d3ed"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Collection"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
index 39354f0d3..a0013bba4 100644
--- a/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
+++ b/rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
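Review bot: `"Data Source: AWS"` and `"Data Source: Amazon Web Services"` in the collection_cloudtrail_logging_created tags hunk name the same data source twice, carried over one-for-one from the old `"AWS"` / `"Amazon Web Services"` pair; the same duplicate pair appears in credential_access_aws_iam_assume_role_brute_force, credential_access_iam_user_addition_to_group, credential_access_new_terms_secretsmanager_getsecretvalue and credential_access_root_console_failure_brute_force. Since the new scheme is meant to give each dimension one canonical prefix, keeping both spellings means every consumer has to filter on two values for one source. Pick the spelling the tag schema standardises on and drop the other, or, if both are kept deliberately for search compatibility, say so in the PR description so the next reviewer does not raise the same question.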
@@ -71,14 +71,12 @@ risk_score = 47 rule_id = "ea248a02-bc47-4043-8e94-2885b19b2636" severity = "medium" tags = [ - "Elastic", - "Cloud", - "AWS", - "Amazon Web Services", - "Continuous Monitoring", - "SecOps", - "Identity and Access", - "Investigation Guide", + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Resources: Investigation Guide", + "Tactic: Credential Access" ] type = "threshold" diff --git a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml index a5c1a2416..32deee2fc 100644 --- a/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml +++ b/rules/integrations/aws/credential_access_iam_user_addition_to_group.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -69,16 +69,13 @@ risk_score = 21 rule_id = "333de828-8190-4cf5-8d7c-7575846f6fe0" severity = "low" tags = [ - "Elastic", - "Cloud", - "AWS", - "Amazon Web Services", - "Continuous Monitoring", - "SecOps", - "Identity and Access", - "Credential Access", - "Persistence", - "Investigation Guide", + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access", + "Tactic: Persistence", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml index f35bc5553..ccc5f89fe 100644 --- a/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml 
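Review bot: The rewritten `tags` array in the credential_access_aws_iam_assume_role_brute_force.toml hunk at `@@ -71,14 +71,12 @@` ends with `"Tactic: Credential Access"` and no trailing comma, while the removed lines had one and every other multi-line `tags` array this commit rewrites keeps it (the credential_access_iam_user_addition_to_group.toml hunk on this same line, and those in credential_access_new_terms_secretsmanager_getsecretvalue.toml, exfiltration_ec2_snapshot_change_activity.toml and impact_cloudwatch_log_stream_deletion.toml). Make the last element `"Tactic: Credential Access",` so the arrays stay uniform and the next tag addition is a one-line diff instead of touching two lines.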
+++ b/rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.6.0" -updated_date = "2023/04/26" +updated_date = "2023/06/22" [rule] author = ["Nick Jones", "Elastic"] @@ -82,15 +82,11 @@ risk_score = 47 rule_id = "a00681e3-9ed6-447c-ab2c-be648821c622" severity = "medium" tags = [ - "Elastic", - "Cloud", - "AWS", - "Amazon Web Services", - "Continuous Monitoring", - "SecOps", - "Data Protection", - "Credential Access", - "Investigation Guide", + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Tactic: Credential Access", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "new_terms" diff --git a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml index 1d54fd999..9b6bb94e8 100644 --- a/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml +++ b/rules/integrations/aws/credential_access_root_console_failure_brute_force.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ references = ["https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.htm risk_score = 73 rule_id = "4d50a94f-2844-43fa-8395-6afbd5e1c5ef" severity = "high" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Credential Access"] type = "threshold" query = ''' 
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml index 4f9a194e1..008d61b51 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -76,7 +76,7 @@ references = [ risk_score = 47 rule_id = "7024e2a0-315d-4334-bb1a-441c593e16ab" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml index 785ec9f43..552181c21 100644 --- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml +++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -80,7 +80,7 @@ references = [ risk_score = 47 rule_id = "1aa8fa52-44a7-4dae-b058-f3333b91c8d7" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml index 696ba5d72..4e78d4238 100644 --- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml +++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -82,7 +82,7 @@ references = [ risk_score = 47 rule_id = "f772ec8a-e182-483c-91d2-72058f76a44c" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml index 5a9f7ad1c..29d5757d4 100644 --- a/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml +++ b/rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml 
@@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic", "Austin Songer"] @@ -80,7 +80,7 @@ references = [ risk_score = 21 rule_id = "7024e2a0-315d-4334-bb1a-552d604f27bc" severity = "low" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml index 1ed1ad02c..6551ae4ea 100644 --- a/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml +++ b/rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ references = [ risk_score = 73 rule_id = "fbd44836-0d69-4004-a0b4-03c20370c435" severity = "high" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml index 8958fa290..94d833e85 100644 --- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml 
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -79,7 +79,7 @@ references = [ risk_score = 73 rule_id = "9395fd2c-9947-4472-86ef-4aceb2f7e872" severity = "high" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml index bb1d28d8d..a0995f265 100644 --- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml +++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -37,7 +37,7 @@ references = [ risk_score = 47 rule_id = "8623535c-1e17-44e1-aa97-7a0699c3037d" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml index 75799de63..63df8627e 100644 --- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml +++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Austin Songer"] @@ -32,7 +32,7 @@ references = [ risk_score = 21 rule_id = "7b3da11a-60a2-412e-8aa7-011e1eb9ed47" severity = "low" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml index 612028692..6602ce057 100644 --- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml +++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Austin Songer"] 
@@ -30,7 +30,7 @@ references = ["https://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference risk_score = 21 rule_id = "1ba5160d-f5a2-4624-b0ff-6a1dc55d2516" severity = "low" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml similarity index 92% rename from rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml rename to rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml index 727ec27fa..26ddc3cac 100644 --- a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml +++ b/rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Austin Songer"] @@ -31,7 +31,7 @@ references = [ risk_score = 21 rule_id = "979729e7-0c52-4c4c-b71e-88103304a79f" severity = "low" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml index b75055525..ff9618dab 100644 
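Review bot: The rename to `rules/integrations/aws/defense_evasion_escalation_aws_suspicious_saml_activity.toml` keeps `escalation` from the old `privilege_escalation_` prefix, so the new path reads as a half-finished search-and-replace and matches none of the `<tactic>_<description>` prefixes its sibling files use. If Defense Evasion is now the rule's tactic, as the new `"Tactic: Defense Evasion"` tag in the `@@ -31,7 +31,7 @@` hunk says, the path should be `rules/integrations/aws/defense_evasion_aws_suspicious_saml_activity.toml`. It is also worth confirming that the rule's `[[rule.threat]]` mapping, which is outside the hunk, was moved off Privilege Escalation; otherwise the tag, the file name and the MITRE mapping now disagree with one another.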
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml +++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -35,7 +35,7 @@ references = [ risk_score = 73 rule_id = "523116c0-d89d-4d7c-82c2-39e6845a78ef" severity = "high" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml index 89fc6bc06..b43499b90 100644 --- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml +++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -35,7 +35,7 @@ references = [ risk_score = 21 rule_id = "227dc608-e558-43d9-b521-150772250bae" severity = "low" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml index 360eba14b..603dcc022 100644 --- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml +++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ references = [ risk_score = 47 rule_id = "91d04cd4-47a9-4334-ab14-084abe274d49" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml index 92129e66c..bc2241fe4 100644 --- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml +++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -32,7 +32,7 @@ references = [ risk_score = 47 rule_id = "5beaebc1-cc13-4bfc-9949-776f9e0dc318" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml index 823ba46a2..28ae27071 100644 --- a/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml +++ b/rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic", "Austin Songer"] @@ -36,7 +36,7 @@ references = [ risk_score = 47 rule_id = "c1812764-0788-470f-8e74-eb4a14d47573" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Exfiltration", "Tactic: Collection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml index a9a7ad1c5..928f1b162 100644 --- a/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml +++ b/rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml 
@@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -82,15 +82,12 @@ risk_score = 47 rule_id = "98fd7407-0bd5-5817-cda0-3fcc33113a56" severity = "medium" tags = [ - "Elastic", - "Cloud", - "AWS", - "Amazon Web Services", - "Continuous Monitoring", - "SecOps", - "Asset Visibility", - "Exfiltration", - "Investigation Guide", + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Asset Visibility", + "Tactic: Exfiltration", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml index 3523cd588..cc2c30690 100644 --- a/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml +++ b/rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic", "Austin Songer"] @@ -32,7 +32,7 @@ references = ["https://docs.aws.amazon.com/vm-import/latest/userguide/vmexport.h risk_score = 21 rule_id = "e919611d-6b6f-493b-8314-7ed6ac2e413b" severity = "low" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration", "Tactic: Collection"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml index baa9333ff..b35bb5787 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic", "Austin Songer"] @@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Sta risk_score = 21 rule_id = "119c8877-8613-416d-a98a-96b6664ee73a" severity = "low" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Exfiltration"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Exfiltration"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml index 3d26e2dc3..502f53adc 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Austin Songer"] 
@@ -34,7 +34,7 @@ references = [ risk_score = 47 rule_id = "bf1073bf-ce26-4607-b405-ba1ed8e9e204" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Defense Evasion"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml index 4121f1293..1280fe920 100644 --- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml +++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Austin Songer"] @@ -35,7 +35,7 @@ references = [ risk_score = 21 rule_id = "87594192-4539-4bc4-8543-23bc3d5bd2b4" severity = "low" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml index 2eb7537fe..fce9a66a9 100644 --- a/rules/integrations/aws/impact_cloudtrail_logging_updated.toml +++ b/rules/integrations/aws/impact_cloudtrail_logging_updated.toml 
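Review bot: exfiltration_rds_snapshot_restored.toml now carries `"Tactic: Defense Evasion"` as its only tactic tag in the `@@ -34,7 +34,7 @@` hunk, while its path still begins with `exfiltration_`; since this same commit renames the SAML rule so its file name follows its tactic, the consistent treatment here is `defense_evasion_rds_snapshot_restored.toml`. If the rule's threat mapping (outside the hunk) does also cover Exfiltration, the alternative is to add `"Tactic: Exfiltration"` next to the existing tag so the structured tags reflect every mapped tactic, as the two-tactic arrays elsewhere in this commit do.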
@@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -76,7 +76,7 @@ references = [ risk_score = 21 rule_id = "3e002465-876f-4f04-b016-84ef48ce7e5d" severity = "low" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml index 4fe13fb99..bb2e94eed 100644 --- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -81,7 +81,7 @@ references = [ risk_score = 47 rule_id = "68a7a5a5-a2fc-4a76-ba9f-26849de881b4" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Resources: Investigation Guide", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml index 9d9a3a417..bb5149224 100644 
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml +++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -82,15 +82,12 @@ risk_score = 47 rule_id = "d624f0ae-3dd1-4856-9aad-ccfe4d4bfa17" severity = "medium" tags = [ - "Elastic", - "Cloud", - "AWS", - "Amazon Web Services", - "Continuous Monitoring", - "SecOps", - "Log Auditing", - "Impact", - "Investigation Guide", + "Domain: Cloud", + "Data Source: AWS", + "Data Source: Amazon Web Services", + "Use Case: Log Auditing", + "Tactic: Impact", + "Resources: Investigation Guide", ] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml index 68a785158..1236984cc 100644 --- a/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml +++ b/rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -36,7 +36,7 @@ references = [ risk_score = 47 rule_id = "bb9b13b2-1700-48a8-a750-b43b0a72ab69" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Data Protection"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml index 5e6baee07..2bb04050d 100644 --- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml +++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Austin Songer"] @@ -36,7 +36,7 @@ references = [ risk_score = 47 rule_id = "536997f7-ae73-447d-a12d-bff1e8f5f0a0" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Data Protection"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml index e4bf5b5e6..1f38decb2 100644 --- a/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml +++ b/rules/integrations/aws/impact_iam_deactivate_mfa_device.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic", "Austin Songer"] 
@@ -75,7 +75,7 @@ references = [ risk_score = 47 rule_id = "d8fc1cca-93ed-43c1-bbb6-c0dd3eff2958" severity = "medium" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring", "Investigation Guide"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Resources: Investigation Guide", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml index 865787b8d..32c36862d 100644 --- a/rules/integrations/aws/impact_iam_group_deletion.toml +++ b/rules/integrations/aws/impact_iam_group_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -35,7 +35,7 @@ references = [ risk_score = 21 rule_id = "867616ec-41e5-4edc-ada2-ab13ab45de8a" severity = "low" -tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"] +tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml index 9cd696284..04a0ce323 100644 --- a/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml +++ b/rules/integrations/aws/impact_kms_cmk_disabled_or_scheduled_for_deletion.toml @@ -4,7 +4,7 @@ integration = ["aws"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Xavier Pich"] 
@@ -37,7 +37,7 @@ references = [
 risk_score = 47
 rule_id = "6951f15e-533c-4a60-8014-a3c3ab851a1b"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Log Auditing", "Impact"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Log Auditing", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index 72f9a8974..eb4a0c013 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -30,7 +30,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Del
 risk_score = 21
 rule_id = "863cdf31-7fd3-41cf-a185-681237ea277b"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
index ce42e046c..d4ef16cde 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ references = [
 risk_score = 47
 rule_id = "9055ece6-2689-4224-a0e0-b04881e1f8ad"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
index 18a126a3a..cf2a46a33 100644
--- a/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
+++ b/rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "ecf2b32c-e221-4bd4-aa3b-c7d59b3bc01d"
 severity = "medium"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_console_login_root.toml b/rules/integrations/aws/initial_access_console_login_root.toml
index a3502f0a9..4ffe7f51e 100644
--- a/rules/integrations/aws/initial_access_console_login_root.toml
+++ b/rules/integrations/aws/initial_access_console_login_root.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -66,14 +66,12 @@ risk_score = 47
 rule_id = "e2a67480-3b79-403d-96e3-fdd2992c50ef"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "AWS",
- "Amazon Web Services",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_password_recovery.toml b/rules/integrations/aws/initial_access_password_recovery.toml
index 7d34b63ec..167e309f5 100644
--- a/rules/integrations/aws/initial_access_password_recovery.toml
+++ b/rules/integrations/aws/initial_access_password_recovery.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = ["https://www.cadosecurity.com/an-ongoing-aws-phishing-campaign/"]
 risk_score = 21
 rule_id = "69c420e8-6c9e-4d28-86c0-8a2be2d1e78c"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/initial_access_via_system_manager.toml b/rules/integrations/aws/initial_access_via_system_manager.toml
index 03b6d4403..d54ecc791 100644
--- a/rules/integrations/aws/initial_access_via_system_manager.toml
+++ b/rules/integrations/aws/initial_access_via_system_manager.toml
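Review bot: The rewritten multi-line `tags` array in `initial_access_console_login_root.toml` ends with `"Tactic: Initial Access"` and no trailing comma, whereas the equivalent rewrite in the `initial_access_via_system_manager.toml` hunk keeps one (`"Resources: Investigation Guide",`) and also places the `Tactic:` entry before `Resources:`. Both spellings are valid TOML, but the converted arrays should follow one convention — trailing comma on every element and the tactic tag in a fixed position — so the next taxonomy pass produces minimal diffs and a formatter or lint check can enforce it. The same trailing-comma drop recurs in the `privilege_escalation_root_login_without_mfa.toml` and `privilege_escalation_updateassumerolepolicy.toml` hunks later in this diff.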
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -80,15 +80,12 @@ risk_score = 21
 rule_id = "37b211e8-4e2f-440f-86d8-06cc8f158cfa"
 severity = "low"
 tags = [
- "Elastic",
- "Cloud",
- "AWS",
- "Amazon Web Services",
- "Continuous Monitoring",
- "SecOps",
- "Log Auditing",
- "Initial Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Log Auditing",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index b961c26f5..98b5bd2cd 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 integration = ["aws"]
 [rule]
@@ -87,6 +87,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "78d3d8d9-b476-451d-a9e0-7a5addd70670"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
index 1f7539dae..e9cf7f940 100644
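Review bot: The `ml_cloudtrail_error_message_spike.toml` hunk keeps two rule-type tags, `"Rule Type: ML"` and `"Rule Type: Machine Learning"`, carried over one-for-one from the old `"ML", "Machine Learning"` pair; under a namespaced taxonomy these name the same thing, and two spellings of one value defeat the purpose of the `Rule Type:` prefix. If the taxonomy declares a single canonical rule-type value, keep only that one here and in the four `ml_cloudtrail_*` hunks that follow; if both are intentionally retained for backward compatibility with saved filters, that is worth a line in the commit message.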
--- a/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 integration = ["aws"]
 [rule]
@@ -89,6 +89,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "19de8096-e2b0-4bd8-80c9-34a820813fff"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
index 11d9834e8..b48411c34 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 integration = ["aws"]
 [rule]
@@ -91,6 +91,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "809b70d3-e2c3-455e-af1b-2626a5a1a276"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index 97d493262..47d143110 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 integration = ["aws"]
 [rule]
@@ -91,6 +91,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "dca28dee-c999-400f-b640-50a081cc0fd1"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
index 49b689edb..97cc7c73e 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/13"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 integration = ["aws"]
 [rule]
@@ -89,6 +89,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "ac706eae-d5ec-4b14-b4fd-e8ba8086f0e1"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "ML", "Machine Learning", "Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Rule Type: ML", "Rule Type: Machine Learning", "Resources: Investigation Guide"]
 type = "machine_learning"
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index f03da940e..c88b09e02 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ references = [
 risk_score = 21
 rule_id = "39144f38-5284-4f8e-a2ae-e3fd628d90b0"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index 871a40b6c..0b93db1a5 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -33,7 +33,7 @@ references = ["https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ec2-securi
 risk_score = 21
 rule_id = "29052c19-ff3e-42fd-8363-7be14d7c5469"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index 421cb95a8..9be4b0e8e 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 21
 rule_id = "169f3a93-efc7-4df2-94d6-0d9438c310d1"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index f84982cfc..1477799cd 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -37,7 +37,7 @@ references = [
 risk_score = 21
 rule_id = "e14c5fd7-fdd7-49c2-9e5b-ec49d817bc8d"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 2b0fa332b..84363d703 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "378f9024-8a0c-46a5-aa08-ce147ac73a4e"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index 38711ae15..2b06cc806 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_Cre
 risk_score = 21
 rule_id = "f30f3443-4fbb-4c27-ab89-c3ad49d62315"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_redshift_instance_creation.toml b/rules/integrations/aws/persistence_redshift_instance_creation.toml
index 6472b13ba..77e34b3a2 100644
--- a/rules/integrations/aws/persistence_redshift_instance_creation.toml
+++ b/rules/integrations/aws/persistence_redshift_instance_creation.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = ["https://docs.aws.amazon.com/redshift/latest/APIReference/API_Crea
 risk_score = 21
 rule_id = "015cca13-8832-49ac-a01b-a396114809f6"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility", "Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
index 39c6b9a4d..2af669a16 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 21
 rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
index 0d5f86107..428c05327 100644
--- a/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
+++ b/rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -30,7 +30,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Opera
 risk_score = 21
 rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
index cb3e3f744..4b7c2c295 100644
--- a/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
+++ b/rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -29,7 +29,7 @@ references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Assoc
 risk_score = 21
 rule_id = "e3c27562-709a-42bd-82f2-3ed926cced19"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Asset Visibility", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index 26880ac20..2009f4a47 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 21
 rule_id = "e12c0318-99b1-44f2-830c-3a38a43207ca"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index e67a42e09..c431b3707 100644
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -38,7 +38,7 @@ references = [
 risk_score = 21
 rule_id = "e7cd5982-17c8-4959-874c-633acde7d426"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Network Security", "Persistence"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Network Security Monitoring", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
index 133b5ac46..ff82788f4 100644
--- a/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
+++ b/rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -71,14 +71,12 @@ risk_score = 73
 rule_id = "bc0c6f0d-dab0-47a3-b135-0925f0a333bc"
 severity = "high"
 tags = [
- "Elastic",
- "Cloud",
- "AWS",
- "Amazon Web Services",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Privilege Escalation"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index 2480e87e4..f8f83f9fb 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -24,7 +24,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRol
 risk_score = 21
 rule_id = "93075852-b0f5-4b8b-89c3-a226efae5726"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
index fa084f6d0..5739a3aae 100644
--- a/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -30,7 +30,7 @@ references = ["https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessio
 risk_score = 21
 rule_id = "b45ab1d2-712f-4f01-a751-df3826969807"
 severity = "low"
-tags = ["Elastic", "Cloud", "AWS", "Amazon Web Services", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: AWS", "Data Source: Amazon Web Services", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
index 8462e903f..e3c6d08ae 100644
--- a/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
+++ b/rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
@@ -4,7 +4,7 @@ integration = ["aws"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -72,14 +72,12 @@ risk_score = 21
 rule_id = "a60326d7-dca7-4fb7-93eb-1ca03a1febbd"
 severity = "low"
 tags = [
- "Elastic",
- "Cloud",
- "AWS",
- "Amazon Web Services",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: AWS",
+ "Data Source: Amazon Web Services",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Privilege Escalation"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
index 75a62dbb0..e6087f04f 100644
--- a/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/integrations/azure/collection_update_event_hub_auth_rule.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-acces
 risk_score = 47
 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Collection"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
index bc417b96d..d23828226 100644
--- a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
+++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -33,7 +33,7 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
 risk_score = 47
 rule_id = "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/credential_access_key_vault_modified.toml b/rules/integrations/azure/credential_access_key_vault_modified.toml
index ecbd1d138..60f60148c 100644
--- a/rules/integrations/azure/credential_access_key_vault_modified.toml
+++ b/rules/integrations/azure/credential_access_key_vault_modified.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ references = [
 risk_score = 47
 rule_id = "792dd7a6-7e00-4a0a-8a9a-a7c24720b5ec"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Data Protection"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
index e863856d3..4373e0661 100644
--- a/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 21
 rule_id = "1e0b832e-957e-43ae-b319-db82d228c908"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
index 93deee3e5..54c17bac9 100644
--- a/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
+++ b/rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ references = [
 risk_score = 47
 rule_id = "1a36cace-11a7-43a8-9a10-b497c5a02cd3"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
index e15492d2e..48d4d5cdd 100644
--- a/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 21
 rule_id = "8ddab73b-3d15-4e5d-9413-47f05553c1d7"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
index ca0aece00..2811fd302 100644
--- a/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
+++ b/rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -30,7 +30,7 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
 risk_score = 47
 rule_id = "d79c4b2a-6134-4edd-86e6-564a92a933f9"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index dfefee018..47626334d 100644
--- a/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = ["https://docs.microsoft.com/en-us/azure/azure-monitor/platform/dia
 risk_score = 47
 rule_id = "5370d4cd-2bb3-4d71-abf5-1e1d0ff5a2de"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
index 667bb3548..230a3c55e 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -77,13 +77,11 @@ risk_score = 21
 rule_id = "60b6b72f-0fbc-47e7-9895-9ba7627a8b50"
 severity = "low"
 tags = [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Defense Evasion"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index 142e1ff2b..a12e6f744 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "e0f36de1-0342-453d-95a9-a068b257b053"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index bb9fafdd9..438edb64f 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://docs.microsoft.com/en-us/azure/firewall-manager/policy-ov
 risk_score = 21
 rule_id = "e02bd3ea-72c6-4181-ac2b-0f83d17ad969"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
index aef515c47..4569cd69a 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 21
 rule_id = "09d028a5-dcde-409f-8ae0-557cef1b7082"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index 3d103759a..1d762fb49 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "8b64d36a-1307-4b2e-a77b-a0027e4d27c8"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index 1f58ca3e1..1e460c72f 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = ["https://docs.microsoft.com/en-us/azure/network-watcher/network-wa
 risk_score = 47
 rule_id = "323cb487-279d-4218-bcbd-a568efe930c6"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
index 13a18a2c3..d3ce5bbd3 100644
--- a/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
+++ b/rules/integrations/azure/defense_evasion_suppression_rule_created.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 21
 rule_id = "f0bc081a-2346-4744-a6a4-81514817e888"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/discovery_blob_container_access_mod.toml b/rules/integrations/azure/discovery_blob_container_access_mod.toml
index 4a7ea87e8..d0643bd18 100644
--- a/rules/integrations/azure/discovery_blob_container_access_mod.toml
+++ b/rules/integrations/azure/discovery_blob_container_access_mod.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://docs.microsoft.com/en-us/azure/storage/blobs/anonymous-re
 risk_score = 21
 rule_id = "2636aa6c-88b5-4337-9c31-8d0192a8ef45"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Asset Visibility", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/execution_command_virtual_machine.toml b/rules/integrations/azure/execution_command_virtual_machine.toml
index 2d75923fb..c23a07b5e 100644
--- a/rules/integrations/azure/execution_command_virtual_machine.toml
+++ b/rules/integrations/azure/execution_command_virtual_machine.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ references = [
 risk_score = 47
 rule_id = "60884af6-f553-4a6c-af13-300047455491"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Execution"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
index 992715b4d..beb326d83 100644
--- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
+++ b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -34,7 +34,7 @@ references = ["https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pd
 risk_score = 47
 rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index 7db31d20f..6fb47608b 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "83a1931d-8136-46fc-b7b9-2db4f639e014"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Asset Visibility"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Asset Visibility", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/impact_resource_group_deletion.toml b/rules/integrations/azure/impact_resource_group_deletion.toml
index bc4ef9f63..e84b27820 100644
--- a/rules/integrations/azure/impact_resource_group_deletion.toml
+++ b/rules/integrations/azure/impact_resource_group_deletion.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml
index 294e12873..b8dfb12a9 100644
--- a/rules/integrations/azure/impact_virtual_network_device_modified.toml
+++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -32,7 +32,7 @@ references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/
 risk_score = 21
 rule_id = "573f6e7a-7acf-4bcd-ad42-c4969124d3c0"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Network Security", "Impact"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Network Security Monitoring", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
index 9bb9c0fcf..7a19dec88 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic", "Willem D'Haese"]
@@ -75,13 +75,11 @@ risk_score = 73
 rule_id = "37994bca-0611-4500-ab67-5588afe73b77"
 severity = "high"
 tags = [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
index 03a67b2b7..18bec5776 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -70,13 +70,11 @@ risk_score = 47
 rule_id = "26edba02-6979-4bce-920a-70b080a7be81"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
index 0313ade90..759a39fb3 100644
--- a/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
+++ b/rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -74,13 +74,11 @@ risk_score = 21
 rule_id = "a605c51a-73ad-406d-bf3a-f24cc41d5c97"
 severity = "low"
 tags = [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
index 15ae654d3..5ca7e3139 100644
--- a/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
+++ b/rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
@@ -4,7 +4,7 @@ integration = ["azure", "o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/01"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -75,14 +75,12 @@ risk_score = 47
 rule_id = "1c6a8c7a-5cb6-4a82-ba27-d5a5b8a40a38"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "Microsoft 365",
- "SecOps",
- "Identity and Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Microsoft 365",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Initial Access"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/initial_access_external_guest_user_invite.toml b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
index 944e6112a..bd4236456 100644
--- a/rules/integrations/azure/initial_access_external_guest_user_invite.toml
+++ b/rules/integrations/azure/initial_access_external_guest_user_invite.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/
 risk_score = 21
 rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/persistence_azure_automation_account_created.toml b/rules/integrations/azure/persistence_azure_automation_account_created.toml
index 9a5811e0c..c8018b94f 100644
--- a/rules/integrations/azure/persistence_azure_automation_account_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_account_created.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 21
 rule_id = "df26fd74-1baa-4479-b42e-48da84642330"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
index 6d5246515..9b4723dc0 100644
--- a/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 21
 rule_id = "16280f1e-57e6-4242-aa21-bb4d16f13b2f"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
index e7d727c31..d0d03fc2d 100644
--- a/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/integrations/azure/persistence_azure_automation_webhook_created.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 21
 rule_id = "e9ff9c1c-fe36-4d0d-b3fd-9e0bf4853a62"
 severity = "low"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
index 8bd532060..a679e83b9 100644
--- a/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
+++ b/rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.microsoft.com/en-us/azure/active-directory/condition
 risk_score = 47
 rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
index d8e290291..aed4975d3 100644
--- a/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+++ b/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
index 0a5fe2581..913b40985 100644
--- a/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
+++ b/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 73
 rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8"
 severity = "high"
-tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
index 81d97d101..6e2bcb3b6 100644
--- a/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
+++ b/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -71,13 +71,11 @@ risk_score = 47
 rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Persistence"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
index 23b071d52..73504c667 100644
--- a/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
+++ b/rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -65,13 +65,11 @@ risk_score = 47
 rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Azure",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Use Case: Identity and Access Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Persistence"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
index 8d5a6f01a..976609b89 100644
--- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
+++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ The Azure Fleet integration, Filebeat module, or similarly structured data is re risk_score = 21 rule_id = "774f5e28-7b75-4a58-b94e-41bf060fdd86" severity = "low" -tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"] +tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml index 1af76d4d1..83a6a7834 100644 --- a/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml +++ b/rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml @@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = [ risk_score = 21 rule_id = "38e5acdd-5f20-4d99-8fe4-f0a1a592077f" severity = "low" -tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Configuration Audit"] +tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Configuration Audit", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml index e75b4cabc..09f19c7c6 100644 --- a/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml +++ b/rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml 
@@ -4,7 +4,7 @@ integration = ["azure"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2022/12/14" +updated_date = "2023/06/22" [rule] author = ["Austin Songer"] @@ -29,7 +29,7 @@ references = [ risk_score = 21 rule_id = "1c966416-60c1-436b-bfd0-e002fddbfd89" severity = "low" -tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"] +tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml index 5dfb9226c..4f6840a97 100644 --- a/rules/integrations/cloud_defend/container_workload_protection.toml +++ b/rules/integrations/cloud_defend/container_workload_protection.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Initial version of the Container Workload Protection alerts" min_stack_version = "8.8.0" -updated_date = "2023/04/27" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ risk_score = 47 rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512" rule_name_override = "message" severity = "medium" -tags = ["Elastic", "Container Workload Protection", "Kubernetes"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml index aac8de27e..77b0d8b6a 100644 --- a/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml 
+++ b/rules/integrations/cloud_defend/credential_access_collection_sensitive_files_compression_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "New Integration: Cloud Defend" min_stack_version = "8.8.0" -updated_date = "2023/05/12" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ name = "Sensitive Files Compression Inside A Container" risk_score = 47 rule_id = "475b42f0-61fb-4ef0-8a85-597458bfb0a1" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Container", "Threat Detection", "Collection", "Credential Access"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml index 6b703f0f6..d1b2210cb 100644 --- a/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml +++ b/rules/integrations/cloud_defend/credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "New Integration: Cloud Defend" min_stack_version = "8.8.0" -updated_date = "2023/05/16" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -15,7 +15,7 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "Sensitive Keys Or Passwords Searched For Inside A Container" -tags = ["Elastic", "Host", "Linux", "Container", "Threat Detection", "Credential Access"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"] references = [ "https://sysdig.com/blog/cve-2021-25741-kubelet-falco/", ] diff --git a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml index c1bc020ad..cae35970e 100644 --- a/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/discovery_suspicious_network_tool_launched_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "New Integration: Cloud Defend" min_stack_version = "8.8.0" -updated_date = "2023/05/08" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "Suspicious Network Tool Launched Inside A Container" -tags = [ "Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Command and Control", "Reconnaissance", "Container"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Command and Control", "Tactic: Reconnaissance"] risk_score = 47 rule_id = "1a289854-5b78-49fe-9440-8a8096b1ab50" severity = "medium" diff --git a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml index 4f3ea15c6..50f1e3610 100644 
--- a/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_container_management_binary_launched_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "New Integration: Cloud Defend" min_stack_version = "8.8.0" -updated_date = "2023/05/05" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ name = "Container Management Utility Run Inside A Container" risk_score = 21 rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50" severity = "low" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Container"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml index ae9595e42..6a8e4acd1 100644 --- a/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_file_made_executable_via_chmod_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "New Integration: Cloud Defend" min_stack_version = "8.8.0" -updated_date = "2023/05/12" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -18,7 +18,7 @@ name = "File Made Executable via Chmod Inside A Container" risk_score = 47 rule_id = "ec604672-bed9-43e1-8871-cf591c052550" severity = "medium" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Defense Evasion", "Container"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml index 612f168ac..78e59f5f2 100644 --- a/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_exec_to_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "New Integration: Cloud Defend" min_stack_version = "8.8.0" -updated_date = "2023/05/16" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -37,7 +37,7 @@ references = [ risk_score = 73 rule_id = "420e5bb4-93bf-40a3-8f4a-4cc1af90eca1" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Container"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml index 6719cafe5..12ba616f3 100644 --- a/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_interactive_shell_spawned_from_inside_a_container.toml 
@@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "New Integration: Cloud Defend" min_stack_version = "8.8.0" -updated_date = "2023/05/16" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ interval = "5m" language = "eql" license = "Elastic License v2" name = "Suspicious Interactive Shell Spawned From Inside A Container" -tags = ["Elastic", "Host", "Linux", "Container", "Threat Detection", "Execution"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] risk_score = 73 rule_id = "8d3d0794-c776-476b-8674-ee2e685f6470" severity = "high" diff --git a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml index 822a6c360..3557818cd 100644 --- a/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/execution_netcat_listener_established_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "New Integration: Cloud Defend" min_stack_version = "8.8.0" -updated_date = "2023/05/16" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ name = "Netcat Listener Established Inside A Container" risk_score = 73 rule_id = "a52a9439-d52c-401c-be37-2785235c6547" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Container"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml index ead2f3420..09e02b6b1 100644 --- a/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml +++ b/rules/integrations/cloud_defend/initial_access_ssh_connection_established_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "New Integration: Cloud Defend" min_stack_version = "8.8.0" -updated_date = "2023/05/16" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ references = [ risk_score = 73 rule_id = "f5488ac1-099e-4008-a6cb-fb638a0f0828" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access", "Lateral Movement", "Container"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml index 6678a1547..3b63f7787 100644 --- a/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml +++ b/rules/integrations/cloud_defend/lateral_movement_ssh_process_launched_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "New Integration: Cloud Defend" min_stack_version = "8.8.0" -updated_date = "2023/05/12" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -31,7 +31,7 @@ references = [ risk_score = 73 rule_id = "03a514d9-500e-443e-b6a9-72718c548f6c" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement", "Persistence", "Container"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml index 8419abe08..9e40863fb 100644 --- a/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml +++ b/rules/integrations/cloud_defend/persistence_ssh_authorized_keys_modification_inside_a_container.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "New Integration: Cloud Defend" min_stack_version = "8.8.0" -updated_date = "2023/05/16" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ name = "SSH Authorized Keys File Modified Inside a Container" risk_score = 73 rule_id = "f7769104-e8f9-4931-94a2-68fc04eadec3" severity = "high" -tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lateral Movement", "Container"] +tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Lateral Movement"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml index dc41dc672..59d455b44 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml 
+++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml @@ -4,7 +4,7 @@ integration = ["cyberarkpas"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -35,7 +35,7 @@ risk_score = 73 rule_id = "3f0e5410-a4bf-4e8c-bcfc-79d67a285c54" rule_name_override = "event.action" severity = "high" -tags = ["Elastic", "cyberarkpas", "SecOps", "Log Auditing", "Threat Detection", "Privilege Escalation"] +tags = ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml index 355db6016..9c63474aa 100644 --- a/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml +++ b/rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml @@ -4,7 +4,7 @@ integration = ["cyberarkpas"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -35,7 +35,7 @@ risk_score = 73 rule_id = "c5f81243-56e0-47f9-b5bb-55a5ed89ba57" rule_name_override = "event.action" severity = "high" -tags = ["Elastic", "cyberarkpas", "SecOps", "Log Auditing", "Threat Detection", "Privilege Escalation"] +tags = ["Data Source: CyberArk PAS", "Use Case: Log Auditing", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
index bc655fad2..750c639c3 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/31"
+updated_date = "2023/06/22"
 promotion = true
 
 [rule]
@@ -24,7 +24,7 @@ risk_score = 47
 rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
 rule_name_override = "message"
 severity = "medium"
-tags = ["Elastic", "Endpoint Security"]
+tags = ["Data Source: Elastic Defend"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index d5e08a00d..afc316a77 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"]
 risk_score = 21
 rule_id = "d62b64a8-a7c9-43e5-aee3-15a725a794e7"
 severity = "low"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"]
 timestamp_override = "event.ingested"
 type = "query"
 
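Review bot: The new tags line in collection_gcp_pub_sub_subscription_creation.toml carries the same source under two labels, `"Data Source: GCP"` and `"Data Source: Google Cloud Platform"`, whereas the Azure hunks above collapse to a single `"Data Source: Azure"`; the old `"GCP"` / `"Google Cloud Platform"` pair looks like it was mapped one-to-one instead of being de-duplicated. Every gcp hunk that follows on this page (pub_sub_topic_creation, the firewall, logging, pub_sub deletion, storage bucket, VPC, logging sink and IAM role rules) repeats the pair. Keeping one of the two, e.g. `"Data Source: GCP"`, would give users a single facet to filter on.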
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml index 690b6a5be..de979e300 100644 --- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml +++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/admin"] risk_score = 21 rule_id = "a10d3d9d-0f65-48f1-8b25-af175e2594f5" severity = "low" -tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Collection"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml index 51e0d3d15..f19f55da1 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -34,7 +34,7 @@ references = [ risk_score = 21 rule_id = "30562697-9859-4ae0-a8c5-dab45d664170" severity = "low" -tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit"] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml index 0f01d0eb1..68d787f49 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -33,7 +33,7 @@ references = [ risk_score = 47 rule_id = "ff9b571e-61d6-4f6c-9561-eb4cca3bafe1" severity = "medium" -tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit"] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml index 777cd30be..3f219874a 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml 
@@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -34,7 +34,7 @@ references = [ risk_score = 47 rule_id = "2783d84f-5091-4d7d-9319-9fceda8fa71b" severity = "medium" -tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit"] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml index 76c51c88f..5e66bedff 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -33,7 +33,7 @@ references = ["https://cloud.google.com/logging/docs/buckets", "https://cloud.go risk_score = 47 rule_id = "5663b693-0dea-4f2e-8275-f1ae5ff2de8e" severity = "medium" -tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml index 6b1d74dec..cb5235891 100644 
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ references = ["https://cloud.google.com/logging/docs/export"] risk_score = 47 rule_id = "51859fa0-d86b-4214-bf48-ebb30ed91305" severity = "medium" -tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml index 36aa29ced..03c2b9b4a 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"] risk_score = 21 rule_id = "cc89312d-6f47-48e4-a87c-4977bd4633c3" severity = "low" -tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml index e7219ed62..df8980906 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ references = ["https://cloud.google.com/pubsub/docs/overview"] risk_score = 21 rule_id = "3202e172-01b1-4738-a932-d024c514ba72" severity = "low" -tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml index d9c3e6468..b1f8119e7 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -29,7 +29,7 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"] risk_score = 47 rule_id = "97359fd8-757d-4b1d-9af1-ef29e4a8680e" severity = "medium" -tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access", "Defense Evasion"] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml index 4a6ee10ff..93d434aa0 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ references = ["https://cloud.google.com/storage/docs/access-control/iam-permissi risk_score = 47 rule_id = "2326d1b2-9acf-4dee-bd21-867ea7378b4d" severity = "medium" -tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml index 93f8014b6..9d7467ce9 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml 
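Review bot: defense_evasion_gcp_storage_bucket_configuration_modified.toml is tagged `"Use Case: Identity and Access Audit"` while the other configuration-change rules on this page (firewall rule created/deleted/modified, VPC network and route changes) map to `"Use Case: Configuration Audit"`. The old tag here was `"Identity and Access"`, so the mapping may be deliberate, but a bucket configuration change reads as a configuration audit event and the bucket permissions rule in the next hunk already covers the IAM angle. If the new value was derived mechanically from the old one, `"Use Case: Configuration Audit"` would keep the GCP set consistent.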
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -31,7 +31,7 @@ references = ["https://cloud.google.com/vpc/docs/vpc"] risk_score = 47 rule_id = "c58c3081-2e1d-4497-8491-e73a45d1a6d6" severity = "medium" -tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"] +tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml index 4e941a02a..d8ab78834 100644 --- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml +++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml @@ -4,7 +4,7 @@ integration = ["gcp"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -31,7 +31,7 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 21
 rule_id = "9180ffdf-f3d0-4db3-bf66-7a14bcff71b8"
 severity = "low"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
index 2f4e070e9..9084f33dc 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://cloud.google.com/vpc/docs/routes", "https://cloud.google.
 risk_score = 47
 rule_id = "a17bcc91-297b-459b-b5ce-bc7460d8f82a"
 severity = "medium"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Configuration Audit", "Defense Evasion"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
index 3763a2fca..28408b639 100644
--- a/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
+++ b/rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://cloud.google.com/logging/docs/export#how_sinks_work"]
 risk_score = 21
 rule_id = "184dfe52-2999-42d9-b9d1-d1ca54495a61"
 severity = "low"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Log Auditing"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Log Auditing", "Tactic: Exfiltration"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index 37960c9b4..4bd608d68 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://cloud.google.com/iam/docs/understanding-roles"]
 risk_score = 21
 rule_id = "e2fb5b18-e33c-4270-851e-c3d675c9afcd"
 severity = "low"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
index e41433217..15b278eef 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_deleted.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "8fb75dda-c47a-4e34-8ecd-34facf7aad13"
 severity = "medium"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
index c0ae8ac8e..5f4640b98 100644
--- a/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
+++ b/rules/integrations/gcp/impact_gcp_service_account_disabled.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 47
 rule_id = "bca7d28e-4a48-47b1-adb7-5074310e9a61"
 severity = "medium"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index 4a2a02aca..b4c74cf81 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = ["https://cloud.google.com/storage/docs/key-terms#buckets"]
 risk_score = 47
 rule_id = "bc0f2d83-32b8-4ae2-b0e6-6a45772e9331"
 severity = "medium"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index f2cf4cf04..a412746fc 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
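Review bot: The rewritten tag list for impact_gcp_storage_bucket_deleted is the only GCP rule in this diff left without a `Use Case:` tag — the old `"Monitoring"` entry is dropped with no replacement, while every sibling rule in these hunks keeps a `"Use Case: Configuration Audit"` or `"Use Case: Identity and Access Audit"` tag. If the taxonomy maps the old tag to a use case, add it here, e.g. `+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Configuration Audit", "Tactic: Impact"]`; if dropping it is deliberate, say so in the commit message so nobody re-adds it. As written, anyone filtering the rule catalog by use case will not find this rule, which is presumably not intended.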
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://cloud.google.com/iam/docs/understanding-custom-roles"]
 risk_score = 47
 rule_id = "aa8007f0-d1df-49ef-8520-407857594827"
 severity = "medium"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index 3a184dfc9..894d12936 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 21
 rule_id = "9890ee61-d061-403d-9bf6-64934c51f638"
 severity = "low"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
index 9fe1615e0..8ee735064 100644
--- a/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
+++ b/rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ references = [
 risk_score = 21
 rule_id = "0e5acaae-6a64-4bbc-adb8-27649c03f7e1"
 severity = "low"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/gcp/persistence_gcp_service_account_created.toml b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
index 42b77d64f..4207b15ff 100644
--- a/rules/integrations/gcp/persistence_gcp_service_account_created.toml
+++ b/rules/integrations/gcp/persistence_gcp_service_account_created.toml
@@ -4,7 +4,7 @@ integration = ["gcp"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = ["https://cloud.google.com/iam/docs/service-accounts"]
 risk_score = 21
 rule_id = "7ceb2216-47dd-4e64-9433-cddc99727623"
 severity = "low"
-tags = ["Elastic", "Cloud", "GCP", "Google Cloud Platform", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: GCP", "Data Source: Google Cloud Platform", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
index 93155766d..87875196e 100644
--- a/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
+++ b/rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ references = ["https://support.google.com/a/answer/1247799?hl=en"]
 risk_score = 47
 rule_id = "07b5f85a-240f-11ed-b3d9-f661ea17fbce"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Collection", "Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
index 73fd2d979..0cfba8bdd 100644
--- a/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
+++ b/rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ references = ["https://support.google.com/a/answer/2685650?hl=en"]
 risk_score = 47
 rule_id = "9510add4-3392-11ed-bd01-f661ea17fbce"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Collection", "Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Collection", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
index 85ecf10fc..32f0a1a92 100644
--- a/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
+++ b/rules/integrations/google_workspace/credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/03/21"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -43,13 +43,10 @@ risk_score = 73
 rule_id = "980b70a0-c820-11ed-8799-f661ea17fbcc"
 severity = "high"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit",
- "Credential Access",
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Configuration Audit",
+ "Tactic: Credential Access",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
index 25c33c306..98380cea7 100644
--- a/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
+++ b/rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -86,14 +86,11 @@ risk_score = 47
 rule_id = "495e5f2e-2480-11ed-bea8-f661ea17fbce"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit",
- "Impair Defenses",
- "Investigation Guide"
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Configuration Audit",
+ "Resources: Investigation Guide",
+ "Tactic: Defense Evasion"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
index ac115e5e4..f97647f94 100644
--- a/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
+++ b/rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -81,14 +81,11 @@ risk_score = 73
 rule_id = "cf549724-c577-4fd6-8f9b-d1b8ec519ec0"
 severity = "high"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit",
- "Defense Evasion",
- "Investigation Guide"
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
index 327a5107e..073d40ed6 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -81,14 +81,11 @@ risk_score = 47
 rule_id = "7caa8e60-2df0-11ed-b814-f661ea17fbce"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit",
- "Defense Evasion",
- "Investigation Guide"
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
index eb072420f..703af0aef 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ references = [
 risk_score = 47
 rule_id = "21bafdf0-cf17-11ed-bd57-f661ea17fbcc"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Defense Evasion", "Initial Access"]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Defense Evasion", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "new_terms"

diff --git a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
index c2744c472..5e34dce62 100644
--- a/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
+++ b/rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -90,14 +90,11 @@ risk_score = 47
 rule_id = "a2795334-2499-11ed-9e1a-f661ea17fbce"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit",
- "Defense Evasion",
- "Investigation Guide"
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Configuration Audit",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
index d251f0261..d369794ed 100644
--- a/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
+++ b/rules/integrations/google_workspace/google_workspace_alert_center_promotion.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Google Workspace feature only present in 8.4+ stack versions"
 min_stack_version = "8.4.0"
-updated_date = "2023/03/31"
+updated_date = "2023/06/22"
 promotion = true

 [rule]
@@ -38,7 +38,7 @@ risk_score = 73
 rule_id = "f1a6d0f4-95b8-11ed-9517-f661ea17fbcc"
 rule_name_override = "google_workspace.alert.type"
 severity = "high"
-tags = ["Elastic", "Cloud", "Google Workspace", "Log Auditing", "Threat Detection"]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Log Auditing", "Use Case: Threat Detection"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
index 3c6be7417..14aedf960 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -81,14 +81,11 @@ risk_score = 47
 rule_id = "93e63c3e-4154-4fc6-9f86-b411e0987bbf"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Impact",
- "Investigation Guide"
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Impact",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
index 7276b0ccd..482baaafd 100644
--- a/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
+++ b/rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -83,14 +83,11 @@ risk_score = 47
 rule_id = "cad4500a-abd7-4ef3-b5d3-95524de7cfe1"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit",
- "Impact",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Configuration Audit",
+ "Tactic: Impact",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
index 38b669a69..74015523b 100644
--- a/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
+++ b/rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -85,14 +85,11 @@ risk_score = 47
 rule_id = "38f384e0-aef8-11ed-9a38-f661ea17fbcc"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Initial Access",
- "Investigation Guide",
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Initial Access",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml b/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
index af61df703..3d9429701 100644
--- a/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_object_copied_from_external_drive_and_access_granted_to_custom_application.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -91,7 +91,7 @@ references = [
 risk_score = 47
 rule_id = "f33e68a4-bd19-11ed-b02f-f661ea17fbcc"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Initial Access"]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Initial Access", "Resources: Investigation Guide"]
 type = "eql"

 query = '''
diff --git a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
index c64c32250..76b673f2d 100644
--- a/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
+++ b/rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
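Review bot: The new tag list for the object_copied_from_external_drive rule adds `"Resources: Investigation Guide"` although the old list never carried `"Investigation Guide"`, and nothing in the hunk shows a `note` field holding a guide; every other rule in this diff only receives the new tag where the old one existed, so please confirm the rule actually ships a guide before tagging it, or drop the tag: `+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Tactic: Initial Access"]`. A second, unrelated observation from the same context lines: this is the only rule in the set whose tail goes from `type = "eql"` straight to `query = '''` with no `timestamp_override = "event.ingested"`, unlike the other Google Workspace EQL rules here; that may be intentional, but if I read the option correctly its absence means late-arriving events are matched on `@timestamp` rather than ingest time and can fall outside the lookback. The rule body and any `note` are outside this diff, so both points are inferred from the hunk context only.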
@@ -42,7 +42,7 @@ references = ["https://support.google.com/a/answer/1110339"]
 risk_score = 21
 rule_id = "00678712-b2df-11ed-afe9-f661ea17fbcc"
 severity = "low"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"

diff --git a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
index 11c83fc75..d59bb7ceb 100644
--- a/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
+++ b/rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -85,14 +85,11 @@ risk_score = 47
 rule_id = "785a404b-75aa-4ffd-8be5-3334a5a544dd"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit",
- "Persistence",
- "Investigation Guide"
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
index 5aadb0dcf..9a5cac6ae 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -85,14 +85,11 @@ risk_score = 47
 rule_id = "5e161522-2545-11ed-ac47-f661ea17fbce"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit",
- "Persistence",
- "Investigation Guide"
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
index 1050fc91b..a99d25729 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"

 [rule]
 author = ["Elastic"]
@@ -88,14 +88,11 @@ risk_score = 73
 rule_id = "68994a6c-c7ba-4e82-b476-26a26877adf6"
 severity = "high"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Persistence",
- "Investigation Guide"
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
index d48276ea1..570539eeb 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ references = ["https://developers.google.com/admin-sdk/directory/v1/guides/deleg
 risk_score = 47
 rule_id = "acbc8bb9-2486-49a8-8779-45fb5f9a93ee"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
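Review bot: The new tag list for rule acbc8bb9-2486-49a8-8779-45fb5f9a93ee adds `"Tactic: Persistence"` where the old list carried no tactic at all, and the `[[rule.threat]]` mapping that should back that tag is outside the hunk; please confirm the threat block of this rule has a Persistence tactic entry, otherwise the tag and the MITRE mapping disagree. The same first-time tactic tag is introduced in the persistence_google_workspace_custom_admin_role_created and persistence_google_workspace_role_modified hunks further down, so the same check applies there. In these three single-line lists `"Tactic: Persistence"` is also placed after `"Resources: Investigation Guide"`, while every multi-line list in this commit puts the Tactic tag before Resources; ordering them the same way, e.g. `tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]`, would keep the taxonomy ordering uniform.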
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
index fc6e6818c..770238e7a 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "ad3f2807-2b3e-47d7-b282-f84acbbe14be"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
index 5cd5e9ad5..21f071d54 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
@@ -83,14 +83,11 @@ risk_score = 47
 rule_id = "a99f82f5-8e77-4f8b-b3ce-10c0f6afbc73"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Persistence",
- "Investigation Guide"
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
index 5eff1a21a..672b61c78 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,7 @@ references = ["https://support.google.com/a/answer/2406043?hl=en"]
 risk_score = 47
 rule_id = "6f435062-b7fc-4af9-acea-5b1ead65c5a5"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Google Workspace", "Continuous Monitoring", "SecOps", "Identity and Access", "Investigation Guide"]
+tags = ["Domain: Cloud", "Data Source: Google Workspace", "Use Case: Identity and Access Audit", "Resources: Investigation Guide", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
index 133875101..fc0fc2576 100644
--- a/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
+++ b/rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -87,14 +87,11 @@ risk_score = 21
 rule_id = "cc6a8a20-2df2-11ed-8378-f661ea17fbce"
 severity = "low"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit",
- "Persistence",
- "Investigation Guide"
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
index 1d260c43d..5a0fc0bd2 100644
--- a/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
+++ b/rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
@@ -4,7 +4,7 @@ integration = ["google_workspace"]
 maturity = "production"
 min_stack_comments = "Breaking changes for Google Workspace integration."
 min_stack_version = "8.4.0"
-updated_date = "2023/04/12"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -81,14 +81,11 @@ risk_score = 47
 rule_id = "e555105c-ba6d-481f-82bb-9b633e7b4827"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Google Workspace",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Persistence",
- "Investigation Guide"
+ "Domain: Cloud",
+ "Data Source: Google Workspace",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Persistence",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
index e564b3a6f..b04db4c49 100644
--- a/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
+++ b/rules/integrations/kubernetes/discovery_denied_service_account_request.toml
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "63c056a0-339a-11ed-a261-0242ac120002"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Discovery"]
+tags = ["Data Source: Kubernetes", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
index 0645a542e..2c1f88b33 100644
--- a/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
+++ b/rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
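Review bot: The Kubernetes tag list in the discovery_denied_service_account_request hunk ends up as `"Data Source: Kubernetes"` plus a Tactic tag and nothing else, so the dropped `"Continuous Monitoring"` tag gets no replacement and the rule carries no Domain or Use Case tag, whereas every Google Workspace and Microsoft 365 list in this commit receives `"Domain: Cloud"` and, in most cases, a `Use Case:` tag. The same shape applies to all the remaining Kubernetes hunks, from discovery_suspicious_self_subject_review through privilege_escalation_suspicious_assignment_of_controller_service_account. If the new taxonomy expects each rule to carry a Domain or Use Case tag, these lists are incomplete; if Kubernetes rules are intentionally left without one, a sentence in the commit description saying so would save the next reader from asking.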
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ references = [
 risk_score = 47
 rule_id = "12a2f15d-597e-4334-88ff-38a02cb1330b"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Discovery"]
+tags = ["Data Source: Kubernetes", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
index d96fca23f..083439142 100644
--- a/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
+++ b/rules/integrations/kubernetes/execution_user_exec_to_pod.toml
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ references = [
 risk_score = 47
 rule_id = "14de811c-d60f-11ec-9fd7-f661ea17fbce"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution"]
+tags = ["Data Source: Kubernetes", "Tactic: Execution"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
index 7b83def5d..c7d7e3001 100644
--- a/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
+++ b/rules/integrations/kubernetes/initial_access_anonymous_request_authorized.toml
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "63c057cc-339a-11ed-a261-0242ac120002"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Initial Access", "Defense Evasion"]
+tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Initial Access", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
index f44fd89de..2d6496307 100644
--- a/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
+++ b/rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -42,7 +42,7 @@ references = [
 risk_score = 47
 rule_id = "65f9bccd-510b-40df-8263-334f03174fed"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Persistence"]
+tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
index 4082158ea..6389cbb8e 100644
--- a/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_container_created_with_excessive_linux_capabilities.toml
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ references = [
 risk_score = 47
 rule_id = "7164081a-3930-11ed-a261-0242ac120002"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
+tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
index 99e42c477..6b261fa4c 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ references = [
 risk_score = 47
 rule_id = "764c8437-a581-4537-8060-1fdb0e92c92d"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
+tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
index e9413d90d..770e16e07 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ references = [
 risk_score = 47
 rule_id = "12cbf709-69e8-4055-94f9-24314385c27e"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
+tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
index 568d9d558..d40d9a87a 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -39,7 +39,7 @@ references = [
 risk_score = 47
 rule_id = "df7fda76-c92b-4943-bc68-04460a5ea5ba"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
+tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
index b61e9294f..b91cc2315 100644
--- a/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ references = [
 risk_score = 47
 rule_id = "2abda169-416b-4bb3-9a6b-f8d239fd78ba"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
+tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
index 5ec506a12..39639d75a 100644
--- a/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ references = [
 risk_score = 47
 rule_id = "c7908cac-337a-4f38-b50d-5eeb78bdb531"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
+tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
index 9aeda568b..97e333ac0 100644
--- a/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
+++ b/rules/integrations/kubernetes/privilege_escalation_suspicious_assignment_of_controller_service_account.toml
@@ -4,7 +4,7 @@ integration = ["kubernetes"]
 maturity = "production"
 min_stack_comments = "New fields added to Kubernetes Integration"
 min_stack_version = "8.4.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "63c05204-339a-11ed-a261-0242ac120002"
 severity = "medium"
-tags = ["Elastic", "Kubernetes", "Continuous Monitoring", "Execution", "Privilege Escalation"]
+tags = ["Data Source: Kubernetes", "Tactic: Execution", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
index 6e72358a1..bae3ada03 100644
--- a/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
+++ b/rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Gary Blackwell", "Austin Songer"]
@@ -37,7 +37,7 @@ references = [
 risk_score = 47
 rule_id = "ec8efb0c-604d-42fa-ac46-ed1cfbc38f78"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Collection"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
index 1b48d347b..46acb624e 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Willem D'Haese", "Austin Songer"]
@@ -30,7 +30,7 @@ references = ["https://blueteamblog.com/7-ways-to-monitor-your-office-365-logs-u
 risk_score = 73
 rule_id = "26f68dba-ce29-497b-8e13-b4fde1db5a2d"
 severity = "high"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 type = "threshold"
 query = '''
diff --git a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
index 52c9e4434..5f06a52a8 100644
--- a/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
+++ b/rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured
 risk_score = 73
 rule_id = "3efee4f0-182a-40a8-a835-102c68a4175d"
 severity = "high"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 type = "threshold"
 query = '''
diff --git a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
index 23048c727..cccd01522 100644
--- a/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
+++ b/rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -29,7 +29,7 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured
 risk_score = 73
 rule_id = "2de10e77-c144-4e69-afb7-344e7127abd0"
 severity = "high"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 type = "threshold"
 query = '''
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
index d30b57784..c418c04f6 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "60f3adec-1df9-4104-9c75-b97d9f078b25"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
index 53221a5d5..f0147f15d 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "d743ff2a-203e-4a46-a3e3-40512cfe8fbb"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
index f541eef84..3c1f78020 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "ca79768e-40e1-4e45-a097-0e5fbc876ac2"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
index 713d48719..f4cdcd126 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 21
 rule_id = "03024bd9-d23f-4ec1-8674-3cf1a21e130b"
 severity = "low"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
index 572b25881..38bd2cf8f 100644
--- a/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
+++ b/rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = ["https://twitter.com/misconfig/status/1476144066807140355"]
 risk_score = 47
 rule_id = "675239ea-c1bc-4467-a6d3-b9e2cc7f676d"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Initial Access"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
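Review bot: The mailboxauditbypassassociation tag list is the only Microsoft 365 list in this commit without a `Use Case:` tag — beyond Domain and Data Source it gets only `"Tactic: Initial Access", "Tactic: Defense Evasion"`, while its siblings here (dlp_policy_removed, the two malware_filter rules, safe_attach_rule_disabled) all carry `"Use Case: Configuration Audit"`. A mailbox audit-bypass association is a tenant configuration change like those, so the gap looks inherited from the old list (which also lacked a Configuration Audit tag) rather than intended; if so, `tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access", "Tactic: Defense Evasion"]` would keep the Microsoft 365 set uniform. Whether the taxonomy requires a Use Case on every rule is not visible from the hunk, so treat this as a consistency question rather than a hard error.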
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
index 26eb780e0..7eab6e482 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "ff4dd44a-0ac6-44c4-8609-3f81bc820f02"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
index bbb4884a8..ede1ab7c7 100644
--- a/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "272a6484-2663-46db-a532-ef734bf9a796"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml b/rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml
similarity index 90%
rename from rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
rename to rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml
index a0b5faddc..ad5ac0706 100644
--- a/rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
+++ b/rules/integrations/o365/exfiltration_microsoft_365_mass_download_by_a_single_user.toml
@@ -2,7 +2,7 @@ creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "development"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "571ff456-aa7f-4e48-8a88-39698bb5418f"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Exfiltration"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
index 93be776cd..e4406be07 100644
--- a/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
+++ b/rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
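Review bot: The renamed mass_download_by_a_single_user rule keeps `"Use Case: Configuration Audit"` while being re-tagged `"Tactic: Exfiltration"`; a bulk-download detection is not a configuration-audit rule, and the same inherited Use Case appears on the potential_ransomware_activity and unusual_volume_of_file_deletion hunks that follow, which detect activity rather than settings changes. Since this commit is the one remapping the old flat tags onto the new taxonomy, it is the place to choose the right Use Case for these three instead of carrying the old list's value forward. The rename also moves the rule from Impact to Exfiltration, but the `[[rule.threat]]` mapping lives outside the hunk — confirm it was updated to the Exfiltration tactic so the tag, the filename and the MITRE mapping agree.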
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "721999d0-7ab2-44bf-b328-6e63367b9b29"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index 0362a15e4..86638000c 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -26,7 +26,7 @@ references = [
 risk_score = 47
 rule_id = "b2951150-658f-4a60-832f-a00d1e6c6745"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
index 3a21fc34f..ecd641404 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "d68eb1b5-5f1c-4b6d-9e63-5b6b145cd4aa"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
index d3aabc563..665552860 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "97314185-2568-4561-ae81-f3e480e5e695"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
index c27ed5396..b9f3ff185 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "a989fa1b-9a11-4dd8-a3e9-f0de9c6eb5f2"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
index 05f8a4f74..960fc712c 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/07/15"
 integration = ["o365"]
 maturity = "development"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "9c49fe22-4e86-4384-a9a0-602f4d54088d"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
index e41247f6c..5841c41a3 100644
--- a/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
+++ b/rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "0136b315-b566-482f-866c-1d8e2477ba16"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
index 45b2c0c20..b90856dfa 100644
--- a/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
+++ b/rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "5930658c-2107-4afc-91af-e0e55b7f7184"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Initial Access"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
index 0b056bdf5..858fec97b 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 73
 rule_id = "bba1b212-b85c-41c6-9b28-be0e5cdfc9b1"
 severity = "high"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Lateral Movement"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
index cfd2b79bc..6cfc929ce 100644
--- a/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
+++ b/rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 73
 rule_id = "0e52157a-8e96-4a95-a6e3-5faae5081a74"
 severity = "high"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Lateral Movement"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Lateral Movement"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index 33d5dd566..72fb548f5 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -24,7 +24,7 @@ The Office 365 Logs Fleet integration, Filebeat module, or similarly structured
 risk_score = 21
 rule_id = "0ce6487d-8069-4888-9ddd-61b52490cebc"
 severity = "low"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
index 3bcb7abcf..d441a433a 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "514121ce-c7b6-474a-8237-68ff71672379"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Data Protection", "Persistence"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
index 21c7bb2e5..33a666d14 100644
--- a/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "98995807-5b09-4e37-8a54-5cae5dc932d7"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
index f6c652615..336accf9d 100644
--- a/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
index 50cd1d0bc..e0b4b1af4 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -32,13 +32,10 @@ risk_score = 47
 rule_id = "bbd1a775-8267-41fa-9232-20e5582596ac"
 severity = "medium"
 tags = [
- "Elastic",
- "Cloud",
- "Microsoft 365",
- "Continuous Monitoring",
- "SecOps",
- "Configuration Audit",
- "Persistence",
+ "Domain: Cloud",
+ "Data Source: Microsoft 365",
+ "Use Case: Configuration Audit",
+ "Tactic: Persistence",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
index 1fa59199a..a263a54f6 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://docs.microsoft.com/en-us/microsoftteams/manage-external-a
 risk_score = 47
 rule_id = "27f7c15a-91f8-4c3d-8b9e-1f99cc030a51"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
index 8fad19023..da3379715 100644
--- a/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
+++ b/rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 47
 rule_id = "5e552599-ddec-4e14-bad1-28aa42404388"
 severity = "medium"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Configuration Audit"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Configuration Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
index 44da822d4..41046f826 100644
--- a/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
+++ b/rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
@@ -4,7 +4,7 @@ integration = ["o365"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 21
 rule_id = "684554fc-0777-47ce-8c9b-3d01f198d7f8"
 severity = "low"
-tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Domain: Cloud", "Data Source: Microsoft 365", "Use Case: Identity and Access Audit", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
index 23ee888e7..03817bb34 100644
--- a/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
+++ b/rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 73
 rule_id = "3805c3dc-f82c-4f8d-891e-63c24d3102b0"
 severity = "high"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
index b27863f95..4df61eaf1 100644
--- a/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
+++ b/rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "e08ccd49-0380-4b2b-8d71-8000377d6e49"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 type = "threshold"
 query = '''
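Review bot: The new `+tags` line in credential_access_attempted_bypass_of_okta_mfa.toml lists `"Use Case: Identity and Access Audit"` twice, in the first and third positions. The o365 hunks in this same change turn the old unprefixed domain tag (`"Cloud"`) into `"Domain: Cloud"`, whereas here both the old `"Identity"` tag and the old `"Identity and Access"` tag were rewritten to the same use-case tag, so the rule ends up with a duplicate and no domain tag at all. Drop the repeat, `tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]`, or put whatever domain tag the new scheme defines for identity providers in the first slot if one exists; the same pattern recurs in every Okta tags hunk below.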
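Review bot: The `+tags` line in credential_access_attempts_to_brute_force_okta_user_account.toml repeats `"Use Case: Identity and Access Audit"` as both its first and third entry. Presumably the first slot was meant to carry the successor of the old `"Identity"` domain tag rather than a copy of the use-case tag; as written it only adds noise to tag-based filtering. Suggest `tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]` unless a domain tag is intended there.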
diff --git a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
index c1f2cd56c..225994793 100644
--- a/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
+++ b/rules/integrations/okta/credential_access_mfa_push_brute_force.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/31"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 73
 rule_id = "97a8e584-fd3b-421f-9b9d-9c9d9e57e9d7"
 severity = "high"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 type = "eql"
 query = '''
diff --git a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
index 0c14db3cf..3dc76ee54 100644
--- a/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
+++ b/rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
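Review bot: The `+tags` line in credential_access_mfa_push_brute_force.toml carries `"Use Case: Identity and Access Audit"` twice (first and third entries), so the array has a duplicate where the o365 files in this change carry a `Domain:` tag. Either the first entry should be the domain tag the new scheme uses for identity sources, or it should simply go: `tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]`.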
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "42bf698b-4738-445b-8231-c834ddefd8a0"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]
 type = "threshold"
 query = '''
diff --git a/rules/integrations/okta/credential_access_user_impersonation_access.toml b/rules/integrations/okta/credential_access_user_impersonation_access.toml
index c1607f741..ea45a609f 100644
--- a/rules/integrations/okta/credential_access_user_impersonation_access.toml
+++ b/rules/integrations/okta/credential_access_user_impersonation_access.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -30,13 +30,10 @@ risk_score = 73
 rule_id = "cdbebdc1-dc97-43c6-a538-f26a20c0a911"
 severity = "high"
 tags = [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Credential Access",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Credential Access",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
index 321563905..9387f463f 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
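Review bot: The `+tags` line in credential_access_okta_brute_force_or_password_spraying.toml has `"Use Case: Identity and Access Audit"` in both the first and third position. A duplicate tag is harmless to the rule itself but is almost certainly not what the migration intended, given that every o365 rule in this change gets a distinct `Domain:` tag in that slot. Deduplicate to `tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Credential Access"]` or supply the intended domain tag.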
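Review bot: In the multi-line `tags = [` hunk of credential_access_user_impersonation_access.toml the added entries `"Use Case: Identity and Access Audit"` appear twice, once as the first element and again as the third. The seven removed entries had two distinct tags in those positions (`"Identity"` and `"Identity and Access"`), so one of the two new lines is a copy-paste duplicate. Remove the first `"Use Case: Identity and Access Audit",` line, leaving `"Data Source: Okta"`, the single use-case tag and `"Tactic: Credential Access"`, unless a domain tag is meant to go there.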
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "8a5c1e5f-ad63-481e-b53a-ef959230f7f1"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security", "Defense Evasion"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
index 3f9e4adcb..c11e2e89f 100644
--- a/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "c749e367-a069-4a73-b1f2-43a3798153ad"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security", "Defense Evasion"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
index 39c5531c3..a15b64710 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 21
 rule_id = "b719a170-3bdb-4141-b0e3-13e3cf627bfe"
 severity = "low"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
index b57284de9..26d30c1f7 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,13 +35,10 @@ risk_score = 47
 rule_id = "cc92c835-da92-45c9-9f29-b4992ad621a0"
 severity = "medium"
 tags = [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Defense Evasion",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
 ]
 timestamp_override = "event.ingested"
 type = "query"
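Review bot: The `tags = [` hunk in defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml adds `"Use Case: Identity and Access Audit"` on two separate lines (first and third added entries). Contrast the sibling defense_evasion_okta_attempt_to_deactivate_okta_policy.toml hunk just above, which ends up with three distinct tags; this file should match it. Drop one of the two `"Use Case: Identity and Access Audit",` lines, or replace the first with the domain tag if the new scheme has one for identity sources.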
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
index 290913405..ce46bec20 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "b4bb1440-0fcb-4ed1-87e5-b06d58efc5e9"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
index 4293c5ad2..cdab4bd3a 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 21
 rule_id = "d5d86bf5-cf0c-4c06-b688-53fdc072fdfd"
 severity = "low"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
index eba5e4378..5966835be 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "e48236ca-b67a-4b4e-840c-fdc7782bc0c3"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Network Security", "Defense Evasion"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Network Security Monitoring", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
index bb30144f9..6a9d8ca61 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 21
 rule_id = "6731fbf2-8f28-49ed-9ab9-9a918ceb5a45"
 severity = "low"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Defense Evasion"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
index faaacd213..547fe176b 100644
--- a/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
+++ b/rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,13 +35,10 @@ risk_score = 21
 rule_id = "000047bb-b27a-47ec-8b62-ef1a5d2c9e19"
 severity = "low"
 tags = [
- "Elastic",
- "Identity",
- "Okta",
- "Continuous Monitoring",
- "SecOps",
- "Identity and Access",
- "Defense Evasion",
+ "Use Case: Identity and Access Audit",
+ "Data Source: Okta",
+ "Use Case: Identity and Access Audit",
+ "Tactic: Defense Evasion",
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
index 359d06d14..1cf95e7b3 100644
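Review bot: The new tags list in the `@@ -35,13 +35,10 @@` hunk of defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml carries `"Use Case: Identity and Access Audit"` twice, which looks like the result of mapping both the old `"Identity"` and the old `"Identity and Access"` tag to the same new value. The same duplicate appears in the tags hunks of defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml, initial_access_okta_user_attempted_unauthorized_access.toml, persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml, persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml and persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml. Dropping the second `"Use Case: Identity and Access Audit",` entry here, and the repeated element in the one-line lists of the other five files, brings them in line with the single-entry form the sibling Okta rules in this diff use. If the repository has a rule-schema validation step, a uniqueness check on `tags` would catch this class of mistake before merge.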
--- a/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
+++ b/rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "@BenB196", "Austin Songer"]
@@ -36,7 +36,7 @@ references = [
 risk_score = 47
 rule_id = "e90ee3af-45fc-432e-a850-4a58cf14a457"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Defense Evasion"]
 type = "threshold"
 query = '''
diff --git a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
index 0a908bf3e..74ccb7d6d 100644
--- a/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
+++ b/rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 21
 rule_id = "676cff2b-450b-4cf1-8ed2-c0c58a4a2dd7"
 severity = "low"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
index 4838eafdb..887f506c9 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 21
 rule_id = "edb91186-1c7e-4db8-b53e-bfa33a1a0a8a"
 severity = "low"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
index 5af6bf928..7178d23a5 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 21
 rule_id = "d48e1c13-4aca-4d1f-a7b1-a9161c0ad86f"
 severity = "low"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
index 71b8faabb..04cc2f0fa 100644
--- a/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
+++ b/rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 21
 rule_id = "c74fd275-ab2c-4d49-8890-e2943fa65c09"
 severity = "low"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring", "Impact"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/impact_possible_okta_dos_attack.toml b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
index cac1bf6f2..b3073630c 100644
--- a/rules/integrations/okta/impact_possible_okta_dos_attack.toml
+++ b/rules/integrations/okta/impact_possible_okta_dos_attack.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "e6e3ecff-03dd-48ec-acbd-54a04de10c68"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index bfbc85bcd..566636821 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 21
 rule_id = "4edd3e1a-3aa0-499b-8147-4d2ea43b1613"
 severity = "low"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
index 10741ef19..6f41ce6d5 100644
--- a/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
+++ b/rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "f994964f-6fce-4d75-8e79-e16ccc412588"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
index 36d293bb9..4dfba7b0c 100644
--- a/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
+++ b/rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/13"
+updated_date = "2023/06/22"
 promotion = true
 [rule]
@@ -37,7 +37,7 @@ risk_score = 47
 rule_id = "6885d2ae-e008-4762-b98a-e8e1cd3a81e9"
 rule_name_override = "okta.display_message"
 severity = "medium"
-tags = ["Elastic", "Identity", "Identity and Access", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
index d9006607e..c6b80a4df 100644
--- a/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
+++ b/rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "b8075894-0b62-46e5-977c-31275da34419"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
index 03cd607a3..377b354b4 100644
--- a/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
+++ b/rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "f06414a6-f2a4-466d-8eba-10f85e8abf71"
 severity = "medium"
-tags = ["Elastic", "Okta", "SecOps", "Monitoring", "Continuous Monitoring"]
+tags = ["Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
index 8b492628d..abf0487d8 100644
--- a/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
+++ b/rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "96b9f4ea-0e8c-435b-8d53-2096e75fcac5"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Monitoring"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
index 21243653f..81d5cc46a 100644
--- a/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 21
 rule_id = "cd89602e-9db0-48e3-9391-ae3bf241acd8"
 severity = "low"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
index c96b2fb0c..c9cfc03bf 100644
--- a/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
+++ b/rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 21
 rule_id = "729aa18d-06a6-41c7-b175-b65b739b1181"
 severity = "low"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
index dfcc0a441..c89f3ee46 100644
--- a/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
+++ b/rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
@@ -4,7 +4,7 @@ integration = ["okta"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "cd16fb10-0261-46e8-9932-a0336278cdbe"
 severity = "medium"
-tags = ["Elastic", "Identity", "Okta", "Continuous Monitoring", "SecOps", "Identity and Access", "Persistence"]
+tags = ["Use Case: Identity and Access Audit", "Data Source: Okta", "Use Case: Identity and Access Audit", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
index 824829a24..8f502951b 100644
--- a/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
+++ b/rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -40,7 +40,7 @@ references = [
 risk_score = 47
 rule_id = "eb6a3790-d52d-11ec-8ce9-f661ea17fbce"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control"]
 type = "eql"
 query = '''
diff --git a/rules/linux/command_and_control_linux_iodine_activity.toml b/rules/linux/command_and_control_linux_iodine_activity.toml
index 52cdcb741..e41e88c53 100644
--- a/rules/linux/command_and_control_linux_iodine_activity.toml
+++ b/rules/linux/command_and_control_linux_iodine_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://code.kryo.se/iodine/"]
 risk_score = 73
 rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
index 597c3bad2..6289ca832 100644
--- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
+++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
@@ -23,7 +23,7 @@ name = "Suspicious Network Activity to the Internet by Previously Unknown Execut
 risk_score = 21
 rule_id = "53617418-17b4-4e9c-8a2c-8deb8086ca4b"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Network", "Command and Control", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 query = '''
diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml
index 683f35768..42fc8d341 100644
--- a/rules/linux/command_and_control_tunneling_via_earthworm.toml
+++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Command and Control", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
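Review bot: The `@@ -23,7 +23,7 @@` hunk of command_and_control_suspicious_network_activity_from_unknown_executable.toml drops the old `"Network"` tag without a replacement, whereas the Okta network zone rule earlier in this diff maps its network tag to `"Use Case: Network Security Monitoring"`; if that use-case tag is the intended home for network-centric rules, this rule may want it too, e.g. `tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Use Case: Network Security Monitoring", "Tactic: Command and Control", "Data Source: Elastic Endgame"]`. This file section also shows only the tags hunk and no `updated_date` change, as do the credential_access_potential_linux_ssh_bruteforce_external.toml, credential_access_proc_credential_dumping.toml and defense_evasion_esxi_suspicious_timestomp_touch.toml sections; that is consistent with those dates already being current, but it is worth confirming since every other section bumps the date alongside the tag rewrite.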
diff --git a/rules/linux/credential_access_bruteforce_password_guessing.toml b/rules/linux/credential_access_bruteforce_password_guessing.toml
index ad0e3842e..daf89c10b 100644
--- a/rules/linux/credential_access_bruteforce_password_guessing.toml
+++ b/rules/linux/credential_access_bruteforce_password_guessing.toml
@@ -4,7 +4,7 @@ integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ The rule identifies consecutive SSH login failures followed by a successful logi
 risk_score = 47
 rule_id = "8cb84371-d053-4f4f-bce0-c74990e28f28"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
 type = "eql"
 query = '''
 sequence by host.id, source.ip, user.name with maxspan=3s
diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml
index 0d512ee7f..7b2fa8982 100644
--- a/rules/linux/credential_access_collection_sensitive_files.toml
+++ b/rules/linux/credential_access_collection_sensitive_files.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
 risk_score = 47
 rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Collection", "Credential Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml
index e16b589b6..1f312acce 100644
--- a/rules/linux/credential_access_credential_dumping.toml
+++ b/rules/linux/credential_access_credential_dumping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/20"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "e7cb3cfd-aaa3-4d7b-af18-23b89955062c"
 severity = "medium"
-tags = ["Elastic", "Elastic Endgame", "Host", "Linux", "Threat Detection", "Credential Access"]
+tags = ["Data Source: Elastic Endgame", "Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
index 2eef5c37b..b2c88a612 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
@@ -59,7 +59,7 @@ In case this rule generates too much noise and external brute forcing is of not
 risk_score = 21
 rule_id = "fa210b61-b627-4e5e-86f4-17e8270656ab"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
 type = "eql"
 query = '''
 sequence by host.id, source.ip, user.name with maxspan=5s
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
index 8c85d85aa..58959516d 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
@@ -4,7 +4,7 @@ integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/21"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,7 @@ The rule identifies consecutive internal SSH login failures targeting a user acc
 risk_score = 47
 rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]
 type = "eql"
 query = '''
 sequence by host.id, source.ip, user.name with maxspan=5s
diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
index f8e374c5b..b8b9f94ac 100644
--- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
+++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_root.toml
@@ -4,7 +4,7 @@ integration = ["system"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/23"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ The rule identifies consecutive SSH login failures targeting a privileged (root)
 risk_score = 73
 rule_id = "a5f0d057-d540-44f5-924d-c6a2ae92f045"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access"]
 type = "eql"
 query = '''
 sequence by host.id, source.ip with maxspan=10s
diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml
index 544586840..251136b6b 100644
--- a/rules/linux/credential_access_proc_credential_dumping.toml
+++ b/rules/linux/credential_access_proc_credential_dumping.toml
@@ -26,7 +26,7 @@ references = [
 risk_score = 47
 rule_id = "ef100a2e-ecd4-4f72-9d1e-2f779ff3c311"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Vulnerability"]
 type = "eql"
 query = '''
 sequence by process.parent.name,host.name with maxspan=1m
diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml
index 11f78c920..46b550960 100644
--- a/rules/linux/credential_access_ssh_backdoor_log.toml
+++ b/rules/linux/credential_access_ssh_backdoor_log.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
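Review bot: The `@@ -26,7 +26,7 @@` hunk of credential_access_proc_credential_dumping.toml adds `"Use Case: Vulnerability"`, a tag with no counterpart in the removed list, while every other tag in that line is a one-to-one rename of an old value; that makes it stand out as either a deliberate reclassification or a mis-mapping, and the diff alone cannot tell which. If it is intended, the rationale belongs somewhere a maintainer will find it — a TOML comment above the line such as `# "Use Case: Vulnerability": <why this rule is vulnerability-related>` would do — and the rule's `updated_date` should be checked, since this file section carries no metadata hunk. If it is not intended, the line should read `tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access"]`, matching the mapping applied to the other credential-access rules in this diff.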
@@ -30,7 +30,7 @@ references = [
 risk_score = 73
 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Credential Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
index c0e73e5b0..0d8ca0ff8 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Attempt to Disable IPTables or Firewall"
 risk_score = 21
 rule_id = "83e9c2b3-24ef-4c1d-a8cd-5ebafb5dfa2f"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
index 49ca2656b..b0e4c43c8 100644
--- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
+++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Attempt to Disable Syslog Service"
 risk_score = 47
 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
index 783c23e1d..c73b72719 100644
--- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
+++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ name = "Base16 or Base32 Encoding/Decoding Activity"
 risk_score = 21
 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml
index 35e82ab87..cf0c62d02 100644
--- a/rules/linux/defense_evasion_chattr_immutable_file.toml
+++ b/rules/linux/defense_evasion_chattr_immutable_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/26"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml
index ed3f1ae20..08ca49ce6 100644
--- a/rules/linux/defense_evasion_disable_selinux_attempt.toml
+++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Potential Disabling of SELinux"
 risk_score = 47
 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
index 1c6f387ca..6fbc4e818 100644
--- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
+++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml
@@ -26,7 +26,7 @@ references = [
 risk_score = 47
 rule_id = "30bfddd7-2954-4c9d-bbc6-19a99ca47e23"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml
index 3bea31c1c..432b50e09 100644
--- a/rules/linux/defense_evasion_file_deletion_via_shred.toml
+++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "File Deletion via Shred"
 risk_score = 21
 rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml
index e2a48988f..8f3cb1725 100644
--- a/rules/linux/defense_evasion_file_mod_writable_dir.toml
+++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "File Permission Modification in Writable Directory"
 risk_score = 21
 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
index e26d2f500..90956eccf 100644
--- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
+++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml
index 383e2e322..4e3d12efb 100644
--- a/rules/linux/defense_evasion_hidden_shared_object.toml
+++ b/rules/linux/defense_evasion_hidden_shared_object.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml
index ba1df50a6..81bcb2b24 100644
--- a/rules/linux/defense_evasion_kernel_module_removal.toml
+++ b/rules/linux/defense_evasion_kernel_module_removal.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/08"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["http://man7.org/linux/man-pages/man8/modprobe.8.html"]
 risk_score = 73
 rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml
index 04610acf7..45e4b0aaf 100644
--- a/rules/linux/defense_evasion_log_files_deleted.toml
+++ b/rules/linux/defense_evasion_log_files_deleted.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "aa895aea-b69c-4411-b110-8d7599634b30"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml
index e806747a8..6955e3ffa 100644
--- a/rules/linux/defense_evasion_mount_execution.toml
+++ b/rules/linux/defense_evasion_mount_execution.toml
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "dc71c186-9fe4-4437-a4d0-85ebb32b8204"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml
index 91deda60f..99a98babe 100644
--- a/rules/linux/defense_evasion_potential_proot_exploits.toml
+++ b/rules/linux/defense_evasion_potential_proot_exploits.toml
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "5c9ec990-37fa-4d5c-abfc-8d432f3dedd0"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml
index 949d3f810..0ad3a98fa 100644
--- a/rules/linux/defense_evasion_rename_esxi_files.toml
+++ b/rules/linux/defense_evasion_rename_esxi_files.toml
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "97db8b42-69d8-4bf3-9fd4-c69a1d895d68"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml
index 9f0d8c2df..57f139d27 100644
--- a/rules/linux/defense_evasion_rename_esxi_index_file.toml
+++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "c125e48f-6783-41f0-b100-c3bf1b114d16"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml
index ad8eeb94b..40a714acd 100644
--- a/rules/linux/discovery_esxi_software_via_find.toml
+++ b/rules/linux/discovery_esxi_software_via_find.toml
@@ -26,7 +26,7 @@ references = [
 risk_score = 47
 rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml
index 4600a92fc..3f705126c 100644
--- a/rules/linux/discovery_esxi_software_via_grep.toml
+++ b/rules/linux/discovery_esxi_software_via_grep.toml
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml
index 9554609ed..b80211b64 100644
--- a/rules/linux/discovery_kernel_module_enumeration.toml
+++ b/rules/linux/discovery_kernel_module_enumeration.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/08"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ name = "Enumeration of Kernel Modules"
 risk_score = 47
 rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/discovery_kernel_module_enumeration_via_proc.toml b/rules/linux/discovery_kernel_module_enumeration_via_proc.toml
index af9cac455..e9bebd37c 100644
--- a/rules/linux/discovery_kernel_module_enumeration_via_proc.toml
+++ b/rules/linux/discovery_kernel_module_enumeration_via_proc.toml
@@ -44,7 +44,7 @@ Add the newly installed `auditd manager` to an agent policy, and deploy the agen
 risk_score = 47
 rule_id = "80084fa9-8677-4453-8680-b891d3c0c778"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml
index 2287687cd..95dc3fcbf 100644
--- a/rules/linux/discovery_linux_hping_activity.toml
+++ b/rules/linux/discovery_linux_hping_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Hping"]
 risk_score = 73
 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml
index 501d93685..06832b8ee 100644
--- a/rules/linux/discovery_linux_nping_activity.toml
+++ b/rules/linux/discovery_linux_nping_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = ["https://en.wikipedia.org/wiki/Nmap"]
 risk_score = 47
 rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml
index faa8bb43d..dbe7bd059 100644
--- a/rules/linux/discovery_virtual_machine_fingerprinting.toml
+++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ name = "Virtual Machine Fingerprinting"
 risk_score = 73
 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml
index de4178c3b..bb03cdf41 100644
--- a/rules/linux/execution_abnormal_process_id_file_created.toml
+++ b/rules/linux/execution_abnormal_process_id_file_created.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/25"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ references = [
 risk_score = 47
 rule_id = "cac91072-d165-11ec-a764-f661ea17fbce"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
index 42bfba2ae..3dd357b84 100644
--- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
+++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ references = [
 risk_score = 47
 rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml
index 9bb038d4c..5091182e4 100644
--- a/rules/linux/execution_perl_tty_shell.toml
+++ b/rules/linux/execution_perl_tty_shell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Interactive Terminal Spawned via Perl"
 risk_score = 73
 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml
index 660b9bc2f..87a66270d 100644
--- a/rules/linux/execution_process_started_from_process_id_file.toml
+++ b/rules/linux/execution_process_started_from_process_id_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -41,7 +41,7 @@ references = [
 risk_score = 73
 rule_id = "3688577a-d196-11ec-90b0-f661ea17fbce"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml
index 5183bae40..ea2c4d77f 100644
--- a/rules/linux/execution_process_started_in_shared_memory_directory.toml
+++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 73
 rule_id = "3f3f9fe2-d095-11ec-95dc-f661ea17fbce"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "BPFDoor", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: BPFDoor", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml
index 4074c2302..42fb7d710 100644
--- a/rules/linux/execution_python_tty_shell.toml
+++ b/rules/linux/execution_python_tty_shell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/04/15"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2023/05/05"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -20,7 +20,7 @@ name = "Interactive Terminal Spawned via Python"
 risk_score = 73
 rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 type = "eql"
 query = '''
diff --git a/rules/linux/execution_reverse_shell_via_named_pipe.toml b/rules/linux/execution_reverse_shell_via_named_pipe.toml
index 68de8f855..4211ea5c1 100644
--- a/rules/linux/execution_reverse_shell_via_named_pipe.toml
+++ b/rules/linux/execution_reverse_shell_via_named_pipe.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "dd7f1524-643e-11ed-9e35-f661ea17fbcd"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 type = "eql"
 
 query = '''
diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml
index 95e6d1f30..8fd34ab54 100644
--- a/rules/linux/execution_shell_evasion_linux_binary.toml
+++ b/rules/linux/execution_shell_evasion_linux_binary.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -97,7 +97,7 @@ references = [
 risk_score = 47
 rule_id = "52376a86-ee86-4967-97ae-1a05f55816f0"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "GTFOBins", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml
index cee198c62..6f90d8dcd 100644
--- a/rules/linux/execution_suspicious_mining_process_creation_events.toml
+++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml
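Review bot: The `GTFOBins` tag is the only threat/resource tag in this batch that is dropped instead of re-namespaced — the new `tags` line for the shell-evasion rule keeps `Tactic: Execution` and `Data Source: Elastic Endgame` but has no counterpart for `GTFOBins`, whereas sibling hunks in the same change preserve `Threat: BPFDoor`, `Threat: TripleCross` and `Resources: Investigation Guide`. Anyone filtering or routing alerts on that tag will silently lose this rule after the update. If the drop is deliberate it should be called out in the commit description; if not, carry it over under the new scheme, e.g. `"Resources: GTFOBins"` (or whichever namespace the project's tag taxonomy assigns to it), which the `updated_date` bump in this file already covers.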
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/20"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Suspicious Mining Process Creation Event"
 risk_score = 47
 rule_id = "e2258f48-ba75-4248-951b-7c885edf18c2"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml
index 1b0f53152..4cca91fc3 100644
--- a/rules/linux/execution_tc_bpf_filter.toml
+++ b/rules/linux/execution_tc_bpf_filter.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 integration = ["endpoint"]
 
 [rule]
@@ -23,7 +23,7 @@ references = [
 risk_score = 73
 rule_id = "ef04a476-07ec-48fc-8f3d-5e1742de76d3"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution", "TripleCross", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Threat: TripleCross", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml
index 1c865de15..ef74a0d0e 100644
--- a/rules/linux/impact_esxi_process_kill.toml
+++ b/rules/linux/impact_esxi_process_kill.toml
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "6641a5af-fb7e-487a-adc4-9e6503365318"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
index 1cf29a5cb..7975cf5b6 100644
--- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
+++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml
@@ -23,7 +23,7 @@ name = "Suspicious File Changes Activity Detected"
 risk_score = 73
 rule_id = "28738f9f-7427-4d23-bc69-756708b5f624"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id, file.extension with maxspan=1s
diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
index 44d61b9a4..08d5d5650 100644
--- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml
+++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml
@@ -25,7 +25,7 @@ name = "Potential Linux Ransomware Note Creation Detected"
 risk_score = 73
 rule_id = "c8935a8b-634a-4449-98f7-bb24d3b2c0af"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact"]
 type = "eql"
 query = '''
 sequence by host.id, process.entity_id with maxspan=1s
diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml
index 6a05ba18b..74760ae93 100644
--- a/rules/linux/impact_process_kill_threshold.toml
+++ b/rules/linux/impact_process_kill_threshold.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ This rule identifies a high number (10) of process terminations via pkill from t
 risk_score = 47
 rule_id = "67f8443a-4ff3-4a70-916d-3cfa3ae9f02b"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 type = "threshold"
 
 query = '''
diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml
index d8141aa84..720ed8c60 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_external.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
 type = "eql"
 
 query = '''
diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
index 7c688d19d..c8361bfa2 100644
--- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml
+++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
 type = "eql"
 
 query = '''
diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml
index 0ae49e23e..664bfd5c4 100644
--- a/rules/linux/persistence_chkconfig_service_add.toml
+++ b/rules/linux/persistence_chkconfig_service_add.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 integration = ["endpoint"]
 
 [rule]
@@ -22,7 +22,7 @@ references = [
 risk_score = 47
 rule_id = "b910f25a-2d44-47f2-a873-aabdc0d355e6"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Lightning Framework", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Lightning Framework", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
index 0538db141..7fbf40bc2 100644
--- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
+++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = ["https://blog.angelalonso.es/2016/09/anatomy-of-real-linux-intrusi
 risk_score = 47
 rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access", "Persistence", "Lateral Movement", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Persistence", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml
index 81d79fa26..bf1d58d5c 100644
--- a/rules/linux/persistence_cron_job_creation.toml
+++ b/rules/linux/persistence_cron_job_creation.toml
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "ff10d4d8-fea7-422d-afb1-e5a2702369a9"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Privilege Escalation", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml
index 634fbb50a..9361da221 100644
--- a/rules/linux/persistence_dynamic_linker_backup.toml
+++ b/rules/linux/persistence_dynamic_linker_backup.toml
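Review bot: The cron-job rule's `tags` line changes with no accompanying `updated_date` bump, whereas the neighbouring `persistence_credential_access_modify_ssh_binaries.toml` hunks on this same line bump `updated_date` to `2023/06/22` for the same kind of tag-only edit. This file's `[metadata]` block is outside the hunk, so I cannot tell whether its `updated_date` already reads `2023/06/22`; if it does not, add the same bump, `updated_date = "2023/06/22"`, so the rule's version metadata reflects the change like the rest of the batch. The same check applies to the other tag-only hunks in this change (the ESXi, ransomware and init.d rules, for example).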
@@ -3,7 +3,7 @@ creation_date = "2022/07/12"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 integration = ["endpoint"]
 
 [rule]
@@ -22,7 +22,7 @@ references = [
 risk_score = 73
 rule_id = "df6f62d9-caab-4b88-affa-044f4395a1e0"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit"]
 type = "eql"
 
 query = '''
diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml
index 58a2e7406..ae918434f 100644
--- a/rules/linux/persistence_etc_file_creation.toml
+++ b/rules/linux/persistence_etc_file_creation.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/22"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/26"
+updated_date = "2023/06/22"
 integration = ["endpoint"]
 
 [rule]
@@ -23,7 +23,7 @@ references = [
 risk_score = 47
 rule_id = "1c84dd64-7e6c-4bad-ac73-a5014ee37042"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Orbit", "Lightning Framework", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Orbit", "Threat: Lightning Framework", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml
index ce357b6d3..2474e83c7 100644
--- a/rules/linux/persistence_init_d_file_creation.toml
+++ b/rules/linux/persistence_init_d_file_creation.toml
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "474fd20e-14cc-49c5-8160-d9ab4ba16c8b"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml
index 591662183..fb12391ca 100644
--- a/rules/linux/persistence_insmod_kernel_module_load.toml
+++ b/rules/linux/persistence_insmod_kernel_module_load.toml
@@ -3,7 +3,7 @@ creation_date = "2022/07/11"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 integration = ["endpoint"]
 
 [rule]
@@ -22,7 +22,7 @@ references = [
 risk_score = 47
 rule_id = "2339f03c-f53f-40fa-834b-40c5983fc41f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Rootkit", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Threat: Rootkit", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml
index 489c66972..3af88a646 100644
--- a/rules/linux/persistence_kde_autostart_modification.toml
+++ b/rules/linux/persistence_kde_autostart_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml
index 2274d8dc3..4029160d4 100644
--- a/rules/linux/persistence_linux_backdoor_user_creation.toml
+++ b/rules/linux/persistence_linux_backdoor_user_creation.toml
@@ -20,7 +20,7 @@ name = "Potential Linux Backdoor User Account Creation"
 risk_score = 47
 rule_id = "494ebba4-ecb7-4be4-8c6f-654c686549ad"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml
index 240c351fe..092130a43 100644
--- a/rules/linux/persistence_linux_group_creation.toml
+++ b/rules/linux/persistence_linux_group_creation.toml
@@ -19,7 +19,7 @@ name = "Linux Group Creation"
 risk_score = 21
 rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
index 5a9b2aae1..e7608af01 100644
--- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml
+++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml
@@ -27,7 +27,7 @@ references = [
 risk_score = 73
 rule_id = "f16fca20-4d6c-43f9-aec1-20b6de3b0aeb"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Initial Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml
index e71f8f5e2..75695484b 100644
--- a/rules/linux/persistence_linux_user_account_creation.toml
+++ b/rules/linux/persistence_linux_user_account_creation.toml
@@ -19,7 +19,7 @@ name = "Linux User Account Creation"
 risk_score = 21
 rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
index 048c4ec13..190c0c6e9 100644
--- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml
+++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml
@@ -20,7 +20,7 @@ name = "Linux User Added to Privileged Group"
 risk_score = 47
 rule_id = "43d6ec12-2b1c-47b5-8f35-e9de65551d3b"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 query = '''
diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml
index 1590b6bd4..5b6867233 100644
--- a/rules/linux/persistence_message_of_the_day_creation.toml
+++ b/rules/linux/persistence_message_of_the_day_creation.toml
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "96d11d31-9a79-480f-8401-da28b194608f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 type = "new_terms"
 
 query = '''
diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml
index 4d9fa68ca..28c2e3524 100644
--- a/rules/linux/persistence_message_of_the_day_execution.toml
+++ b/rules/linux/persistence_message_of_the_day_execution.toml
@@ -27,7 +27,7 @@ references = [
 risk_score = 73
 rule_id = "4ec47004-b34a-42e6-8003-376a123ea447"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml
index b419378c7..3e007149e 100644
--- a/rules/linux/persistence_rc_script_creation.toml
+++ b/rules/linux/persistence_rc_script_creation.toml
@@ -30,7 +30,7 @@ references = [
 risk_score = 47
 rule_id = "0f4d35e4-925e-4959-ab24-911be207ee6f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 type = "new_terms"
 
 query = '''
diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml
index 87a5df263..5554e6077 100644
--- a/rules/linux/persistence_shared_object_creation.toml
+++ b/rules/linux/persistence_shared_object_creation.toml
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "aebaa51f-2a91-4f6a-850b-b601db2293f4"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml
index 37b1ac28a..6bac9f0b1 100644
--- a/rules/linux/persistence_systemd_scheduled_timer_created.toml
+++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml
@@ -26,7 +26,7 @@ references = [
 risk_score = 21
 rule_id = "7fb500fa-8e24-4bd1-9480-2a819352602c"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml
index dfe85e37b..32660fb56 100644
--- a/rules/linux/persistence_systemd_service_creation.toml
+++ b/rules/linux/persistence_systemd_service_creation.toml
@@ -26,7 +26,7 @@ references = [
 risk_score = 47
 rule_id = "17b0a495-4d9f-414c-8ad0-92f018b8e001"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence", "Privilege Escalation", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
index 6c7d2d475..74a69ddc2 100644
--- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
+++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
 risk_score = 47
 rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
index 79d8776f9..7b0057029 100644
--- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
+++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://seclists.org/oss-sec/2022/q1/80", "https://haxx.in/files/
 risk_score = 73
 rule_id = "8da41fc9-7735-4b24-9cc6-c78dfc9fc9c9"
 severity = "high"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml
index de190da0d..ca073a26c 100644
--- a/rules/linux/privilege_escalation_shadow_file_read.toml
+++ b/rules/linux/privilege_escalation_shadow_file_read.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/01"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-t
 risk_score = 47
 rule_id = "9a3a3689-8ed1-4cdb-83fb-9506db54c61f"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
index 3b9902dae..44077b2c1 100644
--- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
+++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "d00f33e7-b57d-4023-9952-2db91b1767c4"
 severity = "medium"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
index a7e9eedcd..3ed437d91 100644
--- a/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
+++ b/rules/macos/credential_access_access_to_browser_credentials_procargs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://securelist.com/calisto-trojan-for-macos/86543/"]
 risk_score = 73
 rule_id = "20457e4f-d1de-4b92-ae69-142e27a4342a"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/credential_access_credentials_keychains.toml b/rules/macos/credential_access_credentials_keychains.toml
index 2f1aaebad..d0002a983 100644
--- a/rules/macos/credential_access_credentials_keychains.toml
+++ b/rules/macos/credential_access_credentials_keychains.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 73
 rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
index d41ca30f8..b075ed59f 100644
--- a/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
+++ b/rules/macos/credential_access_dumping_hashes_bi_cmds.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 73
 rule_id = "02ea4563-ec10-4974-b7de-12e65aa4f9b3"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/credential_access_dumping_keychain_security.toml b/rules/macos/credential_access_dumping_keychain_security.toml
index 85d09b4bf..f1530bc54 100644
--- a/rules/macos/credential_access_dumping_keychain_security.toml
+++ b/rules/macos/credential_access_dumping_keychain_security.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://ss64.com/osx/security.html"]
 risk_score = 73
 rule_id = "565d6ca5-75ba-4c82-9b13-add25353471c"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/credential_access_kerberosdump_kcc.toml b/rules/macos/credential_access_kerberosdump_kcc.toml
index ace073d9f..3c036ec21 100644
--- a/rules/macos/credential_access_kerberosdump_kcc.toml
+++ b/rules/macos/credential_access_kerberosdump_kcc.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 73
 rule_id = "ad88231f-e2ab-491c-8fc6-64746da26cfe"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
index fde2a36d0..37df0cf25 100644
--- a/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
+++ b/rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 73
 rule_id = "9092cd6c-650f-4fa3-8a8a-28256c7489c9"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/credential_access_mitm_localhost_webproxy.toml b/rules/macos/credential_access_mitm_localhost_webproxy.toml
index 872f7158e..2dd508c05 100644
--- a/rules/macos/credential_access_mitm_localhost_webproxy.toml
+++ b/rules/macos/credential_access_mitm_localhost_webproxy.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "10a500bb-a28f-418e-ba29-ca4c8d1a9f2f"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
index 642a62a88..682ffaede 100644
--- a/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
+++ b/rules/macos/credential_access_potential_macos_ssh_bruteforce.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://themittenmac.com/detecting-ssh-activity-via-process-monit
 risk_score = 47
 rule_id = "ace1e989-a541-44df-93a8-a8b0591b63c0"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 type = "threshold"
 
 query = '''
diff --git a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
index a404e86cc..f0cbe5205 100644
--- a/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
+++ b/rules/macos/credential_access_promt_for_pwd_via_osascript.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "38948d29-3d5d-42e3-8aec-be832aaaf8eb"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/credential_access_systemkey_dumping.toml b/rules/macos/credential_access_systemkey_dumping.toml
index 73ab18fb6..b3c02ca10 100644
--- a/rules/macos/credential_access_systemkey_dumping.toml
+++ b/rules/macos/credential_access_systemkey_dumping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://github.com/AlessandroZ/LaZagne/blob/master/Mac/lazagne/so
 risk_score = 73
 rule_id = "d75991f2-b989-419d-b797-ac1e54ec2d61"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/defense_evasion_apple_softupdates_modification.toml b/rules/macos/defense_evasion_apple_softupdates_modification.toml
index 69ba7f1d4..e48eed32d 100644
--- a/rules/macos/defense_evasion_apple_softupdates_modification.toml
+++ b/rules/macos/defense_evasion_apple_softupdates_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-mon
 risk_score = 47
 rule_id = "f683dcdf-a018-4801-b066-193d4ae6c8e5"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
index 9ec1463be..f9861b430 100644
--- a/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
+++ b/rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "f0b48bbc-549e-4bcf-8ee0-a7a72586c6a7"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
index 406470e80..53fc4bea1 100644
--- a/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
+++ b/rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "4da13d6e-904f-4636-81d8-6ab14b4e6ae9"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/defense_evasion_install_root_certificate.toml b/rules/macos/defense_evasion_install_root_certificate.toml
index 3e5071eb5..e048367a2 100644
--- a/rules/macos/defense_evasion_install_root_certificate.toml
+++ b/rules/macos/defense_evasion_install_root_certificate.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = ["https://ss64.com/osx/security-cert.html"]
 risk_score = 47
 rule_id = "bc1eeacf-2972-434f-b782-3a532b100d67"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/defense_evasion_modify_environment_launchctl.toml b/rules/macos/defense_evasion_modify_environment_launchctl.toml
index b5cf69d66..3cdf8e1b7 100644
--- a/rules/macos/defense_evasion_modify_environment_launchctl.toml
+++ b/rules/macos/defense_evasion_modify_environment_launchctl.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "7453e19e-3dbf-4e4e-9ae0-33d6c6ed15e1"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
index f5b45a616..c2999880f 100644
--- a/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
+++ b/rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 47
 rule_id = "eea82229-b002-470e-a9e1-00be38b14d32"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
index 7b889e155..d1668608e 100644
--- a/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
+++ b/rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "c02c8b9f-5e1d-463c-a1b0-04edcdfe1a3d"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/defense_evasion_safari_config_change.toml b/rules/macos/defense_evasion_safari_config_change.toml
index de8f67592..1003829f5 100644
--- a/rules/macos/defense_evasion_safari_config_change.toml
+++ b/rules/macos/defense_evasion_safari_config_change.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://objectivebythesea.com/v2/talks/OBTS_v2_Zohar.pdf"]
 risk_score = 47
 rule_id = "6482255d-f468-45ea-a5b3-d3a7de1331ae"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
index 742ae3a5f..3400980fc 100644
--- a/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
+++ b/rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = [
 risk_score = 73
 rule_id = "d22a85c6-d2ad-4cc4-bf7b-54787473669a"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
index e9e3a497a..0c02a8bd4 100644
--- a/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
+++ b/rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://theevilbit.github.io/posts/cve_2020_9771/"]
 risk_score = 73
 rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion", "CVE_2020_9771"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
index 0cb1d180e..8c5e8526d 100644
--- a/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
+++ b/rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ name = "Attempt to Unload Elastic Endpoint Security Kernel Extension"
 risk_score = 73
 rule_id = "70fa1af4-27fd-4f26-bd03-50b6af6b9e24"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/discovery_users_domain_built_in_commands.toml b/rules/macos/discovery_users_domain_built_in_commands.toml
index 0cd8ff516..a8d17d37f 100644
--- a/rules/macos/discovery_users_domain_built_in_commands.toml
+++ b/rules/macos/discovery_users_domain_built_in_commands.toml
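Review bot: The retag of the mounted-APFS TCC bypass rule (rule_id b00bcd89-…) drops the `CVE_2020_9771` tag in favour of the generic `Use Case: Vulnerability`, so the CVE identifier disappears from the rule's tags and can no longer be used to pivot from a vulnerability feed or a CVE-keyed search to this detection. The only place the identifier survives in the visible hunk is the `references` URL, which most tag- or field-based searches will not match. If the new tag taxonomy has no slot for CVE identifiers, the identifier should be carried somewhere structured — a tag such as `"CVE-2020-9771"` alongside `"Use Case: Vulnerability"` if the schema permits it, or at minimum in the rule name or description, which are outside this hunk and cannot be checked here. The remaining retags in this line are pure renames and need no change.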
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "6e9b351e-a531-4bdc-b73e-7034d6eed7ff"
 severity = "low"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Discovery"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Discovery"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
index 7053ddcd0..c4f6aa3bb 100644
--- a/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
+++ b/rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "35330ba2-c859-4c98-8b7f-c19159ea0e58"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Defense Evasion", "Execution"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Execution"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
index a523e0c62..5ad017dd4 100644
--- a/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
+++ b/rules/macos/execution_initial_access_suspicious_browser_childproc.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 73
 rule_id = "080bc66a-5d56-4d1f-8071-817671716db9"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Initial Access", "Execution"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/execution_installer_package_spawned_network_event.toml b/rules/macos/execution_installer_package_spawned_network_event.toml
index 82a1917e9..55e5a464d 100644
--- a/rules/macos/execution_installer_package_spawned_network_event.toml
+++ b/rules/macos/execution_installer_package_spawned_network_event.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "99239e7d-b0d4-46e3-8609-acafcf99f68c"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Command and Control"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Command and Control"]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_script_via_automator_workflows.toml b/rules/macos/execution_script_via_automator_workflows.toml
index dc1d974fa..2e36f553f 100644
--- a/rules/macos/execution_script_via_automator_workflows.toml
+++ b/rules/macos/execution_script_via_automator_workflows.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
 risk_score = 47
 rule_id = "5d9f8cfc-0d03-443e-a167-2b0597ce0965"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution"]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
index 904bf6e58..765c0bda1 100644
--- a/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
+++ b/rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "47f76567-d58a-4fed-b32b-21f571e28910"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Command and Control", "Execution"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Command and Control", "Tactic: Execution"]
 type = "eql"
 query = '''
diff --git a/rules/macos/execution_shell_execution_via_apple_scripting.toml b/rules/macos/execution_shell_execution_via_apple_scripting.toml
index d31d72b9c..0da7b12eb 100644
--- a/rules/macos/execution_shell_execution_via_apple_scripting.toml
+++ b/rules/macos/execution_shell_execution_via_apple_scripting.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "d461fac0-43e8-49e2-85ea-3a58fe120b4f"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution"]
 type = "eql"
 query = '''
diff --git a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
index 29f9874dc..328f6d6b0 100644
--- a/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
+++ b/rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://blog.malwarebytes.com/cybercrime/2017/02/microsoft-office
 risk_score = 47
 rule_id = "66da12b1-ac83-40eb-814c-07ed1d82b7b9"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Initial Access"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Initial Access"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
index e3242ebfa..442cc4df9 100644
--- a/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
+++ b/rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://github.com/its-a-feature/bifrost"]
 risk_score = 73
 rule_id = "16904215-2c95-4ac8-bf5c-12354e047192"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Tactic: Lateral Movement"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/lateral_movement_mounting_smb_share.toml b/rules/macos/lateral_movement_mounting_smb_share.toml
index ae500fd7f..d2489265c 100644
--- a/rules/macos/lateral_movement_mounting_smb_share.toml
+++ b/rules/macos/lateral_movement_mounting_smb_share.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://www.freebsd.org/cgi/man.cgi?mount_smbfs", "https://ss64.c
 risk_score = 21
 rule_id = "661545b4-1a90-4f45-85ce-2ebd7c6a15d0"
 severity = "low"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
index 355f6ed95..73212d197 100644
--- a/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
+++ b/rules/macos/lateral_movement_remote_ssh_login_enabled.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = [
 risk_score = 47
 rule_id = "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/lateral_movement_vpn_connection_attempt.toml b/rules/macos/lateral_movement_vpn_connection_attempt.toml
index 4bac49ec9..68dbbe65a 100644
--- a/rules/macos/lateral_movement_vpn_connection_attempt.toml
+++ b/rules/macos/lateral_movement_vpn_connection_attempt.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 21
 rule_id = "15dacaa0-5b90-466b-acab-63435a59701a"
 severity = "low"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_account_creation_hide_at_logon.toml b/rules/macos/persistence_account_creation_hide_at_logon.toml
index 91637f90a..b59b6d204 100644
--- a/rules/macos/persistence_account_creation_hide_at_logon.toml
+++ b/rules/macos/persistence_account_creation_hide_at_logon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://support.apple.com/en-us/HT203998"]
 risk_score = 47
 rule_id = "41b638a1-8ab6-4f8e-86d9-466317ef2db5"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_creation_change_launch_agents_file.toml b/rules/macos/persistence_creation_change_launch_agents_file.toml
index 25a9794e9..195dc06dd 100644
--- a/rules/macos/persistence_creation_change_launch_agents_file.toml
+++ b/rules/macos/persistence_creation_change_launch_agents_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 21
 rule_id = "082e3f8c-6f80-485c-91eb-5b112cb79b28"
 severity = "low"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_creation_hidden_login_item_osascript.toml b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
index 08a0bd51f..f7005d673 100644
--- a/rules/macos/persistence_creation_hidden_login_item_osascript.toml
+++ b/rules/macos/persistence_creation_hidden_login_item_osascript.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "f24bcae1-8980-4b30-b5dd-f851b055c9e7"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Execution"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Execution"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
index 8c68b7350..1aaa555bf 100644
--- a/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
+++ b/rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 21
 rule_id = "9d19ece6-c20e-481a-90c5-ccca596537de"
 severity = "low"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
index 7c6c6505f..19e371650 100644
--- a/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
+++ b/rules/macos/persistence_credential_access_authorization_plugin_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "e6c98d38-633d-4b3e-9387-42112cd5ac10"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_crontab_creation.toml b/rules/macos/persistence_crontab_creation.toml
index f1e931f5e..6575216f1 100644
--- a/rules/macos/persistence_crontab_creation.toml
+++ b/rules/macos/persistence_crontab_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "530178da-92ea-43ce-94c2-8877a826783d"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
index 02f62bd67..da5566d6d 100644
--- a/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
+++ b/rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "083fa162-e790-4d85-9aeb-4fea04188adb"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_directory_services_plugins_modification.toml b/rules/macos/persistence_directory_services_plugins_modification.toml
index 541014d24..ec48631d4 100644
--- a/rules/macos/persistence_directory_services_plugins_modification.toml
+++ b/rules/macos/persistence_directory_services_plugins_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://blog.chichou.me/2019/11/21/two-macos-persistence-tricks-a
 risk_score = 47
 rule_id = "89fa6cb7-6b53-4de2-b604-648488841ab8"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_docker_shortcuts_plist_modification.toml b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
index a49e9bcee..4f466670a 100644
--- a/rules/macos/persistence_docker_shortcuts_plist_modification.toml
+++ b/rules/macos/persistence_docker_shortcuts_plist_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
 risk_score = 47
 rule_id = "c81cefcb-82b9-4408-a533-3c3df549e62d"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_emond_rules_file_creation.toml b/rules/macos/persistence_emond_rules_file_creation.toml
index 1c92f9e8c..311f521ba 100644
--- a/rules/macos/persistence_emond_rules_file_creation.toml
+++ b/rules/macos/persistence_emond_rules_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "a6bf4dd4-743e-4da8-8c03-3ebd753a6c90"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_emond_rules_process_execution.toml b/rules/macos/persistence_emond_rules_process_execution.toml
index 0c3ca76be..f678dba18 100644
--- a/rules/macos/persistence_emond_rules_process_execution.toml
+++ b/rules/macos/persistence_emond_rules_process_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://www.xorrior.com/emond-persistence/"]
 risk_score = 47
 rule_id = "3e3d15c6-1509-479a-b125-21718372157e"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_enable_root_account.toml b/rules/macos/persistence_enable_root_account.toml
index 705bf9c64..98b4222b8 100644
--- a/rules/macos/persistence_enable_root_account.toml
+++ b/rules/macos/persistence_enable_root_account.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://ss64.com/osx/dsenableroot.html"]
 risk_score = 47
 rule_id = "cc2fd2d0-ba3a-4939-b87f-2901764ed036"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
index 8760f3cb1..1c03e3128 100644
--- a/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
+++ b/rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "092b068f-84ac-485d-8a55-7dd9e006715f"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
index a8287867c..4fa2fbfe5 100644
--- a/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
+++ b/rules/macos/persistence_finder_sync_plugin_pluginkit.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "37f638ea-909d-4f94-9248-edd21e4a9906"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_folder_action_scripts_runtime.toml b/rules/macos/persistence_folder_action_scripts_runtime.toml
index 382b9eeba..e31616cca 100644
--- a/rules/macos/persistence_folder_action_scripts_runtime.toml
+++ b/rules/macos/persistence_folder_action_scripts_runtime.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://posts.specterops.io/folder-actions-for-persistence-on-mac
 risk_score = 47
 rule_id = "c292fa52-4115-408a-b897-e14f684b3cb7"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Persistence"]
 type = "eql"
 query = '''
diff --git a/rules/macos/persistence_login_logout_hooks_defaults.toml b/rules/macos/persistence_login_logout_hooks_defaults.toml
index f25aef2ea..91e6919b7 100644
--- a/rules/macos/persistence_login_logout_hooks_defaults.toml
+++ b/rules/macos/persistence_login_logout_hooks_defaults.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "5d0265bf-dea9-41a9-92ad-48a8dcd05080"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_loginwindow_plist_modification.toml b/rules/macos/persistence_loginwindow_plist_modification.toml
index 48bc130a1..31f409056 100644
--- a/rules/macos/persistence_loginwindow_plist_modification.toml
+++ b/rules/macos/persistence_loginwindow_plist_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = ["https://github.com/D00MFist/PersistentJXA/blob/master/LoginScript
 risk_score = 47
 rule_id = "ac412404-57a5-476f-858f-4e8fbb4f48d8"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
index d4ad1db2a..e498dd359 100644
--- a/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
+++ b/rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5"]
 risk_score = 21
 rule_id = "88817a33-60d3-411f-ba79-7c905d865b2a"
 severity = "low"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
index 5c1c6ae3f..ff4a62c43 100644
--- a/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
+++ b/rules/macos/persistence_periodic_tasks_file_mdofiy.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 21
 rule_id = "48ec9452-e1fd-4513-a376-10a1a26d2c83"
 severity = "low"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 6972af776..94de6900c 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ references = [
 risk_score = 47
 rule_id = "48d7f54d-c29e-4430-93a9-9db6b5892270"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/macos/persistence_screensaver_plist_file_modification.toml b/rules/macos/persistence_screensaver_plist_file_modification.toml
index a38ae8f38..ff6aea3e0 100644
--- a/rules/macos/persistence_screensaver_plist_file_modification.toml
+++ b/rules/macos/persistence_screensaver_plist_file_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 47
 rule_id = "e6e8912f-283f-4d0d-8442-e0dcaf49944b"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/persistence_suspicious_calendar_modification.toml b/rules/macos/persistence_suspicious_calendar_modification.toml
index ddccd67ae..303856d73 100644
--- a/rules/macos/persistence_suspicious_calendar_modification.toml
+++ b/rules/macos/persistence_suspicious_calendar_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = [
 risk_score = 47
 rule_id = "cb71aa62-55c8-42f0-b0dd-afb0bb0b1f51"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/persistence_via_atom_init_file_modification.toml b/rules/macos/persistence_via_atom_init_file_modification.toml
index c51fa7c4b..2923b645c 100644
--- a/rules/macos/persistence_via_atom_init_file_modification.toml
+++ b/rules/macos/persistence_via_atom_init_file_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 21
 rule_id = "b4449455-f986-4b5a-82ed-e36b129331f7"
 severity = "low"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
index ef8121471..384565270 100644
--- a/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
+++ b/rules/macos/privilege_escalation_applescript_with_admin_privs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://discussions.apple.com/thread/2266150"]
 risk_score = 47
 rule_id = "827f8d8f-4117-4ae4-b551-f56d54b9da6b"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
index 7160b85e2..cf3cc7ee6 100644
--- a/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
+++ b/rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "f0eb70e9-71e9-40cd-813f-bf8e8c812cb1"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Execution", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
index 029802577..09346426e 100644
--- a/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
+++ b/rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,14 +26,11 @@ risk_score = 73
 rule_id = "f85ce03f-d8a8-4c83-acdc-5c8cd0592be7"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "macOS",
- "Threat Detection",
- "Privilege Escalation",
- "CVE-2020-9615",
- "CVE-2020-9614",
- "CVE-2020-9613",
+ "Domain: Endpoint",
+ "OS: macOS",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Use Case: Vulnerability"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/macos/privilege_escalation_local_user_added_to_admin.toml b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
index a77ec46a8..05f425c19 100644
--- a/rules/macos/privilege_escalation_local_user_added_to_admin.toml
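Review bot: The `tags` rewrite in `privilege_escalation_exploit_adobe_acrobat_updater.toml` removes the three CVE identifiers (`CVE-2020-9615`, `CVE-2020-9614`, `CVE-2020-9613`) and replaces them with the generic `Use Case: Vulnerability`, so unless those identifiers survive in the rule's `references` or description (outside this hunk) the rule loses its only machine-searchable link to the vulnerabilities it was written for, which is what analysts and vulnerability-management tooling filter alerts on. If the new taxonomy has no per-CVE tag form, the identifiers should be kept somewhere queryable in the rule and the PR description should say where. As a point of style, `"Use Case: Vulnerability"` is the only entry in the new multi-line list without a trailing comma, unlike the lines it replaces; TOML accepts it, but a trailing comma keeps future additions to a one-line diff.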
+++ b/rules/macos/privilege_escalation_local_user_added_to_admin.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://managingosx.wordpress.com/2010/01/14/add-a-user-to-the-ad
 risk_score = 47
 rule_id = "565c2b44-7a21-4818-955f-8d4737967d2e"
 severity = "medium"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/macos/privilege_escalation_root_crontab_filemod.toml b/rules/macos/privilege_escalation_root_crontab_filemod.toml
index 1d5ed5594..74431a892 100644
--- a/rules/macos/privilege_escalation_root_crontab_filemod.toml
+++ b/rules/macos/privilege_escalation_root_crontab_filemod.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 73
 rule_id = "0ff84c42-873d-41a2-a4ed-08d74d352d01"
 severity = "high"
-tags = ["Elastic", "Host", "macOS", "Threat Detection", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
index dd9e89dc1..8c6044884 100644
--- a/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 anomaly_threshold = 50
@@ -29,7 +29,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f66-07827ac3bdd9"
 severity = "low"
-tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", "Command and Control"]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
index dcfe4f7f8..b6604a9e4 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 anomaly_threshold = 50
@@ -32,7 +32,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "746edc4c-c54c-49c6-97a1-651223819448"
 severity = "low"
-tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", "Command and Control"]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
index 9883058e1..8a1f8a970 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
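Review bot: The new `tags` line in `command_and_control_ml_packetbeat_dns_tunneling.toml` drops the old `Network` data-domain tag with no replacement, whereas the endpoint rules in this diff map `Host` to `Domain: Endpoint`; the same applies to `command_and_control_ml_packetbeat_rare_dns_question.toml`, `command_and_control_ml_packetbeat_rare_urls.toml` and `command_and_control_ml_packetbeat_rare_user_agent.toml`. After this change nothing in `tags` records that these four rules depend on network (packetbeat) data, so a domain-based filter in the rule management UI will no longer select them alongside the other network rules. If the taxonomy has a network-domain counterpart of `Domain: Endpoint`, it belongs in these four lists; if it deliberately has none, that decision is worth a sentence in the PR description. The rest of the hunk is metadata only.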
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 anomaly_threshold = 50
@@ -35,7 +35,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8f55-07827ac3acc9"
 severity = "low"
-tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", "Command and Control"]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
index fe8345c72..535ec4df8 100644
--- a/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
+++ b/rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 anomaly_threshold = 50
@@ -33,7 +33,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "91f02f01-969f-4167-8d77-07827ac4cee0"
 severity = "low"
-tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", "Command and Control"]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Command and Control"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
index 8d666c870..fe67011bb 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -59,7 +59,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "99dcf974-6587-4f65-9252-d866a3fdfd9c"
 severity = "low"
-tags = ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Credential Access"]
+tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Resources: Investigation Guide"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
index 28231abd1..5ff295ae4 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -27,7 +27,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "d7d5c059-c19a-4a96-8ae3-41496ef3bcf9"
 severity = "low"
-tags = ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Credential Access"]
+tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
index 500036f0b..3239c4169 100644
--- a/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
+++ b/rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -52,7 +52,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "e26aed74-c816-40d3-a810-48d6fbd8b2fd"
 severity = "low"
-tags = ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Credential Access", "Defense Evasion"]
+tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
index 4b2e6b13b..840a6e9bb 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -26,7 +26,7 @@ name = "Unusual Linux Process Calling the Metadata Service"
 risk_score = 21
 rule_id = "9d302377-d226-4e12-b54c-1906b5aec4f6"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
index d3b61b3cb..067f3c66f 100644
--- a/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -26,7 +26,7 @@ name = "Unusual Linux User Calling the Metadata Service"
 risk_score = 21
 rule_id = "1faec04b-d902-4f89-8aff-92cd9043c16f"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/credential_access_ml_suspicious_login_activity.toml b/rules/ml/credential_access_ml_suspicious_login_activity.toml
index a5c60af9f..6c2d56fc7 100644
--- a/rules/ml/credential_access_ml_suspicious_login_activity.toml
+++ b/rules/ml/credential_access_ml_suspicious_login_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -24,7 +24,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "4330272b-9724-4bc6-a3ca-f1532b81e5c2"
 severity = "low"
-tags = ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Credential Access"]
+tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
index bb2175614..144f87ae7 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -26,7 +26,7 @@ name = "Unusual Windows Process Calling the Metadata Service"
 risk_score = 21
 rule_id = "abae61a8-c560-4dbd-acca-1e1438bff36b"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
index 9696d8eed..3594d5bc0 100644
--- a/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
+++ b/rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/22"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -26,7 +26,7 @@ name = "Unusual Windows User Calling the Metadata Service"
 risk_score = 21
 rule_id = "df197323-72a8-46a9-a08e-3f5b04a4a97a"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Credential Access"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/discovery_ml_linux_system_information_discovery.toml b/rules/ml/discovery_ml_linux_system_information_discovery.toml
index 6df09f483..907ebfd13 100644
--- a/rules/ml/discovery_ml_linux_system_information_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_information_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -28,7 +28,7 @@ name = "Unusual Linux System Information Discovery Activity"
 risk_score = 21
 rule_id = "d4af3a06-1e0a-48ec-b96a-faf2309fae46"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
index 51987adea..b17481a08 100644
--- a/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/03"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/24"
+updated_date = "2023/06/22"
 
 [rule]
 anomaly_threshold = 25
@@ -28,7 +28,7 @@ name = "Unusual Linux Network Configuration Discovery"
 risk_score = 21
 rule_id = "f9590f47-6bd5-4a49-bd49-a2f886476fb9"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
index 54e514dda..78dd2101b 100644
--- a/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -28,7 +28,7 @@ name = "Unusual Linux Network Connection Discovery"
 risk_score = 21
 rule_id = "c28c4d8c-f014-40ef-88b6-79a1d67cd499"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/discovery_ml_linux_system_process_discovery.toml b/rules/ml/discovery_ml_linux_system_process_discovery.toml
index 031aa72dc..7d5cc31b4 100644
--- a/rules/ml/discovery_ml_linux_system_process_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_process_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -28,7 +28,7 @@ name = "Unusual Linux Process Discovery Activity"
 risk_score = 21
 rule_id = "5c983105-4681-46c3-9890-0c66d05e776b"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/discovery_ml_linux_system_user_discovery.toml b/rules/ml/discovery_ml_linux_system_user_discovery.toml
index bbaa0ce25..6c6dd7f8f 100644
--- a/rules/ml/discovery_ml_linux_system_user_discovery.toml
+++ b/rules/ml/discovery_ml_linux_system_user_discovery.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2023/04/24"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -28,7 +28,7 @@ name = "Unusual Linux User Discovery Activity"
 risk_score = 21
 rule_id = "59756272-1998-4b8c-be14-e287035c4d10"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Discovery"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Discovery"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/execution_ml_windows_anomalous_script.toml b/rules/ml/execution_ml_windows_anomalous_script.toml
index ca93170d0..cb71b9e52 100644
--- a/rules/ml/execution_ml_windows_anomalous_script.toml
+++ b/rules/ml/execution_ml_windows_anomalous_script.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -29,7 +29,7 @@ references = [
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d60-fc0fa58337b6"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Execution"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Execution"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
index 009b08d75..ca7fca546 100644
--- a/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -46,7 +46,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "745b0119-0560-43ba-860a-7235dd8cee8d"
 severity = "low"
-tags = ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Initial Access"]
+tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
index 6c50a25ef..7b80e48e6 100644
--- a/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
+++ b/rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -24,7 +24,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "d4b73fa0-9d43-465e-b8bf-50230da6718b"
 severity = "low"
-tags = ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Initial Access"]
+tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/initial_access_ml_auth_rare_user_logon.toml b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
index 6a458db97..6595b4e46 100644
--- a/rules/ml/initial_access_ml_auth_rare_user_logon.toml
+++ b/rules/ml/initial_access_ml_auth_rare_user_logon.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/06/10"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -53,7 +53,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "138c5dd5-838b-446e-b1ac-c995c7f8108a"
 severity = "low"
-tags = ["Elastic", "Authentication", "Threat Detection", "ML", "Machine Learning", "Initial Access"]
+tags = ["Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access", "Resources: Investigation Guide"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
index fe32409ec..d6ae498c1 100644
--- a/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_linux_anomalous_user_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -40,7 +40,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "b347b919-665f-4aac-b9e8-68369bf2340c"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Initial Access"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
index 08a327623..d7fabf32b 100644
--- a/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
+++ b/rules/ml/initial_access_ml_windows_anomalous_user_name.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -41,7 +41,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9c59-fc0fa58336a5"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Initial Access"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
index 463392561..b5b3997b0 100644
--- a/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
+++ b/rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -34,7 +34,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9e93-fc0fa69550c9"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Initial Access"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Initial Access"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/ml_high_count_network_denies.toml b/rules/ml/ml_high_count_network_denies.toml
index 65e9d0227..ef0fe996f 100644
--- a/rules/ml/ml_high_count_network_denies.toml
+++ b/rules/ml/ml_high_count_network_denies.toml
@@ -3,7 +3,7 @@ creation_date = "2021/04/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 anomaly_threshold = 75
@@ -31,5 +31,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "eaa77d63-9679-4ce3-be25-3ba8b795e5fa"
 severity = "low"
-tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", ]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
 type = "machine_learning"
diff --git a/rules/ml/ml_high_count_network_events.toml b/rules/ml/ml_high_count_network_events.toml
index a87679ba9..586a13ca5 100644
--- a/rules/ml/ml_high_count_network_events.toml
+++ b/rules/ml/ml_high_count_network_events.toml
@@ -3,7 +3,7 @@ creation_date = "2021/04/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 anomaly_threshold = 75
@@ -31,5 +31,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "b240bfb8-26b7-4e5e-924e-218144a3fa71"
 severity = "low"
-tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", ]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
 type = "machine_learning"
diff --git a/rules/ml/ml_linux_anomalous_network_activity.toml b/rules/ml/ml_linux_anomalous_network_activity.toml
index 681c97eb6..57cceb316 100644
--- a/rules/ml/ml_linux_anomalous_network_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -33,6 +33,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "52afbdc5-db15-485e-bc24-f5707f820c4b"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", ]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
 type = "machine_learning"
 
diff --git a/rules/ml/ml_linux_anomalous_network_port_activity.toml b/rules/ml/ml_linux_anomalous_network_port_activity.toml
index f1daac558..f31032bb0 100644
--- a/rules/ml/ml_linux_anomalous_network_port_activity.toml
+++ b/rules/ml/ml_linux_anomalous_network_port_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -23,6 +23,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "3c7e32e6-6104-46d9-a06e-da0f8b5795a0"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", ]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
 type = "machine_learning"
 
diff --git a/rules/ml/ml_packetbeat_rare_server_domain.toml b/rules/ml/ml_packetbeat_rare_server_domain.toml
index ba2766bcf..281b50b98 100644
--- a/rules/ml/ml_packetbeat_rare_server_domain.toml
+++ b/rules/ml/ml_packetbeat_rare_server_domain.toml
@@ -3,7 +3,7 @@ creation_date = "2020/03/25"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 anomaly_threshold = 50
@@ -32,6 +32,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "17e68559-b274-4948-ad0b-f8415bb31126"
 severity = "low"
-tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", ]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
 type = "machine_learning"
 
diff --git a/rules/ml/ml_rare_destination_country.toml b/rules/ml/ml_rare_destination_country.toml
index c4ee8fe0f..fb78f53cc 100644
--- a/rules/ml/ml_rare_destination_country.toml
+++ b/rules/ml/ml_rare_destination_country.toml
@@ -3,7 +3,7 @@ creation_date = "2021/04/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 anomaly_threshold = 75
@@ -36,5 +36,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "35f86980-1fb1-4dff-b311-3be941549c8d"
 severity = "low"
-tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", ]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
 type = "machine_learning"
diff --git a/rules/ml/ml_spike_in_traffic_to_a_country.toml b/rules/ml/ml_spike_in_traffic_to_a_country.toml
index c2474db01..30e06c92a 100644
--- a/rules/ml/ml_spike_in_traffic_to_a_country.toml
+++ b/rules/ml/ml_spike_in_traffic_to_a_country.toml
@@ -3,7 +3,7 @@ creation_date = "2021/04/05"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 anomaly_threshold = 75
@@ -69,5 +69,5 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "c7db5533-ca2a-41f6-a8b0-ee98abe0f573"
 severity = "low"
-tags = ["Elastic", "Network", "Threat Detection", "ML", "Machine Learning", ]
+tags = ["Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
 type = "machine_learning"
diff --git a/rules/ml/ml_windows_anomalous_network_activity.toml b/rules/ml/ml_windows_anomalous_network_activity.toml
index 2d7b49eac..13adcd989 100644
--- a/rules/ml/ml_windows_anomalous_network_activity.toml
+++ b/rules/ml/ml_windows_anomalous_network_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -36,6 +36,6 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "ba342eb2-583c-439f-b04d-1fdd7c1417cc"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", ]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", ]
 type = "machine_learning"
 
diff --git a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
index cbc568061..d432c97b9 100644
--- a/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -65,7 +65,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "647fc812-7996-4795-8869-9c4ea595fe88"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Persistence"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/persistence_ml_rare_process_by_host_linux.toml b/rules/ml/persistence_ml_rare_process_by_host_linux.toml
index 051e78948..d2e156a9b 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_linux.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_linux.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -65,7 +65,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "46f804f5-b289-43d6-a881-9387cf594f75"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Persistence"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/persistence_ml_rare_process_by_host_windows.toml b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
index 9f82526f9..fd95220d8 100644
--- a/rules/ml/persistence_ml_rare_process_by_host_windows.toml
+++ b/rules/ml/persistence_ml_rare_process_by_host_windows.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -106,7 +106,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "6d448b96-c922-4adb-b51c-b767f1ea5b76"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
index 05aba4591..8359c61e3 100644
--- a/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_path_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -30,7 +30,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "445a342e-03fb-42d0-8656-0367eb2dead5"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence", "Execution"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
index aca7f3feb..f3ab471ea 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -115,7 +115,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "6e40d56f-5c0e-4ac6-aece-bee96645b172"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence", "Execution"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Tactic: Execution"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
index aea5bace6..48f3ffe2d 100644
--- a/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_process_creation.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -118,7 +118,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence", "Resources: Investigation Guide"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/persistence_ml_windows_anomalous_service.toml b/rules/ml/persistence_ml_windows_anomalous_service.toml
index 0e056ee15..131dd0754 100644
--- a/rules/ml/persistence_ml_windows_anomalous_service.toml
+++ b/rules/ml/persistence_ml_windows_anomalous_service.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -28,7 +28,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9c71-fc0fa58338c7"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Persistence"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Persistence"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
index 4544e1999..eb0f58161 100644
--- a/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
+++ b/rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -26,7 +26,7 @@ name = "Unusual Sudo Activity"
 risk_score = 21
 rule_id = "1e9fc667-9ff1-4b33-9f40-fefca8537eb0"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"]
 type = "machine_learning"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
diff --git a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
index 5bee403d4..443c2340f 100644
--- a/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
+++ b/rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/03/25"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -28,7 +28,7 @@ references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs
 risk_score = 21
 rule_id = "1781d055-5c66-4adf-9d82-fc0fa58449c8"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "ML", "Machine Learning", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Privilege Escalation"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
index 116f541af..10f43cbc1 100644
--- a/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
+++ b/rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/03"
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -27,7 +27,7 @@ name = "Anomalous Linux Compiler Activity"
 risk_score = 21
 rule_id = "cd66a419-9b3f-4f57-8ff8-ac4cd2d5f530"
 severity = "low"
-tags = ["Elastic", "Host", "Linux", "Threat Detection", "ML", "Machine Learning", "Resource Development"]
+tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Rule Type: ML", "Rule Type: Machine Learning", "Tactic: Resource Development"]
 type = "machine_learning"
 
 [[rule.threat]]
diff --git a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
index 658d5ad8c..3f9873c49 100644
--- a/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
+++ b/rules/network/command_and_control_accepted_default_telnet_port_connection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,14 +32,12 @@ risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Network",
- "Threat Detection",
- "Command and Control",
- "Host",
- "Lateral Movement",
- "Initial Access",
+ "Domain: Endpoint",
+
+ "Use Case: Threat Detection",
+ "Tactic: Command and Control",
+ "Tactic: Lateral Movement",
+ "Tactic: Initial Access",
 ]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
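Review bot: The rewritten tags array in command_and_control_accepted_default_telnet_port_connection.toml carries an empty added line between `"Domain: Endpoint",` and `"Use Case: Threat Detection",`, exactly where the old `"Network"` entry used to sit. TOML accepts a blank line inside an array so the file still parses, but it reads as an unfinished edit: either the replacement for the network tag was never filled in or the blank line should simply be removed. If the new taxonomy has no network-domain value, drop the blank line so the array matches the compact form the other network rules in this commit use; if it does, that is the slot for it. The old array also listed `"Host"` twice and the new one collapses that to a single `"Domain: Endpoint"`, which is the right outcome and differs from the nat_traversal/port_26/rdp/vnc/rpc rules below, which keep the duplicate.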
diff --git a/rules/network/command_and_control_cobalt_strike_beacon.toml b/rules/network/command_and_control_cobalt_strike_beacon.toml
index 10e310b65..b263ebec5 100644
--- a/rules/network/command_and_control_cobalt_strike_beacon.toml
+++ b/rules/network/command_and_control_cobalt_strike_beacon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 73
 rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c"
 severity = "high"
-tags = ["Elastic", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
index ab396a84f..a7df6f7a2 100644
--- a/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
+++ b/rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 99
 rule_id = "e7075e8d-a966-458e-a183-85cd331af255"
 severity = "critical"
-tags = ["Command and Control", "Post-Execution", "Threat Detection", "Elastic", "Network", "Host"]
+tags = ["Tactic: Command and Control", "Threat: Cobalt Strike", "Use Case: Threat Detection", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_download_rar_powershell_from_internet.toml b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
index 0f0a8973c..ee28e0f59 100644
--- a/rules/network/command_and_control_download_rar_powershell_from_internet.toml
+++ b/rules/network/command_and_control_download_rar_powershell_from_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ references = [
 risk_score = 47
 rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92"
 severity = "medium"
-tags = ["Elastic", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_fin7_c2_behavior.toml b/rules/network/command_and_control_fin7_c2_behavior.toml
index e7418a06a..a2eca9823 100644
--- a/rules/network/command_and_control_fin7_c2_behavior.toml
+++ b/rules/network/command_and_control_fin7_c2_behavior.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 73
 rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3"
 severity = "high"
-tags = ["Elastic", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_halfbaked_beacon.toml b/rules/network/command_and_control_halfbaked_beacon.toml
index 0d6bb6db8..a07f1b473 100644
--- a/rules/network/command_and_control_halfbaked_beacon.toml
+++ b/rules/network/command_and_control_halfbaked_beacon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 73
 rule_id = "2e580225-2a58-48ef-938b-572933be06fe"
 severity = "high"
-tags = ["Elastic", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = ["Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_nat_traversal_port_activity.toml b/rules/network/command_and_control_nat_traversal_port_activity.toml
index e724e679a..abca787bf 100644
--- a/rules/network/command_and_control_nat_traversal_port_activity.toml
+++ b/rules/network/command_and_control_nat_traversal_port_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ name = "IPSEC NAT Traversal Port Activity"
 risk_score = 21
 rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
 severity = "low"
-tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
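Review bot: `"Domain: Endpoint"` appears twice in the new tags line of command_and_control_nat_traversal_port_activity.toml because both the leading and the trailing `"Host"` of the old array were mapped to the same new value; the migration should collapse them, `tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control"]`. The same duplicate is introduced in command_and_control_port_26_activity.toml, command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml, both command_and_control_vnc_virtual_network_computing_*_the_internet.toml files and initial_access_rpc_remote_procedure_call_from_the_internet.toml. A repeated tag parses fine but shows up twice wherever tags are listed or filtered, and a schema or tag-validation step in the repo, if one exists, may reject it. In every one of these rules the old `"Network"` tag is dropped with no replacement, unlike the endpoint/OS tags which were all mapped; if the new taxonomy has a network-domain value this is where it belongs, and if it does not, the duplicate slot should simply go.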
diff --git a/rules/network/command_and_control_port_26_activity.toml b/rules/network/command_and_control_port_26_activity.toml
index 5a450f359..ffc9bbe40 100644
--- a/rules/network/command_and_control_port_26_activity.toml
+++ b/rules/network/command_and_control_port_26_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 21
 rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
 severity = "low"
-tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
index 87290ed28..4ce6a4dc5 100644
--- a/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
+++ b/rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
 severity = "medium"
-tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
index 96f044550..6156260d3 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
 severity = "high"
-tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
index 13c3dbaaa..067d07809 100644
--- a/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
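Review bot: The RDP-from-the-internet rule ends up with `"Domain: Endpoint"` listed twice on the new side, mirroring the doubled "Host" in the removed line. The intended list is `tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control"]`. Note also that the adjacent `timeline_title = "Comprehensive Network Timeline"` still says "Network" while the tag that used to carry that word is gone, so anyone reconciling tags against timelines will have to know the rename.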
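Review bot: The VNC-from-the-internet tag list repeats `"Domain: Endpoint"` at both ends, the same mechanical duplication seen in the other rules/network files of this commit. It should be `tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control"]`. The duplicate is worth removing now so the new taxonomy starts clean.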
+++ b/rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 47
 rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
 severity = "medium"
-tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
index d0827d9b4..d3c3cde8a 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
 severity = "high"
-tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access", "Host"]
+tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
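Review bot: The VNC-to-the-internet rule's new tag list duplicates `"Domain: Endpoint"`, first and last, because both "Host" entries of the old list were translated. Collapse it to `tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Command and Control"]`. The same fix applies to its from-the-internet sibling.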
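Review bot: The RPC-from-the-internet rule also lists `"Domain: Endpoint"` twice on the added line. It should be `tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access"]`. Since this rule and its to-the-internet twin are the only Initial Access rules in this batch with the duplication, a quick grep for repeated tag strings before merging would catch both.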
diff --git a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
index baf4c7841..6603b6e26 100644
--- a/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
+++ b/rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
 severity = "high"
-tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access", "Host"]
+tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
index 8c34a4469..5425c5657 100644
--- a/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
+++ b/rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
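Review bot: The RPC-to-the-internet rule carries the same doubled `"Domain: Endpoint"` as its from-the-internet counterpart. Trim it to `tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access"]`. Nothing else in this hunk changes behaviour, so the fix is purely the tag list.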
@@ -23,7 +23,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 73
 rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
 severity = "high"
-tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access", "Host"]
+tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/initial_access_unsecure_elasticsearch_node.toml b/rules/network/initial_access_unsecure_elasticsearch_node.toml
index f47bb7034..c61905524 100644
--- a/rules/network/initial_access_unsecure_elasticsearch_node.toml
+++ b/rules/network/initial_access_unsecure_elasticsearch_node.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/12/14"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -33,7 +33,7 @@ references = [
 risk_score = 47
 rule_id = "31295df3-277b-4c56-a1fb-84e31b4222a9"
 severity = "medium"
-tags = ["Elastic", "Network", "Threat Detection", "Initial Access", "Host"]
+tags = ["Use Case: Threat Detection", "Tactic: Initial Access", "Domain: Endpoint"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/network/lateral_movement_dns_server_overflow.toml b/rules/network/lateral_movement_dns_server_overflow.toml
index 92c7d7e95..cf80f59bd 100644
--- a/rules/network/lateral_movement_dns_server_overflow.toml
+++ b/rules/network/lateral_movement_dns_server_overflow.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/16"
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2022/11/28"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
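Review bot: The SMB-to-the-internet rule is the last of the rules/network files whose added tag line repeats `"Domain: Endpoint"` at head and tail. It should be `tags = ["Domain: Endpoint", "Use Case: Threat Detection", "Tactic: Initial Access"]`. The duplication is confined to the rules whose old list had "Host" twice, so it is the conversion, not the taxonomy, that needs the one-line correction.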
@@ -63,7 +63,7 @@ references = [ risk_score = 47 rule_id = "11013227-0301-4a8c-b150-4db924484475" severity = "medium" -tags = ["Elastic", "Network", "Threat Detection", "Lateral Movement", "Investigation Guide"] +tags = ["Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Use Case: Vulnerability"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml index 044aefadb..826c5f554 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Credential Dumping - Detected - Elastic Endgame" risk_score = 73 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" severity = "high" -tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Credential Access"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "query" query = ''' diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index effa541a4..48fd7956d 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] 
@@ -22,7 +22,7 @@ name = "Credential Dumping - Prevented - Elastic Endgame" risk_score = 47 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" severity = "medium" -tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Credential Access"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "query" query = ''' diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index 8a41014b9..77ae1de81 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Adversary Behavior - Detected - Elastic Endgame" risk_score = 47 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" severity = "medium" -tags = ["Elastic", "Elastic Endgame"] +tags = ["Data Source: Elastic Endgame"] type = "query" query = ''' diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index a2b55db32..c1e2de987 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Malware - Detected - Elastic Endgame" risk_score = 99 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" severity = "critical" -tags = ["Elastic", "Elastic Endgame"] +tags = ["Data Source: Elastic Endgame"] type = "query" query = ''' 
diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index 755938ddf..7ad01e47a 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Malware - Prevented - Elastic Endgame" risk_score = 73 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" severity = "high" -tags = ["Elastic", "Elastic Endgame"] +tags = ["Data Source: Elastic Endgame"] type = "query" query = ''' diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index 6c535477c..542dd465c 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Ransomware - Detected - Elastic Endgame" risk_score = 99 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" severity = "critical" -tags = ["Elastic", "Elastic Endgame"] +tags = ["Data Source: Elastic Endgame"] type = "query" query = ''' diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index 0baf14f7f..5cebcd0a3 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Ransomware - Prevented - Elastic Endgame" risk_score = 73 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" severity = "high" -tags = ["Elastic", "Elastic Endgame"] +tags = ["Data Source: Elastic Endgame"] type = "query" query = ''' diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index 745d0a1a9..7cfac3f6f 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,8 +22,7 @@ name = "Exploit - Detected - Elastic Endgame" risk_score = 73 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" severity = "high" -tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Execution", -"Privilege Escalation"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" query = ''' diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 561045e8d..23dea46f3 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,8 +22,7 @@ name = "Exploit - Prevented - Elastic Endgame" risk_score = 47 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" severity = "medium" -tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Execution", -"Privilege Escalation"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" query = ''' diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index a4dca41fc..356e24da0 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -3,7 +3,7 @@ creation_date = "2020/07/08" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/05" +updated_date = "2023/06/22" promotion = true [rule] @@ -21,7 +21,7 @@ risk_score = 47 rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa" rule_name_override = "message" severity = "medium" -tags = ["Elastic", "Network", "Windows", "APM", "macOS", "Linux"] +tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index c31c91ba1..a574aad47 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml 
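Review bot: The External Alerts promotion rule loses its "Network" tag and, unlike every endpoint rule in this commit, receives no domain tag at all on the new side: `tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"]`. If this rule is meant to surface third-party alerts from network sensors as well as hosts, it presumably wants whatever domain tag the new taxonomy uses for network data, or at least `"Domain: Endpoint"` for parity with the other promoted rules. If the omission is intentional, a sentence in the commit message saying so would stop the next reader from re-adding it.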
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Credential Manipulation - Detected - Elastic Endgame" risk_score = 73 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" severity = "high" -tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" query = ''' diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index 41ed7022f..5d7ac328d 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Credential Manipulation - Prevented - Elastic Endgame" risk_score = 47 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" severity = "medium" -tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" query = ''' diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index 329ba2d87..a2710d4c7 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml 
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Permission Theft - Detected - Elastic Endgame" risk_score = 73 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3" severity = "high" -tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" query = ''' diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 7cb83771d..81adad582 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Permission Theft - Prevented - Elastic Endgame" risk_score = 47 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b" severity = "medium" -tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" query = ''' diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index 1fac9d6fc..f43c9db39 100644 
--- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Process Injection - Detected - Elastic Endgame" risk_score = 73 rule_id = "80c52164-c82a-402c-9964-852533d58be1" severity = "high" -tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" query = ''' diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index 4cb6fd627..36e4e5ceb 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/31" +updated_date = "2023/06/22" promotion = true [rule] @@ -22,7 +22,7 @@ name = "Process Injection - Prevented - Elastic Endgame" risk_score = 47 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e" severity = "medium" -tags = ["Elastic", "Elastic Endgame", "Threat Detection", "Privilege Escalation"] +tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" query = ''' diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml index 5936ed883..ccd118382 100644 
--- a/rules/windows/collection_email_outlook_mailbox_via_com.toml +++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.4.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ references = [ risk_score = 47 rule_id = "1dee0500-4aeb-44ca-b24b-4a285d7b6ba1" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/collection_email_powershell_exchange_mailbox.toml b/rules/windows/collection_email_powershell_exchange_mailbox.toml index 4de8f0f29..dd2bcaf6f 100644 --- a/rules/windows/collection_email_powershell_exchange_mailbox.toml +++ b/rules/windows/collection_email_powershell_exchange_mailbox.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -70,7 +70,7 @@ references = [ risk_score = 47 rule_id = "6aace640-e631-4870-ba8e-5fdda09325db" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/collection_mailbox_export_winlog.toml b/rules/windows/collection_mailbox_export_winlog.toml index 4ed68053b..1e76a5df5 100644 --- a/rules/windows/collection_mailbox_export_winlog.toml 
+++ b/rules/windows/collection_mailbox_export_winlog.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -63,7 +63,7 @@ references = [ risk_score = 47 rule_id = "54a81f68-5f2a-421e-8eed-f888278bb712" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "PowerShell"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_audio_capture.toml b/rules/windows/collection_posh_audio_capture.toml index 25c5cf204..77cc89346 100644 --- a/rules/windows/collection_posh_audio_capture.toml +++ b/rules/windows/collection_posh_audio_capture.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -75,7 +75,7 @@ references = ["https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfilt risk_score = 47 rule_id = "2f2f4939-0b34-40c2-a0a3-844eb7889f43" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "PowerShell"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_clipboard_capture.toml b/rules/windows/collection_posh_clipboard_capture.toml index afef1c8bc..70a23a815 100644 
--- a/rules/windows/collection_posh_clipboard_capture.toml +++ b/rules/windows/collection_posh_clipboard_capture.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -80,7 +80,7 @@ references = [ risk_score = 47 rule_id = "92984446-aefb-4d5e-ad12-598042ca80ba" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "PowerShell", "Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_keylogger.toml b/rules/windows/collection_posh_keylogger.toml index 9b4215d97..89de30350 100644 --- a/rules/windows/collection_posh_keylogger.toml +++ b/rules/windows/collection_posh_keylogger.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -80,7 +80,7 @@ references = [ risk_score = 47 rule_id = "bd2c86a0-8b61-4457-ab38-96943984e889" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "PowerShell"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_mailbox.toml b/rules/windows/collection_posh_mailbox.toml index 4ec04bb57..f5cae31a9 100644 --- a/rules/windows/collection_posh_mailbox.toml 
+++ b/rules/windows/collection_posh_mailbox.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -81,7 +81,7 @@ references = [ risk_score = 47 rule_id = "a2d04374-187c-4fd9-b513-3ad4e7fdd67a" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "PowerShell", "Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Data Source: PowerShell Logs", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_posh_screen_grabber.toml b/rules/windows/collection_posh_screen_grabber.toml index 15393e8c4..fd02e08f6 100644 --- a/rules/windows/collection_posh_screen_grabber.toml +++ b/rules/windows/collection_posh_screen_grabber.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -76,7 +76,7 @@ references = ["https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphi risk_score = 47 rule_id = "959a7353-1129-4aa7-9084-30746b256a70" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "PowerShell"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: PowerShell Logs"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/collection_winrar_encryption.toml b/rules/windows/collection_winrar_encryption.toml index 245955fdf..3dba39138 100644 --- a/rules/windows/collection_winrar_encryption.toml 
+++ b/rules/windows/collection_winrar_encryption.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -58,7 +58,7 @@ references = ["https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-ba risk_score = 47 rule_id = "45d273fb-1dca-457d-9855-bcb302180c21" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Collection", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/command_and_control_certreq_postdata.toml b/rules/windows/command_and_control_certreq_postdata.toml index 58b39d23a..bc46bfa7a 100644 --- a/rules/windows/command_and_control_certreq_postdata.toml +++ b/rules/windows/command_and_control_certreq_postdata.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ references = ["https://lolbas-project.github.io/lolbas/Binaries/Certreq/"] risk_score = 47 rule_id = "79f0a1f7-ed6b-471c-8eb1-23abd6470b1c" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Command and Control", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/command_and_control_certutil_network_connection.toml b/rules/windows/command_and_control_certutil_network_connection.toml index 790282eb4..2d83c3f1d 100644 --- a/rules/windows/command_and_control_certutil_network_connection.toml +++ b/rules/windows/command_and_control_certutil_network_connection.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/27" +updated_date = "2023/06/22" [transform] [[transform.osquery]] @@ -101,7 +101,7 @@ references = [ risk_score = 21 rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/command_and_control_common_webservices.toml b/rules/windows/command_and_control_common_webservices.toml index 531990103..1022834c1 100644 --- a/rules/windows/command_and_control_common_webservices.toml +++ b/rules/windows/command_and_control_common_webservices.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/20" +updated_date = "2023/06/22" [transform] [[transform.osquery]] 
@@ -98,7 +98,7 @@ This rule looks for processes outside known legitimate program locations communi
 risk_score = 21
 rule_id = "66883649-f908-4a5b-a1e0-54090a1d3a32"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/command_and_control_dns_tunneling_nslookup.toml b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
index 3acfbd999..b302081a1 100644
--- a/rules/windows/command_and_control_dns_tunneling_nslookup.toml
+++ b/rules/windows/command_and_control_dns_tunneling_nslookup.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -56,13 +56,12 @@ risk_score = 47
 rule_id = "3a59fc81-99d3-47ea-8cd6-d48d561fca20"
 severity = "medium"
 tags = [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Command and Control",
-    "Investigation Guide",
-    "Elastic Endgame",
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
 ]
 type = "threshold"
 
diff --git a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
index 8b5265fa5..6789abd78 100644
--- a/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
+++ b/rules/windows/command_and_control_encrypted_channel_freesslcert.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/command_and_control_iexplore_via_com.toml b/rules/windows/command_and_control_iexplore_via_com.toml
index b4ba60b9a..1dce0093a 100644
--- a/rules/windows/command_and_control_iexplore_via_com.toml
+++ b/rules/windows/command_and_control_iexplore_via_com.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ name = "Potential Command and Control via Internet Explorer"
 risk_score = 47
 rule_id = "acd611f3-2b93-47b3-a0a3-7723bcc46f6d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/command_and_control_ingress_transfer_bits.toml b/rules/windows/command_and_control_ingress_transfer_bits.toml
index 72473be29..c707da5fc 100644
--- a/rules/windows/command_and_control_ingress_transfer_bits.toml
+++ b/rules/windows/command_and_control_ingress_transfer_bits.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://attack.mitre.org/techniques/T1197/"]
 risk_score = 21
 rule_id = "f95972d3-c23b-463b-89a8-796b3f369b49"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Command and Control"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
index 8d6693544..fd25c5601 100644
--- a/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
+++ b/rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
@@ -26,7 +26,7 @@ references = [
 risk_score = 47
 rule_id = "6e1a2cc4-d260-11ed-8829-f661ea17fbcc"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/windows/command_and_control_port_forwarding_added_registry.toml b/rules/windows/command_and_control_port_forwarding_added_registry.toml
index 223897fc8..68af4cd47 100644
--- a/rules/windows/command_and_control_port_forwarding_added_registry.toml
+++ b/rules/windows/command_and_control_port_forwarding_added_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -70,13 +70,12 @@ risk_score = 47
 rule_id = "3535c8bb-3bd5-40f4-ae32-b7cd589d5372"
 severity = "medium"
 tags = [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Command and Control",
-    "Investigation Guide",
-    "Elastic Endgame",
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_rdp_tunnel_plink.toml b/rules/windows/command_and_control_rdp_tunnel_plink.toml
index c9924f419..a7ed81962 100644
--- a/rules/windows/command_and_control_rdp_tunnel_plink.toml
+++ b/rules/windows/command_and_control_rdp_tunnel_plink.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -61,13 +61,12 @@ risk_score = 73
 rule_id = "76fd43b7-3480-4dd9-8ad7-8bd36bfad92f"
 severity = "high"
 tags = [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Command and Control",
-    "Investigation Guide",
-    "Elastic Endgame",
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
index a666a9fed..4b869245b 100644
--- a/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
+++ b/rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -107,13 +107,12 @@ risk_score = 47
 rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
 severity = "medium"
 tags = [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Command and Control",
-    "Investigation Guide",
-    "Elastic Endgame",
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
index 23c0b56f4..990ecb642 100644
--- a/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
+++ b/rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/03"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -104,13 +104,12 @@ risk_score = 47
 rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a"
 severity = "medium"
 tags = [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Command and Control",
-    "Investigation Guide",
-    "Elastic Endgame",
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/command_and_control_remote_file_copy_powershell.toml b/rules/windows/command_and_control_remote_file_copy_powershell.toml
index 7ad48cfe7..9d38a56ff 100644
--- a/rules/windows/command_and_control_remote_file_copy_powershell.toml
+++ b/rules/windows/command_and_control_remote_file_copy_powershell.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/30"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -95,7 +95,7 @@ PowerShell is one of system administrators' main tools for automation, report ro
 risk_score = 47
 rule_id = "33f306e8-417c-411b-965c-c2812d6d3f4d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/command_and_control_remote_file_copy_scripts.toml b/rules/windows/command_and_control_remote_file_copy_scripts.toml
index 7cea42d0c..41161ea54 100644
--- a/rules/windows/command_and_control_remote_file_copy_scripts.toml
+++ b/rules/windows/command_and_control_remote_file_copy_scripts.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/29"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -96,7 +96,7 @@ This rule looks for DLLs and executables downloaded using `cscript.exe` or `wscr
 risk_score = 47
 rule_id = "1d276579-3380-4095-ad38-e596a01bc64f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index e13d0867c..26121acc0 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -99,7 +99,7 @@ references = [
 risk_score = 73
 rule_id = "22599847-5d13-48cb-8872-5796fee8692b"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
index a6e1c8ed9..5214a965d 100644
--- a/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
+++ b/rules/windows/command_and_control_teamviewer_remote_file_copy.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -100,13 +100,12 @@ risk_score = 47
 rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
 severity = "medium"
 tags = [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Command and Control",
-    "Investigation Guide",
-    "Elastic Endgame",
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_bruteforce_admin_account.toml b/rules/windows/credential_access_bruteforce_admin_account.toml
index b8b850449..46aabe4b2 100644
--- a/rules/windows/credential_access_bruteforce_admin_account.toml
+++ b/rules/windows/credential_access_bruteforce_admin_account.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -101,7 +101,7 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti
 risk_score = 47
 rule_id = "f9790abf-bd0c-45f9-8b5f-d0b74015e029"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
index 074e1aa41..8d97b198d 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -105,7 +105,7 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti
 risk_score = 47
 rule_id = "4e85dc8a-3e41-40d8-bc28-91af7ac6cf60"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
index a0ada08f7..a288ce930 100644
--- a/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
+++ b/rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -110,7 +110,7 @@ references = [
 risk_score = 47
 rule_id = "48b6edfc-079d-4907-b43c-baffa243270d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/credential_access_cmdline_dump_tool.toml b/rules/windows/credential_access_cmdline_dump_tool.toml
index 7aca4042e..7bf052b05 100644
--- a/rules/windows/credential_access_cmdline_dump_tool.toml
+++ b/rules/windows/credential_access_cmdline_dump_tool.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/20"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -60,13 +60,12 @@ risk_score = 73
 rule_id = "00140285-b827-4aee-aa09-8113f58a08f3"
 severity = "high"
 tags = [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Credential Access",
-    "Investigation Guide",
-    "Elastic Endgame",
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
index 873b1d42b..1440ac6e8 100644
--- a/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
+++ b/rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 73
 rule_id = "3bc6deaa-fbd4-433a-ae21-3e892f95624f"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_credential_dumping_msbuild.toml b/rules/windows/credential_access_credential_dumping_msbuild.toml
index 65a7bc901..dcee402ee 100644
--- a/rules/windows/credential_access_credential_dumping_msbuild.toml
+++ b/rules/windows/credential_access_credential_dumping_msbuild.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/03/25"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -100,7 +100,7 @@ This rule looks for the MSBuild process loading `vaultcli.dll` or `SAMLib.DLL`,
 risk_score = 73
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
index 8a5ce12cf..c6905e711 100644
--- a/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
+++ b/rules/windows/credential_access_dcsync_newterm_subjectuser.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,7 @@ references = [
 risk_score = 73
 rule_id = "5c6f4c58-b381-452a-8976-f1b1c6aa0def"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/windows/credential_access_dcsync_replication_rights.toml b/rules/windows/credential_access_dcsync_replication_rights.toml
index f5046310a..d08f6dbdf 100644
--- a/rules/windows/credential_access_dcsync_replication_rights.toml
+++ b/rules/windows/credential_access_dcsync_replication_rights.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -86,13 +86,13 @@ risk_score = 73
 rule_id = "9f962927-1a4f-45f3-a57b-287f2c7029c1"
 severity = "high"
 tags = [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Credential Access",
-    "Active Directory",
-    "Investigation Guide",
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Active Directory",
+    "Resources: Investigation Guide",
+    "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
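Review bot: In the rebuilt `tags` array of credential_access_dcsync_replication_rights.toml the final element `"Use Case: Active Directory Monitoring"` is appended after `"Resources: Investigation Guide"` with no trailing comma, while every other multi-line `tags` array in this commit keeps a trailing comma and the sibling Active Directory rules (credential_access_dcsync_newterm_subjectuser.toml in this same span, credential_access_disable_kerberos_preauth.toml and credential_access_ldap_attributes.toml below) place that tag immediately before `"Data Source: Active Directory"`. TOML accepts the missing comma, so this is a style and consistency point rather than a parse error, but it looks like a hand edit that the repo's tag normaliser would not produce. Suggest moving the entry so the array ends `    "Use Case: Active Directory Monitoring",` followed by `    "Data Source: Active Directory",` then `    "Resources: Investigation Guide",`, matching the sibling rules.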
diff --git a/rules/windows/credential_access_disable_kerberos_preauth.toml b/rules/windows/credential_access_disable_kerberos_preauth.toml
index 721566b0c..0af7561c7 100644
--- a/rules/windows/credential_access_disable_kerberos_preauth.toml
+++ b/rules/windows/credential_access_disable_kerberos_preauth.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -70,7 +70,7 @@ references = [
 risk_score = 47
 rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "Active Directory"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
index 77b693922..93ab814c5 100644
--- a/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
+++ b/rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 73
 rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_dump_registry_hives.toml b/rules/windows/credential_access_dump_registry_hives.toml
index 577c684f0..063094044 100644
--- a/rules/windows/credential_access_dump_registry_hives.toml
+++ b/rules/windows/credential_access_dump_registry_hives.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -65,13 +65,12 @@ risk_score = 73
 rule_id = "a7e7bfa3-088e-4f13-b29e-3986e0e756b8"
 severity = "high"
 tags = [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Credential Access",
-    "Investigation Guide",
-    "Elastic Endgame",
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_generic_localdumps.toml b/rules/windows/credential_access_generic_localdumps.toml
index b47b6fc91..efb36814b 100644
--- a/rules/windows/credential_access_generic_localdumps.toml
+++ b/rules/windows/credential_access_generic_localdumps.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "220be143-5c67-4fdb-b6ce-dd6826d024fd"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
index b57caf834..99f8e9aa1 100644
--- a/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
+++ b/rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-
 risk_score = 73
 rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_iis_connectionstrings_dumping.toml b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
index 6bd5e3aec..623a27243 100644
--- a/rules/windows/credential_access_iis_connectionstrings_dumping.toml
+++ b/rules/windows/credential_access_iis_connectionstrings_dumping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 73
 rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_kerberoasting_unusual_process.toml b/rules/windows/credential_access_kerberoasting_unusual_process.toml
index fe9239f38..58dd75039 100644
--- a/rules/windows/credential_access_kerberoasting_unusual_process.toml
+++ b/rules/windows/credential_access_kerberoasting_unusual_process.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/11/02"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -108,7 +108,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "897dc6b5-b39f-432a-8d75-d3730d50c782"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_ldap_attributes.toml b/rules/windows/credential_access_ldap_attributes.toml
index 016e51f7e..b3859d46a 100644
--- a/rules/windows/credential_access_ldap_attributes.toml
+++ b/rules/windows/credential_access_ldap_attributes.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -43,7 +43,7 @@ references = [
 risk_score = 47
 rule_id = "764c9fcd-4c4c-41e6-a0c7-d6c46c2eff66"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
index 312dc9870..7e6f7f201 100644
--- a/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
+++ b/rules/windows/credential_access_lsass_handle_via_malseclogon.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-p
 risk_score = 73
 rule_id = "7ba58110-ae13-439b-8192-357b0fcfa9d7"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_lsass_loaded_susp_dll.toml b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
index 7b7547086..0b896eefc 100644
--- a/rules/windows/credential_access_lsass_loaded_susp_dll.toml
+++ b/rules/windows/credential_access_lsass_loaded_susp_dll.toml
@@ -4,7 +4,7 @@ maturity = "production"
 integration = ["endpoint"]
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "3a6001a0-0939-4bbe-86f4-47d8faeb7b97"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/credential_access_lsass_memdump_file_created.toml b/rules/windows/credential_access_lsass_memdump_file_created.toml
index 720ebf4fa..830cc02a9 100644
--- a/rules/windows/credential_access_lsass_memdump_file_created.toml
+++ b/rules/windows/credential_access_lsass_memdump_file_created.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -104,13 +104,12 @@ risk_score = 73
 rule_id = "f2f46686-6f3c-4724-bd7d-24e31c70f98f"
 severity = "high"
 tags = [
-    "Elastic",
-    "Host",
-    "Windows",
-    "Threat Detection",
-    "Credential Access",
-    "Elastic Endgame",
-    "Investigation Guide",
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Elastic Endgame",
+    "Resources: Investigation Guide",
 ]
 timeline_id = "4d4c0b59-ea83-483f-b8c1-8c360ee53c5c"
 timeline_title = "Comprehensive File Timeline"
diff --git a/rules/windows/credential_access_lsass_memdump_handle_access.toml b/rules/windows/credential_access_lsass_memdump_handle_access.toml
index 44b508141..82a20bdce 100644
--- a/rules/windows/credential_access_lsass_memdump_handle_access.toml
+++ b/rules/windows/credential_access_lsass_memdump_handle_access.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -129,7 +129,7 @@ references = [
 risk_score = 73
 rule_id = "208dbe77-01ed-4954-8d44-1e5751cb20de"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_lsass_openprocess_api.toml b/rules/windows/credential_access_lsass_openprocess_api.toml
index 3a78a013d..9343cd1b3 100644
--- a/rules/windows/credential_access_lsass_openprocess_api.toml
+++ b/rules/windows/credential_access_lsass_openprocess_api.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: Lsass access events added in Elastic Endpoint 8.7."
 min_stack_version = "8.7.0"
-updated_date = "2023/03/02"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomic
 risk_score = 47
 rule_id = "ff4599cb-409f-4910-a239-52e4e6f532ff"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
index b8cfb8edc..679ff5180 100644
--- a/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
+++ b/rules/windows/credential_access_mimikatz_memssp_default_logs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -64,13 +64,12 @@ risk_score = 73
 rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Credential Access",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index 5401e2cec..d5c164318 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -91,7 +91,7 @@ references = [
 risk_score = 73
 rule_id = "ac96ceb8-4399-4191-af1d-4feeac1f1f46"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_mod_wdigest_security_provider.toml b/rules/windows/credential_access_mod_wdigest_security_provider.toml
index 96e3299f3..781f0c335 100644
--- a/rules/windows/credential_access_mod_wdigest_security_provider.toml
+++ b/rules/windows/credential_access_mod_wdigest_security_provider.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -76,13 +76,12 @@ risk_score = 73
 rule_id = "d703a5af-d5b0-43bd-8ddb-7a5d500b7da5"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Credential Access",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_moving_registry_hive_via_smb.toml b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
index 14901d5f6..69b40e2b0 100644
--- a/rules/windows/credential_access_moving_registry_hive_via_smb.toml
+++ b/rules/windows/credential_access_moving_registry_hive_via_smb.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -57,13 +57,12 @@ risk_score = 47
 rule_id = "a4c7473a-5cb4-4bc1-9d06-e4a75adbc494"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Lateral Movement",
- "Credential Access",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
index 5792108b2..ae5043c60 100644
--- a/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
+++ b/rules/windows/credential_access_persistence_network_logon_provider_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = [
 risk_score = 47
 rule_id = "54c3d186-0461-4dc3-9b33-2dc5c7473936"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Credential Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_posh_invoke_ninjacopy.toml b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
index 9b8126f40..a83fadcde 100644
--- a/rules/windows/credential_access_posh_invoke_ninjacopy.toml
+++ b/rules/windows/credential_access_posh_invoke_ninjacopy.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
 risk_score = 47
 rule_id = "b8386923-b02c-4b94-986a-d223d9b01f88"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index fe9041c13..4cabc039c 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -80,7 +80,7 @@ references = [
 risk_score = 73
 rule_id = "577ec21e-56fe-4065-91d8-45eb8224fe77"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_posh_request_ticket.toml b/rules/windows/credential_access_posh_request_ticket.toml
index 6191ae909..bdf15d76a 100644
--- a/rules/windows/credential_access_posh_request_ticket.toml
+++ b/rules/windows/credential_access_posh_request_ticket.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -76,7 +76,7 @@ references = [
 risk_score = 47
 rule_id = "eb610e70-f9e6-4949-82b9-f1c5bcd37c39"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Investigation Guide", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
index 06d4aad1c..b7e3e8eff 100644
--- a/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
+++ b/rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://github.com/CCob/MirrorDump"]
 risk_score = 47
 rule_id = "02a4576a-7480-4284-9327-548a806b5e48"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
index 24ee1c504..f423dbe68 100644
--- a/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
+++ b/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 73
 rule_id = "4682fd2c-cfae-47ed-a543-9bed37657aa6"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_remote_sam_secretsdump.toml b/rules/windows/credential_access_remote_sam_secretsdump.toml
index 067ac93d8..e95cd00a2 100644
--- a/rules/windows/credential_access_remote_sam_secretsdump.toml
+++ b/rules/windows/credential_access_remote_sam_secretsdump.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -66,13 +66,12 @@ risk_score = 73
 rule_id = "850d901a-2a3c-46c6-8b22-55398a01aad8"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Lateral Movement",
- "Credential Access",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Lateral Movement",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
 ]
 type = "eql"
diff --git a/rules/windows/credential_access_saved_creds_vault_winlog.toml b/rules/windows/credential_access_saved_creds_vault_winlog.toml
index 728734520..f24551a31 100644
--- a/rules/windows/credential_access_saved_creds_vault_winlog.toml
+++ b/rules/windows/credential_access_saved_creds_vault_winlog.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "44fc462c-1159-4fa8-b1b7-9b6296ab4f96"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access"]
 type = "eql"
 query = '''
diff --git a/rules/windows/credential_access_saved_creds_vaultcmd.toml b/rules/windows/credential_access_saved_creds_vaultcmd.toml
index b08967846..df3400fb4 100644
--- a/rules/windows/credential_access_saved_creds_vaultcmd.toml
+++ b/rules/windows/credential_access_saved_creds_vaultcmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 47
 rule_id = "be8afaed-4bcd-4e0a-b5f9-5562003dde81"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
index 5582cbbbf..6681183be 100644
--- a/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
+++ b/rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -78,13 +78,13 @@ risk_score = 73
 rule_id = "f494c678-3c33-43aa-b169-bb3d5198c41d"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Credential Access",
- "Active Directory",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
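Review bot: The new tags array in credential_access_seenabledelegationprivilege_assigned_to_user.toml ends with `"Use Case: Active Directory Monitoring"` and no trailing comma, while every other rewritten multi-line tags array in this diff keeps the trailing comma on its last element, and the single-line form in credential_access_ldap_attributes.toml places `"Use Case: Active Directory Monitoring"` immediately before `"Data Source: Active Directory"` rather than after `"Resources: Investigation Guide"`. TOML accepts both, so this is style only, but a consistent element order and a trailing comma keep future tag-rename diffs to one line per change: `+    "Use Case: Active Directory Monitoring",`. The same shape appears in the credential_access_spn_attribute_modified.toml hunk below, so it is presumably a shared edit worth normalising in one pass.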
diff --git a/rules/windows/credential_access_shadow_credentials.toml b/rules/windows/credential_access_shadow_credentials.toml
index 5d6f1c98c..408d46122 100644
--- a/rules/windows/credential_access_shadow_credentials.toml
+++ b/rules/windows/credential_access_shadow_credentials.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -87,7 +87,7 @@ references = [
 risk_score = 73
 rule_id = "79f97b31-480e-4e63-a7f4-ede42bf2c6de"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Active Directory", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_spn_attribute_modified.toml b/rules/windows/credential_access_spn_attribute_modified.toml
index 3fdc81e15..d4d7e09e8 100644
--- a/rules/windows/credential_access_spn_attribute_modified.toml
+++ b/rules/windows/credential_access_spn_attribute_modified.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -87,13 +87,13 @@ risk_score = 73
 rule_id = "0b2f3da5-b5ec-47d1-908b-6ebb74814289"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Credential Access",
- "Active Directory",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
index 51068d5b1..13e9e04c1 100644
--- a/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
+++ b/rules/windows/credential_access_suspicious_comsvcs_imageload.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com
 risk_score = 73
 rule_id = "c5c9f591-d111-4cf8-baec-c26a39bc31ef"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
 type = "eql"
 query = '''
diff --git a/rules/windows/credential_access_suspicious_lsass_access_generic.toml b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
index bfbc7ecbe..a4773ecc5 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_generic.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_generic.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ references = ["https://github.com/redcanaryco/atomic-red-team/blob/master/atomic
 risk_score = 47
 rule_id = "128468bf-cab1-4637-99ea-fdf3780a4609"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
index 434268ca5..c60078310 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_memdump.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "9960432d-9b26-409f-972b-839a959e79e2"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
index 667f0113a..252fcb7d5 100644
--- a/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
+++ b/rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 73
 rule_id = "0f93cb9a-1931-48c2-8cd0-f173fd3e5283"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
 timestamp_override = "event.ingested"
 type = "threshold"
diff --git a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
index ce52d0c88..8e7754b7c 100644
--- a/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
+++ b/rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -84,7 +84,7 @@ references = [
 risk_score = 47
 rule_id = "47e22836-4a16-4b35-beee-98f6c4ee9bf2"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Credential Access", "Investigation Guide", "Active Directory"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Credential Access", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 type = "eql"
 query = '''
diff --git a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
index 9e490f091..8efbf9b2d 100644
--- a/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
+++ b/rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -88,13 +88,12 @@ risk_score = 47
 rule_id = "d117cbb4-7d56-41b4-b999-bdf8c25648a0"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Credential Access",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
index d9ca743f4..c8411f5ae 100644
--- a/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
+++ b/rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/05"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = [
 risk_score = 73
 rule_id = "a16612dd-b30e-4d41-86a0-ebe70974ec00"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access", "Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Sysmon Only"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/credential_access_wireless_creds_dumping.toml b/rules/windows/credential_access_wireless_creds_dumping.toml
index 4b1455c44..cd03e935c 100644
--- a/rules/windows/credential_access_wireless_creds_dumping.toml
+++ b/rules/windows/credential_access_wireless_creds_dumping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -89,14 +89,13 @@ risk_score = 73
 rule_id = "2de87d72-ee0c-43e2-b975-5f0b029ac600"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Credential Access",
- "Discovery",
- "Elastic Endgame",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Credential Access",
+ "Tactic: Discovery",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
index a79a95d34..269b02992 100644
--- a/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
+++ b/rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/05/18"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -95,7 +95,7 @@ This rule looks for the execution of the `attrib.exe` utility with a command lin
 risk_score = 21
 rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
index 1af480821..d590c4994 100644
--- a/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/29"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -96,13 +96,12 @@ risk_score = 73
 rule_id = "fa488440-04cc-41d7-9279-539387bf2a17"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Elastic Endgame",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_amsi_bypass_powershell.toml b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
index 764a738af..85666af1d 100644
--- a/rules/windows/defense_evasion_amsi_bypass_powershell.toml
+++ b/rules/windows/defense_evasion_amsi_bypass_powershell.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/24"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -99,7 +99,7 @@ references = ["https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell"]
 risk_score = 73
 rule_id = "1f0a69c0-3392-4adf-b7d5-6012fd292da8"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "PowerShell", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_amsienable_key_mod.toml b/rules/windows/defense_evasion_amsienable_key_mod.toml
index 4bf0a554a..0e9f887ac 100644
--- a/rules/windows/defense_evasion_amsienable_key_mod.toml
+++ b/rules/windows/defense_evasion_amsienable_key_mod.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -79,13 +79,12 @@ risk_score = 73
 rule_id = "f874315d-5188-4b4a-8521-d1c73093a7e4"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_clearing_windows_console_history.toml b/rules/windows/defense_evasion_clearing_windows_console_history.toml
index 0300edd00..d44784630 100644
--- a/rules/windows/defense_evasion_clearing_windows_console_history.toml
+++ b/rules/windows/defense_evasion_clearing_windows_console_history.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Austin Songer"]
@@ -61,13 +61,12 @@ risk_score = 47
 rule_id = "b5877334-677f-4fb9-86d5-a9721274223b"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_clearing_windows_event_logs.toml b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
index 19d04ac25..f821679b8 100644
--- a/rules/windows/defense_evasion_clearing_windows_event_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_event_logs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -57,13 +57,12 @@ risk_score = 21
 rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
 severity = "low"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_clearing_windows_security_logs.toml b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
index 5cc82e595..1a8d8b4ca 100644
--- a/rules/windows/defense_evasion_clearing_windows_security_logs.toml
+++ b/rules/windows/defense_evasion_clearing_windows_security_logs.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic", "Anabella Cristaldi"]
@@ -51,7 +51,7 @@ This rule looks for the occurrence of clear actions on the `security` event log.
 risk_score = 21
 rule_id = "45ac4800-840f-414c-b221-53dd36a5aaf7"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
index 0e39bb548..c79fd8ca2 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -83,13 +83,12 @@ risk_score = 47
 rule_id = "b43570de-a908-4f7f-8bdb-b2df6ffd8c80"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Elastic Endgame",
- "Investigation Guide"
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
index 37b9878b6..795aaaded 100644
--- a/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
+++ b/rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -83,13 +83,12 @@ risk_score = 47
 rule_id = "da7733b1-fe08-487e-b536-0a04c6d8b0cd"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Elastic Endgame",
- "Investigation Guide"
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_create_mod_root_certificate.toml b/rules/windows/defense_evasion_create_mod_root_certificate.toml
index 065132233..070f8a692 100644
--- a/rules/windows/defense_evasion_create_mod_root_certificate.toml
+++ b/rules/windows/defense_evasion_create_mod_root_certificate.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -76,13 +76,12 @@ risk_score = 21
 rule_id = "203ab79b-239b-4aa5-8e54-fc50623ee8e4"
 severity = "low"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_cve_2020_0601.toml b/rules/windows/defense_evasion_cve_2020_0601.toml
index 535d040ee..3f819e689 100644
--- a/rules/windows/defense_evasion_cve_2020_0601.toml
+++ b/rules/windows/defense_evasion_cve_2020_0601.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Windows CryptoAPI Spoofing Vulnerability (CVE-2020-0601 - CurveBall)"
 risk_score = 21
 rule_id = "56557cde-d923-4b88-adee-c61b3f3b5dc3"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_defender_disabled_via_registry.toml b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
index e570adcf4..76e310dde 100644
--- a/rules/windows/defense_evasion_defender_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_defender_disabled_via_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -63,13 +63,12 @@ risk_score = 21
 rule_id = "2ffa1f1e-b6db-47fa-994b-1512743847eb"
 severity = "low"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index c99c44d91..319358914 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -75,13 +75,12 @@ risk_score = 47
 rule_id = "2c17e5d7-08b9-43b2-b58a-0270d65ac85b"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
index 5d9a994bd..c7665c333 100644
--- a/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
+++ b/rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -52,7 +52,7 @@ Consider using the Elastic Defend integration instead of USN Journal, as the Ela
 risk_score = 21
 rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
index ec8cc3905..8c0798a9d 100644
--- a/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
+++ b/rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -64,13 +64,12 @@ risk_score = 47
 rule_id = "818e23e6-2094-4f0e-8c01-22d30f3506c6"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
index 6154dd858..499962cff 100644
--- a/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
+++ b/rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -55,13 +55,12 @@ risk_score = 47
 rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
index 50fa47a27..944265338 100644
--- a/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
+++ b/rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -63,13 +63,12 @@ risk_score = 47
 rule_id = "c8cccb06-faf2-4cd5-886e-2c9636cfcb87"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_disabling_windows_logs.toml b/rules/windows/defense_evasion_disabling_windows_logs.toml
index 26cc55c2c..8850d6e96 100644
--- a/rules/windows/defense_evasion_disabling_windows_logs.toml
+++ b/rules/windows/defense_evasion_disabling_windows_logs.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic", "Ivan Ninichuck", "Austin Songer"]
@@ -60,13 +60,12 @@ risk_score = 21
 rule_id = "4de76544-f0e5-486a-8f84-eae0b6063cdc"
 severity = "low"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_dns_over_https_enabled.toml b/rules/windows/defense_evasion_dns_over_https_enabled.toml
index 1459bc5d5..3b18c1175 100644
--- a/rules/windows/defense_evasion_dns_over_https_enabled.toml
+++ b/rules/windows/defense_evasion_dns_over_https_enabled.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 21
 rule_id = "a22a09c2-2162-4df0-a356-9aacbeb56a04"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
index 07fcf22a1..1e9b3e226 100644
--- a/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
+++ b/rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
index e7a8da1c4..1e5a409d5 100644
--- a/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -61,13 +61,12 @@ risk_score = 47
 rule_id = "074464f9-f30d-4029-8c03-0ed237fffec7"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
index 51036b633..f033341ec 100644
--- a/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
+++ b/rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -57,13 +57,12 @@ risk_score = 47
 rule_id = "8b4f0816-6a65-4630-86a6-c21c179c0d09"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
index 7df65a5a2..59e3460c3 100644
--- a/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
+++ b/rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://www.joesandbox.com/analysis/476188/1/html"]
 risk_score = 73
 rule_id = "416697ae-e468-4093-a93d-59661fa619ec"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
index 179f905c0..7ba7ae5f5 100644
--- a/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
+++ b/rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://dtm.uk/wuauclt/"]
 risk_score = 47
 rule_id = "edf8ee23-5ea7-4123-ba19-56b41e424ae3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
index 88e55bcf2..3fef0a241 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -82,13 +82,12 @@ risk_score = 73
 rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
index 1bbbb00f7..c8b1079b0 100755
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
index 019238357..9042922bb 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
index f0b899ee7..03390cbdc 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/07"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -102,13 +102,12 @@ risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4"
 severity = "low"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Elastic Endgame",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
index 024bc3351..2862acb3d 100644
--- a/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
+++ b/rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://blog.talosintelligence.com/2020/02/building-bypass-with-m
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
index bd8bf99ef..c84764a31 100644
--- a/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
+++ b/rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "1160dcdb-0a0a-4a79-91d8-9b84616edebd"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
index 2caa87b0f..03cfc6bf8 100644
--- a/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
+++ b/rules/windows/defense_evasion_execution_windefend_unusual_path.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic", "Dennis Perto"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 73
 rule_id = "053a0387-f3b5-4ba5-8245-8002cca2bd08"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_file_creation_mult_extension.toml b/rules/windows/defense_evasion_file_creation_mult_extension.toml
index ded93fc8b..66660e2d0 100644
--- a/rules/windows/defense_evasion_file_creation_mult_extension.toml
+++ b/rules/windows/defense_evasion_file_creation_mult_extension.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "8b2b3a62-a598-4293-bc14-3d5fa22bb98f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_from_unusual_directory.toml b/rules/windows/defense_evasion_from_unusual_directory.toml
index 5c6f205e0..3922f5c1b 100644
--- a/rules/windows/defense_evasion_from_unusual_directory.toml
+++ b/rules/windows/defense_evasion_from_unusual_directory.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "ebfe1448-7fac-4d59-acea-181bd89b1f7f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
index 02c6e8e63..ca32d0129 100644
--- a/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
+++ b/rules/windows/defense_evasion_hide_encoded_executable_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Encoded Executable Stored in the Registry"
 risk_score = 47
 rule_id = "93c1ce76-494c-4f01-8167-35edfb52f7b1"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_iis_httplogging_disabled.toml b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
index 806c63d8b..a20a4ca08 100644
--- a/rules/windows/defense_evasion_iis_httplogging_disabled.toml
+++ b/rules/windows/defense_evasion_iis_httplogging_disabled.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/02"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -59,7 +59,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "ebf1adea-ccf2-4943-8b96-7ab11ca173a5"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_injection_msbuild.toml b/rules/windows/defense_evasion_injection_msbuild.toml
index d5bee584d..3211a75db 100755
--- a/rules/windows/defense_evasion_injection_msbuild.toml
+++ b/rules/windows/defense_evasion_injection_msbuild.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Process Injection by the Microsoft Build Engine"
 risk_score = 21
 rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae9"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Sysmon Only"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/defense_evasion_installutil_beacon.toml b/rules/windows/defense_evasion_installutil_beacon.toml
index 4e270d971..845252357 100644
--- a/rules/windows/defense_evasion_installutil_beacon.toml
+++ b/rules/windows/defense_evasion_installutil_beacon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "InstallUtil Process Making Network Connections"
 risk_score = 47
 rule_id = "a13167f1-eec2-4015-9631-1fee60406dcf"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index fd0ffc1da..d99a3d7ee 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
index 31e47193c..10571c4bc 100644
--- a/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
+++ b/rules/windows/defense_evasion_masquerading_renamed_autoit.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/07"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -101,13 +101,12 @@ risk_score = 47
 rule_id = "2e1e835d-01e5-48ca-b9fc-7a61f7f11902"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Elastic Endgame",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Data Source: Elastic Endgame",
+ "Resources: Investigation Guide",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
index 4ea706f05..9e5ec9cb1 100644
--- a/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
+++ b/rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "ac5012b8-8da8-440b-aaaf-aedafdea2dff"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 150922343..c466f17c0 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "32c5cf9c-2ef8-4e87-819e-5ccb7cd18b14"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_masquerading_werfault.toml b/rules/windows/defense_evasion_masquerading_werfault.toml
index 3e1045ff7..bf00e9012 100644
--- a/rules/windows/defense_evasion_masquerading_werfault.toml
+++ b/rules/windows/defense_evasion_masquerading_werfault.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/07"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -103,7 +103,7 @@ references = [
 risk_score = 47
 rule_id = "6ea41894-66c3-4df7-ad6b-2c5074eb3df8"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_microsoft_defender_tampering.toml b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
index 426103e78..7d576a39c 100644
--- a/rules/windows/defense_evasion_microsoft_defender_tampering.toml
+++ b/rules/windows/defense_evasion_microsoft_defender_tampering.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -72,7 +72,7 @@ references = [
 risk_score = 47
 rule_id = "fe794edd-487f-4a90-b285-3ee54f2af2d3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
index 39126d6ea..437e9120a 100644
--- a/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
+++ b/rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -100,7 +100,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 21
 rule_id = "63e65ec3-43b1-45b0-8f2d-45b34291dc44"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
index 35eb55fd5..74bbdc02f 100644
--- a/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
+++ b/rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -74,13 +74,12 @@ risk_score = 47
 rule_id = "feeed87c-5e95-4339-aef1-47fd79bcfbe3"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
index 85f138312..d61278529 100644
--- a/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
+++ b/rules/windows/defense_evasion_msbuild_beacon_sequence.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "development"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "MsBuild Network Connection Sequence"
 risk_score = 47
 rule_id = "9dc6ed5d-62a9-4feb-a903-fafa1d33b8e9"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_msbuild_making_network_connections.toml b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
index 66689d1d9..e8a338fc6 100644
--- a/rules/windows/defense_evasion_msbuild_making_network_connections.toml
+++ b/rules/windows/defense_evasion_msbuild_making_network_connections.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -100,7 +100,7 @@ This rule looks for the `Msbuild.exe` utility execution, followed by a network c
 risk_score = 47
 rule_id = "0e79980b-4250-4a50-a509-69294c14e84b"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_mshta_beacon.toml b/rules/windows/defense_evasion_mshta_beacon.toml
index 2993d680e..90b277935 100644
--- a/rules/windows/defense_evasion_mshta_beacon.toml
+++ b/rules/windows/defense_evasion_mshta_beacon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Mshta Making Network Connections"
 risk_score = 47
 rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_msxsl_beacon.toml b/rules/windows/defense_evasion_msxsl_beacon.toml
index 4360cfdc1..49a15debb 100644
--- a/rules/windows/defense_evasion_msxsl_beacon.toml
+++ b/rules/windows/defense_evasion_msxsl_beacon.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "development"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ name = "MsXsl Making Network Connections"
 risk_score = 47
 rule_id = "870d1753-1078-403e-92d4-735f142edcca"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_msxsl_network.toml b/rules/windows/defense_evasion_msxsl_network.toml
index 0cdbcee14..43b0df677 100644
--- a/rules/windows/defense_evasion_msxsl_network.toml
+++ b/rules/windows/defense_evasion_msxsl_network.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 21
 rule_id = "b86afe07-0d98-4738-b15d-8d7465f95ff5"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
index 2506e9f9f..a3dbb4de1 100644
--- a/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
+++ b/rules/windows/defense_evasion_network_connection_from_windows_binary.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -100,7 +100,7 @@ This rule identifies network connections established by trusted developer utilit
 risk_score = 47
 rule_id = "1fe3b299-fbb5-4657-a937-1d746f2c711a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
index bd06daf99..747a04f75 100644
--- a/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
+++ b/rules/windows/defense_evasion_parent_process_pid_spoofing.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://blog.didierstevens.com/2017/03/20/"]
 risk_score = 73
 rule_id = "c88d4bd0-5649-4c52-87ea-9be59dbfbcf2"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
index 8e012822c..217f09bb0 100644
--- a/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
+++ b/rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,13 +27,12 @@ risk_score = 47
 rule_id = "07b1ef73-1fde-4a49-a34a-5dd40011b076"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Privilege Escalation",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Tactic: Privilege Escalation",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_posh_assembly_load.toml b/rules/windows/defense_evasion_posh_assembly_load.toml
index baf74b0ac..72d10874a 100644
--- a/rules/windows/defense_evasion_posh_assembly_load.toml
+++ b/rules/windows/defense_evasion_posh_assembly_load.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/15"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -124,7 +124,7 @@ references = ["https://docs.microsoft.com/en-us/dotnet/api/system.reflection.ass
 risk_score = 47
 rule_id = "e26f042e-c590-4e82-8e05-41e81bd822ad"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/defense_evasion_posh_compressed.toml b/rules/windows/defense_evasion_posh_compressed.toml
index 1d6cb8f6f..55734b836 100644
--- a/rules/windows/defense_evasion_posh_compressed.toml
+++ b/rules/windows/defense_evasion_posh_compressed.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/20"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -124,7 +124,7 @@ reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLo
 risk_score = 47
 rule_id = "81fe9dc6-a2d7-4192-a2d8-eed98afc766a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/defense_evasion_posh_encryption.toml b/rules/windows/defense_evasion_posh_encryption.toml
index 28fe9b635..12c2c8204 100644
--- a/rules/windows/defense_evasion_posh_encryption.toml
+++ b/rules/windows/defense_evasion_posh_encryption.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "PowerShell Script with Encryption/Decryption Capabilities"
 risk_score = 47
 rule_id = "1d9aeb0b-9549-46f6-a32d-05e2a001b7fd"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/defense_evasion_posh_process_injection.toml b/rules/windows/defense_evasion_posh_process_injection.toml
index 27dd49538..94323cd13 100644
--- a/rules/windows/defense_evasion_posh_process_injection.toml
+++ b/rules/windows/defense_evasion_posh_process_injection.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/20"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -83,7 +83,7 @@ references = [
 risk_score = 47
 rule_id = "2e29e96a-b67c-455a-afe4-de6183431d0d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
 
diff --git a/rules/windows/defense_evasion_potential_processherpaderping.toml b/rules/windows/defense_evasion_potential_processherpaderping.toml
index 981b3d7e7..d9593729b 100644
--- a/rules/windows/defense_evasion_potential_processherpaderping.toml
+++ b/rules/windows/defense_evasion_potential_processherpaderping.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://github.com/jxy-s/herpaderping"]
 risk_score = 73
 rule_id = "ccc55af4-9882-4c67-87b4-449a7ae8079c"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index c42aacd21..6bfbb88e3 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Austin Songer"]
@@ -71,13 +71,12 @@ risk_score = 47
 rule_id = "f63c8e3c-d396-404f-b2ea-0379d3942d73"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
index 75d883b17..fd05cf2be 100644
--- a/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
+++ b/rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ name = "Process Termination followed by Deletion"
 risk_score = 47
 rule_id = "09443c92-46b3-45a4-8f25-383b028b258d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
index ce1fda7f5..2edf1cc96 100644
--- a/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
+++ b/rules/windows/defense_evasion_proxy_execution_via_msdt.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "2c3c29a4-f170-42f8-a3d8-2ceebc18eb6a"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_rundll32_no_arguments.toml b/rules/windows/defense_evasion_rundll32_no_arguments.toml
index 48876f060..d54b61439 100644
--- a/rules/windows/defense_evasion_rundll32_no_arguments.toml
+++ b/rules/windows/defense_evasion_rundll32_no_arguments.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Unusual Child Processes of RunDLL32"
 risk_score = 73
 rule_id = "f036953a-4615-4707-a1ca-dc53bf69dcd5"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
index d95dc0290..dda08a658 100644
--- a/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
+++ b/rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/win32
 risk_score = 47
 rule_id = "9aa0e1f6-52ce-42e1-abb3-09657cee2698"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
index c623a29fd..c6323fc66 100644
--- a/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
+++ b/rules/windows/defense_evasion_sdelete_like_filename_rename.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "5aee924b-6ceb-4633-980e-1bde8cdb40c5"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_sip_provider_mod.toml b/rules/windows/defense_evasion_sip_provider_mod.toml
index a8c6c9e94..401a3062b 100644
--- a/rules/windows/defense_evasion_sip_provider_mod.toml
+++ b/rules/windows/defense_evasion_sip_provider_mod.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://github.com/mattifestation/PoCSubjectInterfacePackage"]
 risk_score = 47
 rule_id = "f2c7b914-eda3-40c2-96ac-d23ef91776ca"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
index 6bd9e0617..91415195d 100644
--- a/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
+++ b/rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 47
 rule_id = "b9960fef-82c6-4816-befa-44745030e917"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_suspicious_certutil_commands.toml b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
index 712a4a759..b75115273 100644
--- a/rules/windows/defense_evasion_suspicious_certutil_commands.toml
+++ b/rules/windows/defense_evasion_suspicious_certutil_commands.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -102,7 +102,7 @@ references = [
 risk_score = 47
 rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
index 0f2722933..54fca638d 100644
--- a/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
+++ b/rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "8a1d4831-3ce6-4859-9891-28931fa6101d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
index 38be37a16..c72c8d718 100644
--- a/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
+++ b/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-c
 risk_score = 73
 rule_id = "acf738b5-b5b2-4acc-bad9-1e18ee234f40"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
index aa9318180..520772cac 100644
--- a/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
+++ b/rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
@@ -2,7 +2,7 @@
 creation_date = "2021/10/11"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
 
@@ -109,7 +109,7 @@ references = [
 risk_score = 73
 rule_id = "2dd480be-1263-4d9c-8672-172928f6789a"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon Only"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
index 22f8ba755..ef7146827 100644
--- a/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
+++ b/rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -48,7 +48,7 @@ Attackers may inject code into child processes' memory to hide their actual acti
 risk_score = 47
 rule_id = "3ed032b2-45d8-4406-bc79-7ad1eabb2c72"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide", "Sysmon Only"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide", "Data Source: Sysmon Only"]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_suspicious_scrobj_load.toml b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
index a4acedba6..7d1652cb9 100644
--- a/rules/windows/defense_evasion_suspicious_scrobj_load.toml
+++ b/rules/windows/defense_evasion_suspicious_scrobj_load.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Suspicious Script Object Execution"
 risk_score = 47
 rule_id = "4ed678a9-3a4f-41fb-9fea-f85a6e0a0dff"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_suspicious_short_program_name.toml b/rules/windows/defense_evasion_suspicious_short_program_name.toml
index ddea1b831..fa95bc2b6 100644
--- a/rules/windows/defense_evasion_suspicious_short_program_name.toml
+++ b/rules/windows/defense_evasion_suspicious_short_program_name.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "17c7f6a5-5bc9-4e1f-92bf-13632d24384d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index 2419da35e..349cfee4e 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Suspicious WMIC XSL Script Execution"
 risk_score = 47
 rule_id = "7f370d54-c0eb-4270-ac5a-9a6020585dc6"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
index 5949b2752..db40ed158 100644
--- a/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
+++ b/rules/windows/defense_evasion_suspicious_zoom_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "97aba1ef-6034-4bd3-8c1a-1e0996b27afa"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
index 2af0266b9..b929a53c2 100644
--- a/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
+++ b/rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -101,13 +101,12 @@ risk_score = 73
 rule_id = "e94262f2-c1e9-4d3f-a907-aeab16712e1a"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_timestomp_sysmon.toml b/rules/windows/defense_evasion_timestomp_sysmon.toml
index 8bfed4516..8f2c91c6b 100644
--- a/rules/windows/defense_evasion_timestomp_sysmon.toml
+++ b/rules/windows/defense_evasion_timestomp_sysmon.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -22,11 +22,10 @@ risk_score = 47
 rule_id = "166727ab-6768-4e26-b80c-948b228ffc06"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion"
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
index 320bb0333..5e9636906 100644
--- a/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
+++ b/rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
@@ -4,7 +4,7 @@ maturity = "production"
 integration = ["endpoint"]
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.4.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "ca98c7cf-a56e-4057-a4e8-39603f7f0389"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_untrusted_driver_loaded.toml b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
index 897149b0e..6bba8a316 100644
--- a/rules/windows/defense_evasion_untrusted_driver_loaded.toml
+++ b/rules/windows/defense_evasion_untrusted_driver_loaded.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -95,7 +95,7 @@ references = [
 risk_score = 73
 rule_id = "d8ab1ec1-feeb-48b9-89e7-c12e189448aa"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_unusual_ads_file_creation.toml b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
index 9f72dad73..955bbd649 100644
--- a/rules/windows/defense_evasion_unusual_ads_file_creation.toml
+++ b/rules/windows/defense_evasion_unusual_ads_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/05/24"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -106,7 +106,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "71bccb61-e19b-452f-b104-79a60e546a95"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_unusual_dir_ads.toml b/rules/windows/defense_evasion_unusual_dir_ads.toml
index 1b713e8e0..105a585f6 100644
--- a/rules/windows/defense_evasion_unusual_dir_ads.toml
+++ b/rules/windows/defense_evasion_unusual_dir_ads.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "4bd1c1af-79d4-4d37-9efa-6e0240640242"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
index 1e8d05fea..78d592248 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "c7894234-7814-44c2-92a9-f7d851ea246a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion"]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
index e7fdef8f0..e84bb608e 100644
--- a/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
+++ b/rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,7 @@ references = [
 risk_score = 47
 rule_id = "52aaab7b-b51c-441a-89ce-4387b3aea886"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Command and Control", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Command and Control", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_unusual_process_network_connection.toml b/rules/windows/defense_evasion_unusual_process_network_connection.toml
index 0b9943161..a306d59ba 100644
--- a/rules/windows/defense_evasion_unusual_process_network_connection.toml
+++ b/rules/windows/defense_evasion_unusual_process_network_connection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -47,7 +47,7 @@ This rule identifies network activity from unexpected system utilities and appli
 risk_score = 21
 rule_id = "610949a1-312f-4e04-bb55-3a79b8c95267"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
diff --git a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
index 914b22e9f..e7535d623 100644
--- a/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
+++ b/rules/windows/defense_evasion_unusual_system_vp_child_program.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "de9bd7e0-49e9-4e92-a64d-53ade2e66af1"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_via_filter_manager.toml b/rules/windows/defense_evasion_via_filter_manager.toml
index 873231990..c56e1fe1b 100644
--- a/rules/windows/defense_evasion_via_filter_manager.toml
+++ b/rules/windows/defense_evasion_via_filter_manager.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -97,7 +97,7 @@ This rule identifies the attempt to unload a minifilter using the `fltmc.exe` co
 risk_score = 47
 rule_id = "06dceabf-adca-48af-ac79-ffdf4c3b1e9a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_workfolders_control_execution.toml b/rules/windows/defense_evasion_workfolders_control_execution.toml
index 8c7a51291..b9aa644a1 100644
--- a/rules/windows/defense_evasion_workfolders_control_execution.toml
+++ b/rules/windows/defense_evasion_workfolders_control_execution.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -61,13 +61,12 @@ risk_score = 47
 rule_id = "ad0d2742-9a49-11ec-8d6b-acde48001122"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_wsl_bash_exec.toml b/rules/windows/defense_evasion_wsl_bash_exec.toml
index 9a4ccb9c5..fc41e3cc4 100644
--- a/rules/windows/defense_evasion_wsl_bash_exec.toml
+++ b/rules/windows/defense_evasion_wsl_bash_exec.toml
@@ -2,7 +2,7 @@ creation_date = "2023/01/13"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "3e0eeb75-16e8-4f2f-9826-62461ca128b7"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_wsl_child_process.toml b/rules/windows/defense_evasion_wsl_child_process.toml
index d06db7e0e..d8e8621f1 100644
--- a/rules/windows/defense_evasion_wsl_child_process.toml
+++ b/rules/windows/defense_evasion_wsl_child_process.toml
@@ -2,7 +2,7 @@ creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -21,7 +21,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
 risk_score = 47
 rule_id = "db7dbad5-08d2-4d25-b9b1-d3a1e4a15efd"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
index 22516769f..ac0561287 100644
--- a/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
+++ b/rules/windows/defense_evasion_wsl_enabled_via_dism.toml
@@ -2,7 +2,7 @@ creation_date = "2023/01/13"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -21,7 +21,7 @@ references = ["https://blog.f-secure.com/hunting-for-windows-subsystem-for-linux
 risk_score = 47
 rule_id = "e2e0537d-7d8f-4910-a11d-559bcf61295a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_wsl_filesystem.toml b/rules/windows/defense_evasion_wsl_filesystem.toml
index 543a35c65..09f62af42 100644
--- a/rules/windows/defense_evasion_wsl_filesystem.toml
+++ b/rules/windows/defense_evasion_wsl_filesystem.toml
@@ -2,7 +2,7 @@ creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -21,7 +21,7 @@ references = ["https://github.com/microsoft/WSL"]
 risk_score = 47
 rule_id = "e88d1fe9-b2f4-48d4-bace-a026dc745d4b"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_wsl_kalilinux.toml b/rules/windows/defense_evasion_wsl_kalilinux.toml
index 77d7a7363..403f8cc90 100644
--- a/rules/windows/defense_evasion_wsl_kalilinux.toml
+++ b/rules/windows/defense_evasion_wsl_kalilinux.toml
@@ -2,7 +2,7 @@ creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -21,7 +21,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
 risk_score = 73
 rule_id = "dd34b062-b9e3-4a6b-8c0c-6c8ca6dd450e"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/defense_evasion_wsl_registry_modification.toml b/rules/windows/defense_evasion_wsl_registry_modification.toml
index dcf48d0e8..7a2a476fc 100644
--- a/rules/windows/defense_evasion_wsl_registry_modification.toml
+++ b/rules/windows/defense_evasion_wsl_registry_modification.toml
@@ -2,7 +2,7 @@ creation_date = "2023/01/12"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -21,7 +21,7 @@ references = ["https://learn.microsoft.com/en-us/windows/wsl/wsl-config"]
 risk_score = 47
 rule_id = "a1699af0-8e1e-4ed0-8ec1-89783538a061"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Endgame"]
 timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799"
 timeline_title = "Comprehensive Registry Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 6133f4cf8..a987032b6 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ references = [
 risk_score = 21
 rule_id = "eda499b8-a073-4e35-9733-22ec71f57f3a"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_admin_recon.toml b/rules/windows/discovery_admin_recon.toml
index 0a88a9387..60c2c8b2e 100644
--- a/rules/windows/discovery_admin_recon.toml
+++ b/rules/windows/discovery_admin_recon.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -56,7 +56,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "871ea072-1b71-4def-b016-6278b505138d"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_command_system_account.toml b/rules/windows/discovery_command_system_account.toml
index 8ac39d0e3..2c3d39a42 100644
--- a/rules/windows/discovery_command_system_account.toml
+++ b/rules/windows/discovery_command_system_account.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "2856446a-34e6-435b-9fb5-f8f040bfa7ed"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
index d4946f591..a669619f5 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_dsquery.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ references = [
 risk_score = 21
 rule_id = "06a7a03c-c735-47a6-a313-51c354aef6c3"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
index f9ffae75f..691e90ce8 100644
--- a/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
+++ b/rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ references = [
 risk_score = 21
 rule_id = "84da2554-e12a-11ec-b896-f661ea17fbcd"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml
index 2a86d2562..557738694 100644
--- a/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml
+++ b/rules/windows/discovery_files_dir_systeminfo_via_cmd.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/24"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "d68e95ad-1c82-4074-a12a-125fe10ac8ba"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Execution", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Tactic: Execution", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_group_policy_object_discovery.toml b/rules/windows/discovery_group_policy_object_discovery.toml
index 61892a1df..4202ab5a9 100644
--- a/rules/windows/discovery_group_policy_object_discovery.toml
+++ b/rules/windows/discovery_group_policy_object_discovery.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Group Policy Discovery via Microsoft GPResult Utility"
 risk_score = 21
 rule_id = "94a401ba-4fa2-455c-b7ae-b6e037afc0b7"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_net_view.toml b/rules/windows/discovery_net_view.toml
index 6788ad3ea..f0b74e70f 100644
--- a/rules/windows/discovery_net_view.toml
+++ b/rules/windows/discovery_net_view.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "7b8bfc26-81d2-435e-965c-d722ee397ef1"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_peripheral_device.toml b/rules/windows/discovery_peripheral_device.toml
index 14a2fa4a8..4ca4f7e0e 100644
--- a/rules/windows/discovery_peripheral_device.toml
+++ b/rules/windows/discovery_peripheral_device.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -53,7 +53,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "0c7ca5c2-728d-4ad9-b1c5-bbba83ecb1f4"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_posh_invoke_sharefinder.toml b/rules/windows/discovery_posh_invoke_sharefinder.toml
index b97968d0d..3a9dfda52 100644
--- a/rules/windows/discovery_posh_invoke_sharefinder.toml
+++ b/rules/windows/discovery_posh_invoke_sharefinder.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -77,7 +77,7 @@ references = [
 risk_score = 47
 rule_id = "4c59cff1-b78a-41b8-a9f1-4231984d1fb6"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/discovery_posh_suspicious_api_functions.toml b/rules/windows/discovery_posh_suspicious_api_functions.toml
index c766c950d..0b7449ebf 100644
--- a/rules/windows/discovery_posh_suspicious_api_functions.toml
+++ b/rules/windows/discovery_posh_suspicious_api_functions.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/20"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ references = [
 risk_score = 47
 rule_id = "61ac3638-40a3-44b2-855a-985636ca985e"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
index 782fdf285..b75db165e 100644
--- a/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
+++ b/rules/windows/discovery_post_exploitation_external_ip_lookup.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ references = [
 risk_score = 21
 rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_privileged_localgroup_membership.toml b/rules/windows/discovery_privileged_localgroup_membership.toml
index 0f8a2839c..17764a8ba 100644
--- a/rules/windows/discovery_privileged_localgroup_membership.toml
+++ b/rules/windows/discovery_privileged_localgroup_membership.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -112,7 +112,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "291a0de9-937a-4189-94c0-3e847c8b13e4"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_remote_system_discovery_commands_windows.toml b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
index ea764fdfc..cd4060307 100644
--- a/rules/windows/discovery_remote_system_discovery_commands_windows.toml
+++ b/rules/windows/discovery_remote_system_discovery_commands_windows.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -49,7 +49,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "0635c542-1b96-4335-9b47-126582d2c19a"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_security_software_wmic.toml b/rules/windows/discovery_security_software_wmic.toml
index f7d781a01..bcc10fd12 100644
--- a/rules/windows/discovery_security_software_wmic.toml
+++ b/rules/windows/discovery_security_software_wmic.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -52,7 +52,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "6ea55c81-e2ba-42f2-a134-bccf857ba922"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_system_service_discovery.toml b/rules/windows/discovery_system_service_discovery.toml
index 15640d92d..7d949a628 100644
--- a/rules/windows/discovery_system_service_discovery.toml
+++ b/rules/windows/discovery_system_service_discovery.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "System Service Discovery through built-in Windows Utilities"
 risk_score = 21
 rule_id = "e0881d20-54ac-457f-8733-fe0bc5d44c55"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_system_time_discovery.toml b/rules/windows/discovery_system_time_discovery.toml
index 8489b4981..fecb139e6 100644
--- a/rules/windows/discovery_system_time_discovery.toml
+++ b/rules/windows/discovery_system_time_discovery.toml
@@ -4,7 +4,7 @@ integration = ["windows", "endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "System Time Discovery"
 risk_score = 21
 rule_id = "06568a02-af29-4f20-929c-f3af281e41aa"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/discovery_whoami_command_activity.toml b/rules/windows/discovery_whoami_command_activity.toml
index f0f6d49fd..276f133d3 100644
--- a/rules/windows/discovery_whoami_command_activity.toml
+++ b/rules/windows/discovery_whoami_command_activity.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -62,7 +62,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "ef862985-3f13-4262-a686-5f357bbb9bc2"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Discovery", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
index 78d7aa6c2..e347d508b 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
index c42fa79f9..49fbfea33 100644
--- a/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
+++ b/rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 47
 rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_com_object_xwizard.toml b/rules/windows/execution_com_object_xwizard.toml
index 659916fb2..7064a300e 100644
--- a/rules/windows/execution_com_object_xwizard.toml
+++ b/rules/windows/execution_com_object_xwizard.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 47
 rule_id = "1a6075b0-7479-450e-8fe7-b8b8438ac570"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
index 0f239a8fe..afb1e0efe 100644
--- a/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
+++ b/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -106,7 +106,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 21
 rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_command_shell_started_by_svchost.toml b/rules/windows/execution_command_shell_started_by_svchost.toml
index b7a037367..50c77ac42 100644
--- a/rules/windows/execution_command_shell_started_by_svchost.toml
+++ b/rules/windows/execution_command_shell_started_by_svchost.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -100,7 +100,7 @@ references = [
 risk_score = 21
 rule_id = "fd7a6052-58fa-4397-93c3-4795249ccfa2"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timeline_id = "e70679c2-6cde-4510-9764-4823df18f7db"
 timeline_title = "Comprehensive Process Timeline"
 timestamp_override = "event.ingested"
diff --git a/rules/windows/execution_command_shell_started_by_unusual_process.toml b/rules/windows/execution_command_shell_started_by_unusual_process.toml
index c8a5bb5b9..951b91f38 100644
--- a/rules/windows/execution_command_shell_started_by_unusual_process.toml
+++ b/rules/windows/execution_command_shell_started_by_unusual_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "3b47900d-e793-49e8-968f-c90dc3526aa1"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_command_shell_via_rundll32.toml b/rules/windows/execution_command_shell_via_rundll32.toml
index 6d805c059..5807d3930 100644
--- a/rules/windows/execution_command_shell_via_rundll32.toml
+++ b/rules/windows/execution_command_shell_via_rundll32.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "9ccf3ce0-0057-440a-91f5-870c6ad39093"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Credential Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Credential Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_downloaded_shortcut_files.toml b/rules/windows/execution_downloaded_shortcut_files.toml
index 77abfdca6..7682cc2bf 100644
--- a/rules/windows/execution_downloaded_shortcut_files.toml
+++ b/rules/windows/execution_downloaded_shortcut_files.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "development"
 query_schema_validation = false
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Downloaded Shortcut Files"
 risk_score = 21
 rule_id = "6b1fd8e8-cefe-444c-bc4d-feaa2c497347"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"]
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_downloaded_url_file.toml b/rules/windows/execution_downloaded_url_file.toml
index ecb4e2844..943e9914b 100644
--- a/rules/windows/execution_downloaded_url_file.toml
+++ b/rules/windows/execution_downloaded_url_file.toml
@@ -3,7 +3,7 @@ creation_date = "2020/09/02"
 integration = ["endpoint", "windows"]
 maturity = "development"
 query_schema_validation = false
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ name = "Downloaded URL Files"
 risk_score = 47
 rule_id = "cd82e3d6-1346-4afd-8f22-38388bbf34cb"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"]
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_enumeration_via_wmiprvse.toml b/rules/windows/execution_enumeration_via_wmiprvse.toml
index 3c304678e..3aeed2751 100644
--- a/rules/windows/execution_enumeration_via_wmiprvse.toml
+++ b/rules/windows/execution_enumeration_via_wmiprvse.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "770e0c4d-b998-41e5-a62e-c7901fd7f470"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_from_unusual_path_cmdline.toml b/rules/windows/execution_from_unusual_path_cmdline.toml
index df5e563a5..3e16bf3f7 100644
--- a/rules/windows/execution_from_unusual_path_cmdline.toml
+++ b/rules/windows/execution_from_unusual_path_cmdline.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -102,14 +102,13 @@ risk_score = 47
 rule_id = "cff92c41-2225-4763-b4ce-6f71e5bda5e6"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Execution",
- "Defense Evasion",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Execution",
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
index 7a8f8ab28..64a390162 100644
--- a/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -108,7 +108,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 21
 rule_id = "b29ee2be-bf99-446c-ab1a-2dc0183394b8"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"]
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_ms_office_written_file.toml b/rules/windows/execution_ms_office_written_file.toml
index 5fad22a35..048002fdb 100644
--- a/rules/windows/execution_ms_office_written_file.toml
+++ b/rules/windows/execution_ms_office_written_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ This rule searches for executable files written by MS Office applications execut
 risk_score = 73
 rule_id = "0d8ad79f-9025-45d8-80c1-4f0cd3c5e8e5"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_pdf_written_file.toml b/rules/windows/execution_pdf_written_file.toml
index 4684ea4f4..133859562 100644
--- a/rules/windows/execution_pdf_written_file.toml
+++ b/rules/windows/execution_pdf_written_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -68,7 +68,7 @@ This rule searches for executable files written by PDF reader software and execu
 risk_score = 73
 rule_id = "1defdd62-cd8d-426e-a246-81a37751bb2b"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 type = "eql"
 query = '''
diff --git a/rules/windows/execution_posh_hacktool_functions.toml b/rules/windows/execution_posh_hacktool_functions.toml
index c949449f8..465621373 100644
--- a/rules/windows/execution_posh_hacktool_functions.toml
+++ b/rules/windows/execution_posh_hacktool_functions.toml
@@ -2,7 +2,7 @@ creation_date = "2023/01/17"
 integration = ["windows"]
 maturity = "production"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -42,7 +42,7 @@ references = [
 risk_score = 47
 rule_id = "cde1bafa-9f01-4f43-a872-605b678968b0"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/execution_posh_portable_executable.toml b/rules/windows/execution_posh_portable_executable.toml
index a721fdb32..aaf299a29 100644
--- a/rules/windows/execution_posh_portable_executable.toml
+++ b/rules/windows/execution_posh_portable_executable.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -125,7 +125,7 @@ references = [
 risk_score = 47
 rule_id = "ad84d445-b1ce-4377-82d9-7c633f28bf9a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/execution_posh_psreflect.toml b/rules/windows/execution_posh_psreflect.toml
index 808216b38..947263e11 100644
--- a/rules/windows/execution_posh_psreflect.toml
+++ b/rules/windows/execution_posh_psreflect.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -136,7 +136,7 @@ references = [
 risk_score = 47
 rule_id = "56f2e9b5-4803-4e44-a0a4-a52dc79d57fe"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/execution_psexec_lateral_movement_command.toml b/rules/windows/execution_psexec_lateral_movement_command.toml
index 556d2c907..2085e8964 100644
--- a/rules/windows/execution_psexec_lateral_movement_command.toml
+++ b/rules/windows/execution_psexec_lateral_movement_command.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ This rule identifies PsExec execution by looking for the creation of `PsExec.exe
 risk_score = 21
 rule_id = "55d551c6-333b-4665-ab7e-5d14a59715ce"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
index 79f7e4e22..07d8f6c42 100644
--- a/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
+++ b/rules/windows/execution_register_server_program_connecting_to_the_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -105,7 +105,7 @@ references = ["https://www.iana.org/assignments/iana-ipv4-special-registry/iana-
 risk_score = 21
 rule_id = "fb02b8d3-71ee-4af1-bacd-215d23f17efa"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/execution_scheduled_task_powershell_source.toml b/rules/windows/execution_scheduled_task_powershell_source.toml
index 305863e33..f74f75473 100644
--- a/rules/windows/execution_scheduled_task_powershell_source.toml
+++ b/rules/windows/execution_scheduled_task_powershell_source.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 47
 rule_id = "5cd55388-a19c-47c7-8ec4-f41656c2fded"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/execution_shared_modules_local_sxs_dll.toml b/rules/windows/execution_shared_modules_local_sxs_dll.toml
index 160dbc7b2..9e690dcc3 100644
--- a/rules/windows/execution_shared_modules_local_sxs_dll.toml
+++ b/rules/windows/execution_shared_modules_local_sxs_dll.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ references = ["https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-
 risk_score = 47
 rule_id = "a3ea12f3-0d4e-4667-8b44-4230c63f3c75"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_suspicious_cmd_wmi.toml b/rules/windows/execution_suspicious_cmd_wmi.toml
index 4a87ad68a..c3f040f2f 100644
--- a/rules/windows/execution_suspicious_cmd_wmi.toml
+++ b/rules/windows/execution_suspicious_cmd_wmi.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "12f07955-1674-44f7-86b5-c35da0a6f41a"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
index cf0f11283..c2e6e5b59 100644
--- a/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
+++ b/rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 21
 rule_id = "891cb88e-441a-4c3e-be2d-120d99fe7b0d"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_suspicious_pdf_reader.toml b/rules/windows/execution_suspicious_pdf_reader.toml
index 28b0eaefa..3b35a3e3f 100644
--- a/rules/windows/execution_suspicious_pdf_reader.toml
+++ b/rules/windows/execution_suspicious_pdf_reader.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -72,7 +72,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "53a26770-9cbd-40c5-8b57-61d01a325e14"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_suspicious_powershell_imgload.toml b/rules/windows/execution_suspicious_powershell_imgload.toml
index 7ae99c30c..6e3857ef8 100644
--- a/rules/windows/execution_suspicious_powershell_imgload.toml
+++ b/rules/windows/execution_suspicious_powershell_imgload.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -85,7 +85,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "852c1f19-68e8-43a6-9dce-340771fe1be3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_suspicious_psexesvc.toml b/rules/windows/execution_suspicious_psexesvc.toml
index 2b192ea31..d34a7de7a 100644
--- a/rules/windows/execution_suspicious_psexesvc.toml
+++ b/rules/windows/execution_suspicious_psexesvc.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -55,7 +55,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "e2f9fdf5-8076-45ad-9427-41e0e03dc9c2"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_via_compiled_html_file.toml b/rules/windows/execution_via_compiled_html_file.toml
index 1e7016d53..32543af2f 100644
--- a/rules/windows/execution_via_compiled_html_file.toml
+++ b/rules/windows/execution_via_compiled_html_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/07"
+updated_date = "2023/06/22"
 
 [transform]
 [[transform.osquery]]
@@ -115,7 +115,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "e3343ab9-4245-4715-b344-e11c56b0a47f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Elastic Endgame", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Resources: Investigation Guide"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_via_hidden_shell_conhost.toml b/rules/windows/execution_via_hidden_shell_conhost.toml
index 84db8fc88..5e43ac1fd 100644
--- a/rules/windows/execution_via_hidden_shell_conhost.toml
+++ b/rules/windows/execution_via_hidden_shell_conhost.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ references = [
 risk_score = 73
 rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
index 3e599d42d..562dcc848 100644
--- a/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
+++ b/rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -58,7 +58,7 @@ references = ["https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 risk_score = 73
 rule_id = "4ed493fc-d637-4a36-80ff-ac84937e5461"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/impact_backup_file_deletion.toml b/rules/windows/impact_backup_file_deletion.toml
index 9079da020..bd174943b 100644
--- a/rules/windows/impact_backup_file_deletion.toml
+++ b/rules/windows/impact_backup_file_deletion.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/10"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -67,7 +67,7 @@ references = ["https://www.advintel.io/post/backup-removal-solutions-from-conti-
 risk_score = 47
 rule_id = "11ea6bec-ebde-4d71-a8e9-784948f8e3e9"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
index 7328e0746..14e0c4335 100644
--- a/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
+++ b/rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "581add16-df76-42bb-af8e-c979bfb39a59"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/impact_modification_of_boot_config.toml b/rules/windows/impact_modification_of_boot_config.toml
index 4196a5215..894be7700 100644
--- a/rules/windows/impact_modification_of_boot_config.toml
+++ b/rules/windows/impact_modification_of_boot_config.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -63,7 +63,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "69c251fb-a5d6-4035-b5ec-40438bd829ff"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/impact_stop_process_service_threshold.toml b/rules/windows/impact_stop_process_service_threshold.toml
index 906c1428c..ff07c03b8 100644
--- a/rules/windows/impact_stop_process_service_threshold.toml
+++ b/rules/windows/impact_stop_process_service_threshold.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -52,7 +52,7 @@ references = ["https://www.elastic.co/security-labs/luna-ransomware-attack-patte
 risk_score = 47
 rule_id = "035889c4-2686-4583-a7df-67f89c292f2c"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 type = "threshold"
 
 query = '''
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
index ecf4ebf31..fa74cfb04 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "b5ea4bfe-a1b2-421f-9d47-22a75a6f2921"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
index 48501364c..8f978b0b3 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -86,7 +86,7 @@ references = [
 risk_score = 73
 rule_id = "d99a037b-c8e2-47a5-97b9-170d076827c4"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
index 293c69eae..868b5dc75 100644
--- a/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
+++ b/rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -82,7 +82,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 73
 rule_id = "dc9c1f74-dac3-48e3-b47f-eb79db358f57"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Impact", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Impact", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
index e4e7ce35b..593740e97 100644
--- a/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
+++ b/rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/initial_access_execution_via_office_addins.toml b/rules/windows/initial_access_execution_via_office_addins.toml
index 7bcce09ef..c2b767203 100644
--- a/rules/windows/initial_access_execution_via_office_addins.toml
+++ b/rules/windows/initial_access_execution_via_office_addins.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/20"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ references = [
 risk_score = 47
 rule_id = "ae8a142c-6a1d-4918-bea7-0b617e99ecfa"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_script_executing_powershell.toml b/rules/windows/initial_access_script_executing_powershell.toml
index fc21e4dee..e44bf3d2d 100644
--- a/rules/windows/initial_access_script_executing_powershell.toml
+++ b/rules/windows/initial_access_script_executing_powershell.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -74,7 +74,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_scripts_process_started_via_wmi.toml b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
index ebf900017..590ef9fc9 100644
--- a/rules/windows/initial_access_scripts_process_started_via_wmi.toml
+++ b/rules/windows/initial_access_scripts_process_started_via_wmi.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Windows Script Interpreter Executing Process via WMI"
 risk_score = 47
 rule_id = "b64b183e-1a76-422d-9179-7b389513e74d"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame"]
 type = "eql"
 
 query = '''
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index 8b5afe993..befdaaba6 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -48,7 +48,7 @@ references = [
 risk_score = 47
 rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
index 22ea3f086..59d371039 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -34,7 +34,7 @@ references = [
 risk_score = 47
 rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
index a6b308dc7..cc0e80704 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 73
 rule_id = "f81ee52c-297e-46d9-9205-07e66931df26"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_suspicious_ms_office_child_process.toml b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
index 0a85326c8..8eae8766e 100644
--- a/rules/windows/initial_access_suspicious_ms_office_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_office_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ references = ["https://www.elastic.co/blog/vulnerability-summary-follina"]
 risk_score = 47
 rule_id = "a624863f-a70d-417f-a7d2-7a404638d47f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide", "Execution", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Tactic: Execution", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
index 2004b16d9..839125aaf 100644
--- a/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
+++ b/rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -71,7 +71,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "32f4675e-6c49-4ace-80f9-97c9259dca2e"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_unusual_dns_service_children.toml b/rules/windows/initial_access_unusual_dns_service_children.toml
index 17b632e83..5f9462ea9 100644
--- a/rules/windows/initial_access_unusual_dns_service_children.toml
+++ b/rules/windows/initial_access_unusual_dns_service_children.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -73,7 +73,7 @@ references = [
 risk_score = 73
 rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_unusual_dns_service_file_writes.toml b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
index 17ace565f..72b9b645e 100644
--- a/rules/windows/initial_access_unusual_dns_service_file_writes.toml
+++ b/rules/windows/initial_access_unusual_dns_service_file_writes.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -36,7 +36,7 @@ references = [
 risk_score = 73
 rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
index 56c3e35fc..97d647c83 100644
--- a/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
+++ b/rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "9a5b4e31-6cde-4295-9ff7-6be1b8567e1b"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
 
diff --git a/rules/windows/lateral_movement_alternate_creds_pth.toml b/rules/windows/lateral_movement_alternate_creds_pth.toml
index 0a0adaa4f..e4e2a9ff0 100644
--- a/rules/windows/lateral_movement_alternate_creds_pth.toml
+++ b/rules/windows/lateral_movement_alternate_creds_pth.toml
@@ -4,7 +4,7 @@ integration = ["windows", "system"]
 maturity = "production"
 min_stack_comments = "The New Term rule type used in this rule was added in Elastic 8.4"
 min_stack_version = "8.4.0"
-updated_date = "2023/03/29"
+updated_date = "2023/06/22"
 
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://attack.mitre.org/techniques/T1550/002/"]
 risk_score = 47
 rule_id = "daafdf96-e7b1-4f14-b494-27e0d24b11f6"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
 timestamp_override = "event.ingested"
 type = "new_terms"
 
diff --git a/rules/windows/lateral_movement_cmd_service.toml b/rules/windows/lateral_movement_cmd_service.toml
index e7191974e..5efcbdf06 100644
--- a/rules/windows/lateral_movement_cmd_service.toml
+++ b/rules/windows/lateral_movement_cmd_service.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Service Command Lateral Movement"
risk_score = 21
rule_id = "d61cbcf8-1bc1-4cff-85ba-e7b21c5beedc"
severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_dcom_hta.toml b/rules/windows/lateral_movement_dcom_hta.toml
index a5466c835..b6a4cc22c 100644
--- a/rules/windows/lateral_movement_dcom_hta.toml
+++ b/rules/windows/lateral_movement_dcom_hta.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://codewhitesec.blogspot.com/2018/07/lethalhta.html"]
risk_score = 73
rule_id = "622ecb68-fa81-4601-90b5-f8cd661e4520"
severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_dcom_mmc20.toml b/rules/windows/lateral_movement_dcom_mmc20.toml
index c3f2299c6..74b5afec7 100644
--- a/rules/windows/lateral_movement_dcom_mmc20.toml
+++ b/rules/windows/lateral_movement_dcom_mmc20.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20
risk_score = 73
rule_id = "51ce96fb-9e52-4dad-b0ba-99b54440fc9a"
severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
index 6524c2568..bd3c0634a 100644
--- a/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
+++ b/rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-
risk_score = 47
rule_id = "8f919d4b-a5af-47ca-a594-6be59cd924a4"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
index b6a02dd39..d86aa81ab 100644
--- a/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
+++ b/rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
risk_score = 47
rule_id = "ddab1f5f-7089-44f5-9fda-de5b11322e77"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
index f1d979190..f6ea9a8d2 100644
--- a/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
+++ b/rules/windows/lateral_movement_direct_outbound_smb_connection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
@@ -97,7 +97,7 @@ This rule looks for unexpected processes making network connections over port 44
risk_score = 47
rule_id = "c82c7d8f-fb9e-4874-a4bd-fd9e3f9becf1"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
index 0b29f54d9..fa4046e8e 100644
--- a/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
+++ b/rules/windows/lateral_movement_evasion_rdp_shadowing.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
risk_score = 73
rule_id = "c57f8579-e2a5-4804-847f-f2732edc5156"
severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
index 9b6692e2b..ac3324aa0 100644
--- a/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
+++ b/rules/windows/lateral_movement_executable_tool_transfer_smb.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -61,7 +61,7 @@ Adversaries can use network shares to host tooling to support the compromise of
risk_score = 47
rule_id = "58bc134c-e8d2-4291-a552-b4b3e537c60b"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
index 478dce6b9..804b0e6f5 100644
--- a/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
+++ b/rules/windows/lateral_movement_execution_from_tsclient_mup.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-mov
risk_score = 73
rule_id = "4fe9d835-40e1-452d-8230-17c147cafad8"
severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
index c522f7f6b..6773aaea7 100644
--- a/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
+++ b/rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -95,7 +95,7 @@ references = ["https://blog.menasec.net/2020/08/new-trick-to-detect-lateral-move
risk_score = 47
rule_id = "ab75c24b-2502-43a0-bf7c-e60e662c811e"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
index d849b93f0..ea19be8e8 100644
--- a/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
+++ b/rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -26,7 +26,7 @@ name = "Incoming Execution via WinRM Remote Shell"
risk_score = 47
rule_id = "1cd01db9-be24-4bef-8e7c-e923f0ff78ab"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_incoming_wmi.toml b/rules/windows/lateral_movement_incoming_wmi.toml
index 3417682d7..b702779fa 100644
--- a/rules/windows/lateral_movement_incoming_wmi.toml
+++ b/rules/windows/lateral_movement_incoming_wmi.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/05/03"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "WMI Incoming Lateral Movement"
risk_score = 47
rule_id = "f3475224-b179-4f78-8877-c2bd64c26b88"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
index e26f61178..fe33a54b3 100644
--- a/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
+++ b/rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Lateral Movement", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/lateral_movement_powershell_remoting_target.toml b/rules/windows/lateral_movement_powershell_remoting_target.toml
index ee1e5710e..6384e3be3 100644
--- a/rules/windows/lateral_movement_powershell_remoting_target.toml
+++ b/rules/windows/lateral_movement_powershell_remoting_target.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
risk_score = 47
rule_id = "2772264c-6fb9-4d9d-9014-b416eed21254"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_rdp_enabled_registry.toml b/rules/windows/lateral_movement_rdp_enabled_registry.toml
index 0a99ef002..790fe7ba6 100644
--- a/rules/windows/lateral_movement_rdp_enabled_registry.toml
+++ b/rules/windows/lateral_movement_rdp_enabled_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -60,7 +60,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "58aa72ca-d968-4f34-b9f7-bea51d75eb50"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/lateral_movement_rdp_sharprdp_target.toml b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
index 1829f7ab6..fc4022304 100644
--- a/rules/windows/lateral_movement_rdp_sharprdp_target.toml
+++ b/rules/windows/lateral_movement_rdp_sharprdp_target.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
risk_score = 73
rule_id = "8c81e506-6e82-4884-9b9a-75d3d252f967"
severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
index 4f5002060..617986432 100644
--- a/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
+++ b/rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "fa01341d-6662-426b-9d0c-6d81e33c8a9d"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/lateral_movement_remote_service_installed_winlog.toml b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
index 3bdc457cd..7230fa974 100644
--- a/rules/windows/lateral_movement_remote_service_installed_winlog.toml
+++ b/rules/windows/lateral_movement_remote_service_installed_winlog.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Remote Windows Service Installed"
risk_score = 47
rule_id = "d33ea3bf-9a11-463e-bd46-f648f2a0f4b1"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Persistence"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Tactic: Persistence"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_remote_services.toml b/rules/windows/lateral_movement_remote_services.toml
index 3df52c526..6026388a1 100644
--- a/rules/windows/lateral_movement_remote_services.toml
+++ b/rules/windows/lateral_movement_remote_services.toml
@@ -2,7 +2,7 @@
creation_date = "2020/11/16"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -103,7 +103,7 @@ references = [
risk_score = 47
rule_id = "aa9a274d-6b53-424d-ac5e-cb8ca4251650"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_remote_task_creation_winlog.toml b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
index 5f474c722..373f5e3d5 100644
--- a/rules/windows/lateral_movement_remote_task_creation_winlog.toml
+++ b/rules/windows/lateral_movement_remote_task_creation_winlog.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -49,7 +49,7 @@ note = """## Triage and analysis
risk_score = 47
rule_id = "9c865691-5599-447a-bac9-b3f2df5f9a9d"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index b9d993e3f..78e101722 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -45,7 +45,7 @@ note = """## Triage and analysis
risk_score = 47
rule_id = "954ee7c8-5437-49ae-b2d6-2960883898e9"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Resources: Investigation Guide"]
type = "eql"
query = '''
diff --git a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
index 83d060ca4..072272e2a 100644
--- a/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
+++ b/rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://posts.specterops.io/revisiting-remote-desktop-lateral-mov
risk_score = 47
rule_id = "71c5cb27-eca5-4151-bb47-64bc3f883270"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
index 2052703ce..2882ebdb3 100644
--- a/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
+++ b/rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -25,7 +25,7 @@ references = ["https://www.mdsec.co.uk/2017/06/rdpinception/"]
risk_score = 73
rule_id = "25224a80-5a4a-4b8a-991e-6ab390465c4f"
severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Lateral Movement", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Lateral Movement", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/persistence_ad_adminsdholder.toml b/rules/windows/persistence_ad_adminsdholder.toml
index 92de4f64f..84d4d80bf 100644
--- a/rules/windows/persistence_ad_adminsdholder.toml
+++ b/rules/windows/persistence_ad_adminsdholder.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
risk_score = 73
rule_id = "6e9130a5-9be6-48e5-943a-9628bfc74b18"
severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
timestamp_override = "event.ingested"
type = "query"
diff --git a/rules/windows/persistence_adobe_hijack_persistence.toml b/rules/windows/persistence_adobe_hijack_persistence.toml
index aee993eed..e721d59f5 100644
--- a/rules/windows/persistence_adobe_hijack_persistence.toml
+++ b/rules/windows/persistence_adobe_hijack_persistence.toml
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
integration = ["endpoint", "windows"]
maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
@@ -98,7 +98,7 @@ references = ["https://twitter.com/pabraeken/status/997997818362155008"]
risk_score = 21
rule_id = "2bf78aa2-9c56-48de-b139-f169bf99cf86"
severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/persistence_app_compat_shim.toml b/rules/windows/persistence_app_compat_shim.toml
index c6ca44c22..d20fcac8b 100644
--- a/rules/windows/persistence_app_compat_shim.toml
+++ b/rules/windows/persistence_app_compat_shim.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/02/22"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -20,7 +20,7 @@ name = "Installation of Custom Shim Databases"
risk_score = 47
rule_id = "c5ce48a6-7f57-4ee8-9313-3d0024caee10"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"]
type = "eql"
query = '''
diff --git a/rules/windows/persistence_appcertdlls_registry.toml b/rules/windows/persistence_appcertdlls_registry.toml
index 14fd51591..bb40701c4 100644
--- a/rules/windows/persistence_appcertdlls_registry.toml
+++ b/rules/windows/persistence_appcertdlls_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "513f0ffd-b317-4b9c-9494-92ce861f22c7"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/persistence_appinitdlls_registry.toml b/rules/windows/persistence_appinitdlls_registry.toml
index bd15a993f..e5fc6ed37 100644
--- a/rules/windows/persistence_appinitdlls_registry.toml
+++ b/rules/windows/persistence_appinitdlls_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/07"
+updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
@@ -114,7 +114,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
risk_score = 47
rule_id = "d0e159cf-73e9-40d1-a9ed-077e3158a855"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/persistence_dontexpirepasswd_account.toml b/rules/windows/persistence_dontexpirepasswd_account.toml
index 775ffe298..dbcb55b4e 100644
--- a/rules/windows/persistence_dontexpirepasswd_account.toml
+++ b/rules/windows/persistence_dontexpirepasswd_account.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -65,13 +65,13 @@ risk_score = 47
rule_id = "62a70f6f-3c37-43df-a556-f64fa475fba2"
severity = "medium"
tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Persistence",
- "Active Directory",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring"
]
timestamp_override = "event.ingested"
type = "query"
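Review bot: The multi-line tags array at the end of this hunk (persistence_dontexpirepasswd_account.toml) orders the new Active Directory tags differently from the single-line list in persistence_ad_adminsdholder.toml earlier in this diff: here `"Data Source: Active Directory"` precedes `"Resources: Investigation Guide"` and `"Use Case: Active Directory Monitoring"` is appended last, while adminsdholder puts `"Use Case: Active Directory Monitoring"` ahead of `"Data Source: Active Directory"`. The rewritten list also drops the trailing comma the removed list carried after its final element, so this array no longer matches the one-element-per-line-with-trailing-comma form it replaced. Since these tag strings are what rule filtering and repository tooling match on, one canonical order across both files keeps the migration auditable with a simple grep. Suggest `"Use Case: Active Directory Monitoring",` placed before `"Data Source: Active Directory",` and the trailing comma kept on the last element.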
diff --git a/rules/windows/persistence_driver_newterm_imphash.toml b/rules/windows/persistence_driver_newterm_imphash.toml
index f128d6080..88ece7e00 100644
--- a/rules/windows/persistence_driver_newterm_imphash.toml
+++ b/rules/windows/persistence_driver_newterm_imphash.toml
@@ -4,7 +4,7 @@ maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term"
min_stack_version = "8.6.0"
integration = ["endpoint"]
-updated_date = "2023/03/30"
+updated_date = "2023/06/22"
[transform]
[[transform.osquery]]
@@ -97,7 +97,7 @@ references = ["https://www.elastic.co/kr/security-labs/stopping-vulnerable-drive
risk_score = 47
rule_id = "df0fd41e-5590-4965-ad5e-cd079ec22fa9"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "new_terms"
diff --git a/rules/windows/persistence_evasion_hidden_local_account_creation.toml b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
index d0c734131..329215cab 100644
--- a/rules/windows/persistence_evasion_hidden_local_account_creation.toml
+++ b/rules/windows/persistence_evasion_hidden_local_account_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -56,7 +56,7 @@ references = [
risk_score = 73
rule_id = "2edc8076-291e-41e9-81e4-e3fcbc97ae5e"
severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/persistence_evasion_registry_ifeo_injection.toml b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
index 7a96e9bee..12b2965d0 100644
--- a/rules/windows/persistence_evasion_registry_ifeo_injection.toml
+++ b/rules/windows/persistence_evasion_registry_ifeo_injection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
[rule]
author = ["Elastic"]
@@ -23,7 +23,7 @@ references = [
risk_score = 47
rule_id = "6839c821-011d-43bd-bd5b-acff00257226"
severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
timestamp_override = "event.ingested"
type = "eql"
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index 3da9654a1..c5342f202 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -2,7 +2,7 @@ creation_date = "2021/03/15" integration = ["endpoint"] maturity = "production" -updated_date = "2023/03/06" +updated_date = "2023/06/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -98,7 +98,7 @@ Techniques used within malware and by adversaries often leverage the Windows reg risk_score = 73 rule_id = "c8b150f0-0164-475b-a75e-74b47800a9ff" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_gpo_schtask_service_creation.toml b/rules/windows/persistence_gpo_schtask_service_creation.toml index 8d3296713..2ad215067 100644 --- a/rules/windows/persistence_gpo_schtask_service_creation.toml +++ b/rules/windows/persistence_gpo_schtask_service_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 21 rule_id = "c0429aa8-9974-42da-bfb6-53a0a515a145" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_local_scheduled_job_creation.toml b/rules/windows/persistence_local_scheduled_job_creation.toml index 60c9972d9..a844966a9 100644 
--- a/rules/windows/persistence_local_scheduled_job_creation.toml +++ b/rules/windows/persistence_local_scheduled_job_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "1327384f-00f3-44d5-9a8c-2373ba071e92" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_local_scheduled_task_creation.toml b/rules/windows/persistence_local_scheduled_task_creation.toml index 5480c2df6..3ca4482b6 100644 --- a/rules/windows/persistence_local_scheduled_task_creation.toml +++ b/rules/windows/persistence_local_scheduled_task_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ references = [ risk_score = 21 rule_id = "afcce5ad-65de-4ed2-8516-5e093d3ac99a" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] type = "eql" query = ''' diff --git a/rules/windows/persistence_local_scheduled_task_scripting.toml b/rules/windows/persistence_local_scheduled_task_scripting.toml index f85deda2b..62615df12 100644 
--- a/rules/windows/persistence_local_scheduled_task_scripting.toml +++ b/rules/windows/persistence_local_scheduled_task_scripting.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ Decode the base64 encoded Tasks Actions registry value to investigate the task's risk_score = 47 rule_id = "689b9d57-e4d5-4357-ad17-9c334609d79a" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] type = "eql" query = ''' diff --git a/rules/windows/persistence_ms_office_addins_file.toml b/rules/windows/persistence_ms_office_addins_file.toml index 431732744..3daa7cb0e 100644 --- a/rules/windows/persistence_ms_office_addins_file.toml +++ b/rules/windows/persistence_ms_office_addins_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -22,7 +22,7 @@ references = ["https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-of risk_score = 73 rule_id = "f44fa4b6-524c-4e87-8d9e-a32599e4fb7c" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/persistence_ms_outlook_vba_template.toml b/rules/windows/persistence_ms_outlook_vba_template.toml index d8cbad2b8..213db3a03 100644 --- a/rules/windows/persistence_ms_outlook_vba_template.toml +++ b/rules/windows/persistence_ms_outlook_vba_template.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ references = [ risk_score = 47 rule_id = "397945f3-d39a-4e6f-8bcb-9656c2031438" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml index 6dada78d6..97160392c 100644 --- a/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml +++ b/rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/27" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -40,7 +40,7 @@ references = [ risk_score = 73 rule_id = "e052c845-48d0-4f46-8a13-7d0aba05df82" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Active Directory"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"] timestamp_override = "event.ingested" type = "query" 
diff --git a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml index b0adaaaf4..41375f9de 100644 --- a/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml +++ b/rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -29,7 +29,7 @@ references = [ risk_score = 47 rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_powershell_profiles.toml b/rules/windows/persistence_powershell_profiles.toml index 34f902e24..2b2a5795b 100644 --- a/rules/windows/persistence_powershell_profiles.toml +++ b/rules/windows/persistence_powershell_profiles.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ references = [ risk_score = 47 rule_id = "5cf6397e-eb91-4f31-8951-9f0eaa755a31" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml index 258644f0c..1bb39e002 100644 --- a/rules/windows/persistence_priv_escalation_via_accessibility_features.toml +++ b/rules/windows/persistence_priv_escalation_via_accessibility_features.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/02/22" +updated_date = "2023/06/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -107,7 +107,7 @@ references = ["https://www.elastic.co/blog/practical-security-engineering-statef risk_score = 73 rule_id = "7405ddf1-6c8e-41ce-818f-48bea6bcaed8" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_registry_uncommon.toml b/rules/windows/persistence_registry_uncommon.toml index fa5c9bc7f..0a99ab034 100644 --- a/rules/windows/persistence_registry_uncommon.toml +++ b/rules/windows/persistence_registry_uncommon.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/20" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -21,7 +21,7 @@ references = ["https://www.microsoftpressstore.com/articles/article.aspx?p=27620 risk_score = 47 rule_id = "54902e45-3467-49a4-8abc-529f2c8cfb80" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799" timeline_title = "Comprehensive Registry Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_remote_password_reset.toml b/rules/windows/persistence_remote_password_reset.toml index 622e761d0..38f591fcb 100644 --- a/rules/windows/persistence_remote_password_reset.toml +++ b/rules/windows/persistence_remote_password_reset.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/27" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -27,7 +27,7 @@ references = [ risk_score = 47 rule_id = "2820c9c2-bcd7-4d6e-9eba-faf3891ba450" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] type = "eql" query = ''' diff --git a/rules/windows/persistence_run_key_and_startup_broad.toml b/rules/windows/persistence_run_key_and_startup_broad.toml index f4c77f8cd..ab07e8197 100644 --- a/rules/windows/persistence_run_key_and_startup_broad.toml +++ b/rules/windows/persistence_run_key_and_startup_broad.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/27" +updated_date = "2023/06/22" [transform] [[transform.osquery]] 
@@ -103,7 +103,7 @@ Adversaries may achieve persistence by referencing a program with a registry run risk_score = 21 rule_id = "97fc44d3-8dae-4019-ae83-298c3015600f" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timeline_id = "3e47ef71-ebfc-4520-975c-cb27fc090799" timeline_title = "Comprehensive Registry Timeline" timestamp_override = "event.ingested" diff --git a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml index 566f0b61b..b85d07a3f 100644 --- a/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml +++ b/rules/windows/persistence_runtime_run_key_startup_susp_procs.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ name = "Execution of Persistent Suspicious Program" risk_score = 47 rule_id = "e7125cea-9fe1-42a5-9a05-b0792cf86f5a" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] type = "eql" query = ''' diff --git a/rules/windows/persistence_scheduled_task_creation_winlog.toml b/rules/windows/persistence_scheduled_task_creation_winlog.toml index ed7291b82..2204f0fc2 100644 --- a/rules/windows/persistence_scheduled_task_creation_winlog.toml +++ b/rules/windows/persistence_scheduled_task_creation_winlog.toml 
@@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/27" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -22,7 +22,7 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti risk_score = 21 rule_id = "92a6faf5-78ec-4e25-bea1-73bacc9b59d9" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_scheduled_task_updated.toml b/rules/windows/persistence_scheduled_task_updated.toml index 12f29c89b..e96785744 100644 --- a/rules/windows/persistence_scheduled_task_updated.toml +++ b/rules/windows/persistence_scheduled_task_updated.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/27" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti risk_score = 21 rule_id = "a02cb68e-7c93-48d1-93b2-2c39023308eb" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml index 5a4080384..c4c678d43 100644 --- a/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml +++ b/rules/windows/persistence_sdprop_exclusion_dsheuristics.toml 
@@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/27" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -84,13 +84,13 @@ risk_score = 73 rule_id = "61d29caf-6c15-4d1e-9ccb-7ad12ccc0bc7" severity = "high" tags = [ - "Elastic", - "Host", - "Windows", - "Threat Detection", - "Persistence", - "Active Directory", - "Investigation Guide", + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Persistence", + "Data Source: Active Directory", + "Resources: Investigation Guide", + "Use Case: Active Directory Monitoring" ] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_service_dll_unsigned.toml b/rules/windows/persistence_service_dll_unsigned.toml index 1b72dd9e1..cbbc1a170 100644 --- a/rules/windows/persistence_service_dll_unsigned.toml +++ b/rules/windows/persistence_service_dll_unsigned.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: dll.Ext.relative_file_creation_time is populated in Elastic Endpoint 8.4 and above." min_stack_version = "8.4.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ name = "Unsigned DLL Loaded by Svchost" risk_score = 47 rule_id = "78ef0c95-9dc2-40ac-a8da-5deb6293a14e" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_service_windows_service_winlog.toml b/rules/windows/persistence_service_windows_service_winlog.toml index 375ab18f7..6ea1d13a7 100644 --- a/rules/windows/persistence_service_windows_service_winlog.toml 
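Review bot: The multi-line tags array in the `@@ -84,13 +84,13 @@` hunk of persistence_sdprop_exclusion_dsheuristics.toml orders the Active Directory tags differently from the other two AD rules in this change: here the list ends `"Data Source: Active Directory", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring"`, whereas persistence_msds_alloweddelegateto_krbtgt and persistence_user_account_added_to_privileged_group_ad both end with `"Use Case: Active Directory Monitoring", "Data Source: Active Directory"`. Tag order is cosmetic for Kibana, but since these values are now a controlled vocabulary, a consistent order makes the diff and any future tag-schema lint easier to read. I would reorder the trailing entries to `"Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"` to match the privileged-group rule. Also, the new last element `"Use Case: Active Directory Monitoring"` carries no trailing comma; that is valid TOML, but a trailing comma keeps future additions to a one-line diff.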
+++ b/rules/windows/persistence_service_windows_service_winlog.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/05/18" +updated_date = "2023/06/22" [transform] [[transform.osquery]] @@ -94,7 +94,7 @@ This rule looks for suspicious services being created with suspicious traits com risk_score = 47 rule_id = "da87eee1-129c-4661-a7aa-57d0b9645fad" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_services_registry.toml b/rules/windows/persistence_services_registry.toml index 7b3f03df4..bf40f7b56 100644 --- a/rules/windows/persistence_services_registry.toml +++ b/rules/windows/persistence_services_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -21,7 +21,7 @@ name = "Unusual Persistence via Services Registry" risk_score = 21 rule_id = "403ef0d3-8259-40c9-a5b6-d48354712e49" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml index 56a07c77a..57601c31d 100644 
--- a/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/03/06" +updated_date = "2023/06/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -107,7 +107,7 @@ references = ["https://www.elastic.co/security-labs/hunting-for-persistence-usin risk_score = 47 rule_id = "440e2db4-bc7f-4c96-a068-65b78da59bde" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml index a9ccbc9c2..c93e826ce 100644 --- a/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml +++ b/rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/29" integration = ["endpoint"] maturity = "production" -updated_date = "2023/02/22" +updated_date = "2023/06/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" 
@@ -102,7 +102,7 @@ This rule looks for unsigned processes writing to the Startup folder locations. risk_score = 47 rule_id = "2fba96c0-ade5-4bce-b92f-a5df2509da3f" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide"] type = "eql" query = ''' diff --git a/rules/windows/persistence_startup_folder_scripts.toml b/rules/windows/persistence_startup_folder_scripts.toml index d4db24bbe..c3276a1cb 100644 --- a/rules/windows/persistence_startup_folder_scripts.toml +++ b/rules/windows/persistence_startup_folder_scripts.toml @@ -2,7 +2,7 @@ creation_date = "2020/11/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/03/06" +updated_date = "2023/06/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -106,7 +106,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "f7c4dc5a-a58d-491d-9f14-9b66507121c0" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_suspicious_com_hijack_registry.toml b/rules/windows/persistence_suspicious_com_hijack_registry.toml index c9229dea9..8e1675084 100644 --- a/rules/windows/persistence_suspicious_com_hijack_registry.toml +++ b/rules/windows/persistence_suspicious_com_hijack_registry.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/20" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -69,7 +69,7 @@ references = [ risk_score = 47 rule_id = "16a52c14-7883-47af-8745-9357803f0d4c" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml index 616192d7c..01350c04d 100644 --- a/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml +++ b/rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -30,7 +30,7 @@ references = [ risk_score = 21 rule_id = "baa5d22c-5e1c-4f33-bfc9-efa73bb53022" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml index 91e748260..311623f48 100644 
--- a/rules/windows/persistence_suspicious_scheduled_task_runtime.toml +++ b/rules/windows/persistence_suspicious_scheduled_task_runtime.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -22,7 +22,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "5d1d6907-0747-4d5d-9b24-e4a18853dc0a" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_suspicious_service_created_registry.toml b/rules/windows/persistence_suspicious_service_created_registry.toml index 835013f0b..fd735248b 100644 --- a/rules/windows/persistence_suspicious_service_created_registry.toml +++ b/rules/windows/persistence_suspicious_service_created_registry.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -20,7 +20,7 @@ name = "Suspicious ImagePath Service Creation" risk_score = 73 rule_id = "36a8e048-d888-4f61-a8b9-0f9e2e40f317" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/persistence_system_shells_via_services.toml b/rules/windows/persistence_system_shells_via_services.toml index 15d60083d..0bf2c8c09 100644 --- a/rules/windows/persistence_system_shells_via_services.toml +++ b/rules/windows/persistence_system_shells_via_services.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/30" +updated_date = "2023/06/22" [transform] [[transform.osquery]] @@ -81,7 +81,7 @@ This rule looks for system shells being spawned by `services.exe`, which is comp risk_score = 47 rule_id = "0022d47d-39c7-4f69-a232-4fe9dc7a3acd" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_temp_scheduled_task.toml b/rules/windows/persistence_temp_scheduled_task.toml index 430f84018..518de3a8f 100644 --- a/rules/windows/persistence_temp_scheduled_task.toml +++ b/rules/windows/persistence_temp_scheduled_task.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/27" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -22,7 +22,7 @@ references = ["https://docs.microsoft.com/en-us/windows/security/threat-protecti risk_score = 47 rule_id = "81ff45f8-f8c2-4e28-992e-5a0e8d98e0fe" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"] type = "eql" query = ''' diff --git a/rules/windows/persistence_time_provider_mod.toml b/rules/windows/persistence_time_provider_mod.toml index 642d59506..11af0e1ff 100644 --- a/rules/windows/persistence_time_provider_mod.toml +++ b/rules/windows/persistence_time_provider_mod.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -23,7 +23,7 @@ references = ["https://pentestlab.blog/2019/10/22/persistence-time-providers/"] risk_score = 47 rule_id = "14ed1aa9-ebfd-4cf9-a463-0ac59ec55204" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml index e7c9a62fa..dd4dc6de4 100644 --- a/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml +++ b/rules/windows/persistence_user_account_added_to_privileged_group_ad.toml 
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic", "Skoetting"]
@@ -57,7 +57,7 @@ references = [
 risk_score = 47
 rule_id = "5cd8e1f7-0050-4afc-b2df-904e40b2f5ae"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Active Directory"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_user_account_creation.toml b/rules/windows/persistence_user_account_creation.toml
index cb70c3972..0d51dc93a 100644
--- a/rules/windows/persistence_user_account_creation.toml
+++ b/rules/windows/persistence_user_account_creation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -57,7 +57,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "1aa9181a-492b-4c01-8b16-fa0735786b2b"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index 0e86da94d..57660e617 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
@@ -2,7 +2,7 @@ creation_date = "2021/01/04"
 integration = ["system", "windows"]
 maturity = "development"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Skoetting"]
@@ -24,7 +24,7 @@ name = "Windows User Account Creation"
 risk_score = 21
 rule_id = "38e17753-f581-4644-84da-0d60a8318694"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/persistence_via_application_shimming.toml b/rules/windows/persistence_via_application_shimming.toml
index 634a55986..50a2b8b2d 100644
--- a/rules/windows/persistence_via_application_shimming.toml
+++ b/rules/windows/persistence_via_application_shimming.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 21
 rule_id = "fd4a992d-6130-4802-9ff8-829b89ae801f"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_via_bits_job_notify_command.toml b/rules/windows/persistence_via_bits_job_notify_command.toml
index 2d35264e8..651c9b3be 100644
--- a/rules/windows/persistence_via_bits_job_notify_command.toml
+++ b/rules/windows/persistence_via_bits_job_notify_command.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = [
 risk_score = 47
 rule_id = "c3b915e0-22f3-4bf7-991d-b643513c722f"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_via_hidden_run_key_valuename.toml b/rules/windows/persistence_via_hidden_run_key_valuename.toml
index 5c698c28a..ed63e3fa3 100644
--- a/rules/windows/persistence_via_hidden_run_key_valuename.toml
+++ b/rules/windows/persistence_via_hidden_run_key_valuename.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = [
 risk_score = 73
 rule_id = "a9b05c3b-b304-4bf9-970d-acdfaef2944c"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
index 7e2cbe1f7..7dafe2a26 100644
--- a/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
+++ b/rules/windows/persistence_via_lsa_security_support_provider_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version
 risk_score = 47
 rule_id = "e86da94d-e54b-4fb5-b96c-cecff87e8787"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
index c37fa2d35..7ef92b357 100644
--- a/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
+++ b/rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 73
 rule_id = "68921d85-d0dc-48b3-865f-43291ca2c4f2"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
index 921ad8732..fdfbdd3e7 100644
--- a/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
+++ b/rules/windows/persistence_via_update_orchestrator_service_hijack.toml
@@ -2,7 +2,7 @@ creation_date = "2020/08/17"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -103,7 +103,7 @@ references = ["https://github.com/irsl/CVE-2020-1313"]
 risk_score = 73
 rule_id = "265db8f5-fc73-4d0d-b434-6483b56372e2"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "CVE-2020-1313", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Use Case: Vulnerability", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
index 8d9a778a7..9b231cf8f 100644
--- a/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
+++ b/rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
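Review bot: The new `+tags` line in the `@@ -103,7 +103,7 @@` hunk of persistence_via_update_orchestrator_service_hijack.toml drops the `CVE-2020-1313` tag and replaces it with the generic `Use Case: Vulnerability`, so the CVE identifier now survives only inside the reference URL on the hunk's context line. Analysts who pivot or filter on CVE tags lose that handle, and this is the only file in the visible diff where a tag carrying information is removed rather than renamed. If the new taxonomy deliberately excludes CVE-specific tags, it would be worth confirming that the CVE appears in the rule's name or description (outside this hunk) so the rule stays discoverable by identifier.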
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = ["https://www.elastic.co/security-labs/hunting-for-persistence-usin
 risk_score = 21
 rule_id = "9b6813a1-daf1-457e-b0e6-0bb4e55b8a4c"
 severity = "low"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
index a6bc559fc..0c0f4732a 100644
--- a/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
+++ b/rules/windows/persistence_via_wmi_stdregprov_run_services.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ references = [
 risk_score = 73
 rule_id = "70d12c9c-0dbd-4a1a-bc44-1467502c9cf6"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/persistence_webshell_detection.toml b/rules/windows/persistence_webshell_detection.toml
index 2d5fd41f5..8cc385eae 100644
--- a/rules/windows/persistence_webshell_detection.toml
+++ b/rules/windows/persistence_webshell_detection.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -75,7 +75,7 @@ references = [
 risk_score = 73
 rule_id = "2917d495-59bd-4250-b395-c29409b76086"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_create_process_as_different_user.toml b/rules/windows/privilege_escalation_create_process_as_different_user.toml
index 509e493dd..d977ea681 100644
--- a/rules/windows/privilege_escalation_create_process_as_different_user.toml
+++ b/rules/windows/privilege_escalation_create_process_as_different_user.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -28,7 +28,7 @@ references = ["https://attack.mitre.org/techniques/T1134/002/"]
 risk_score = 47
 rule_id = "42eeee3d-947f-46d3-a14d-7036b962c266"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "eql"
 query = '''
diff --git a/rules/windows/privilege_escalation_credroaming_ldap.toml b/rules/windows/privilege_escalation_credroaming_ldap.toml
index b3327fb16..ce02a86d7 100644
--- a/rules/windows/privilege_escalation_credroaming_ldap.toml
+++ b/rules/windows/privilege_escalation_credroaming_ldap.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -50,7 +50,7 @@ references = [
 risk_score = 47
 rule_id = "670b3b5a-35e5-42db-bd36-6c5b9b4b7313"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Active Directory", "Privilege Escalation"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Data Source: Active Directory", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_disable_uac_registry.toml b/rules/windows/privilege_escalation_disable_uac_registry.toml
index 51f9c91d0..5f68e0bb8 100644
--- a/rules/windows/privilege_escalation_disable_uac_registry.toml
+++ b/rules/windows/privilege_escalation_disable_uac_registry.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -78,7 +78,7 @@ references = [
 risk_score = 47
 rule_id = "d31f183a-e5b1-451b-8534-ba62bca0b404"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_group_policy_iniscript.toml b/rules/windows/privilege_escalation_group_policy_iniscript.toml
index 99e5946cb..609d3a652 100644
--- a/rules/windows/privilege_escalation_group_policy_iniscript.toml
+++ b/rules/windows/privilege_escalation_group_policy_iniscript.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -86,13 +86,13 @@ risk_score = 47
 rule_id = "16fac1a1-21ee-4ca6-b720-458e3855d046"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Privilege Escalation",
- "Active Directory",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
index 2c25444e2..8ba7f049c 100644
--- a/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
+++ b/rules/windows/privilege_escalation_group_policy_privileged_groups.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -68,13 +68,13 @@ risk_score = 73
 rule_id = "b9554892-5e0e-424b-83a0-5aef95aa43bf"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Privilege Escalation",
- "Active Directory",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
index 3cd9e54fd..65122c94e 100644
--- a/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
+++ b/rules/windows/privilege_escalation_group_policy_scheduled_task.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -88,13 +88,13 @@ risk_score = 47
 rule_id = "15a8ba77-1c13-4274-88fe-6bd14133861e"
 severity = "medium"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Privilege Escalation",
- "Active Directory",
- "Investigation Guide",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Data Source: Active Directory",
+ "Resources: Investigation Guide",
+ "Use Case: Active Directory Monitoring"
 ]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_installertakeover.toml b/rules/windows/privilege_escalation_installertakeover.toml
index 9f89f8d45..a6e5b9083 100644
--- a/rules/windows/privilege_escalation_installertakeover.toml
+++ b/rules/windows/privilege_escalation_installertakeover.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/02/27"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -106,7 +106,7 @@ references = ["https://github.com/klinix5/InstallerFileTakeOver"]
 risk_score = 73
 rule_id = "58c6d58b-a0d3-412d-b3b8-0981a9400607"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
index 85c8f745e..07bf29f33 100644
--- a/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
+++ b/rules/windows/privilege_escalation_krbrelayup_service_creation.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/27"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -27,7 +27,7 @@ references = [
 risk_score = 73
 rule_id = "e4e31051-ee01-4307-a6ee-b21b186958f4"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Credential Access", "Active Directory"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Tactic: Credential Access", "Use Case: Active Directory Monitoring", "Data Source: Active Directory"]
 type = "eql"
 query = '''
diff --git a/rules/windows/privilege_escalation_lsa_auth_package.toml b/rules/windows/privilege_escalation_lsa_auth_package.toml
index 8d8af2708..2b714a6d5 100644
--- a/rules/windows/privilege_escalation_lsa_auth_package.toml
+++ b/rules/windows/privilege_escalation_lsa_auth_package.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ name = "Potential LSA Authentication Package Abuse"
 risk_score = 47
 rule_id = "e9abe69b-1deb-4e19-ac4a-5d5ac00f72eb"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_named_pipe_impersonation.toml b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
index 3dad88a1e..597948a7b 100644
--- a/rules/windows/privilege_escalation_named_pipe_impersonation.toml
+++ b/rules/windows/privilege_escalation_named_pipe_impersonation.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/07"
+updated_date = "2023/06/22"
 [transform]
 [[transform.osquery]]
@@ -106,13 +106,12 @@ risk_score = 73
 rule_id = "3ecbdc9e-e4f2-43fa-8cca-63802125e582"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Privilege Escalation",
- "Investigation Guide",
- "Elastic Endgame",
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame",
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index b87f40a03..754a38f26 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -74,14 +74,13 @@ risk_score = 73
 rule_id = "bfeaf89b-a2a7-48a3-817f-e41829dc61ee"
 severity = "high"
 tags = [
- "Elastic",
- "Host",
- "Windows",
- "Threat Detection",
- "Persistence",
- "Privilege Escalation",
- "Investigation Guide",
- "Elastic Endgame"
+ "Domain: Endpoint",
+ "OS: Windows",
+ "Use Case: Threat Detection",
+ "Tactic: Persistence",
+ "Tactic: Privilege Escalation",
+ "Resources: Investigation Guide",
+ "Data Source: Elastic Endgame"
 ]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
index 9376757c6..62d89d546 100644
--- a/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
+++ b/rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -22,7 +22,7 @@ references = ["https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-gro
 risk_score = 47
 rule_id = "8f3e91c7-d791-4704-80a1-42c160d7aa27"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_posh_token_impersonation.toml b/rules/windows/privilege_escalation_posh_token_impersonation.toml
index a140b2df8..6028f33f2 100644
--- a/rules/windows/privilege_escalation_posh_token_impersonation.toml
+++ b/rules/windows/privilege_escalation_posh_token_impersonation.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/04/20"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -46,7 +46,7 @@ references = [
 risk_score = 47
 rule_id = "11dd9713-0ec6-4110-9707-32daae1ee68c"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "PowerShell"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: PowerShell Logs"]
 timestamp_override = "event.ingested"
 type = "query"
diff --git a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
index e644f3118..2e92c1b2d 100644
--- a/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
+++ b/rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -26,7 +26,7 @@ references = [
 risk_score = 73
 rule_id = "bd7eefee-f671-494e-98df-f01daf9e5f17"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
 type = "eql"
 query = '''
diff --git a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
index 93c029b11..7050d5f10 100644
--- a/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -29,7 +29,7 @@ references = [
 risk_score = 73
 rule_id = "5bb4a95d-5a08-48eb-80db-4c3a63ec78a8"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
index 2da0ddfc9..99625086e 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34
 risk_score = 47
 rule_id = "c4818812-d44f-47be-aaef-4cfb2f9cc799"
 severity = "medium"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
index 3f78724ba..c6326b664 100644
--- a/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
+++ b/rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
@@ -2,7 +2,7 @@ creation_date = "2020/08/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
@@ -104,7 +104,7 @@ references = ["https://safebreach.com/Post/How-we-bypassed-CVE-2020-1048-Patch-a
 risk_score = 73
 rule_id = "a7ccae7b-9d2c-44b2-a061-98e5946971fa"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame", "Use Case: Vulnerability"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
index 264d3b3d6..4b57ed5e2 100644
--- a/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
+++ b/rules/windows/privilege_escalation_rogue_windir_environment_var.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/03/06"
+updated_date = "2023/06/22"
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ references = ["https://www.tiraniddo.dev/2017/05/exploiting-environment-variable
 risk_score = 73
 rule_id = "d563aaba-2e72-462b-8658-3e5ea22db3a6"
 severity = "high"
-tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"]
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"]
 timestamp_override = "event.ingested"
 type = "eql"
diff --git a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
index 620f8fc75..d0c82fae2 100644
--- a/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
+++ b/rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
@@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/27" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -32,7 +32,7 @@ references = [ risk_score = 73 rule_id = "bdcf646b-08d4-492c-870a-6c04e3700034" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence", "Privilege Escalation", "Active Directory"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml index 303d9641f..9c4132221 100644 --- a/rules/windows/privilege_escalation_service_control_spawned_script_int.toml +++ b/rules/windows/privilege_escalation_service_control_spawned_script_int.toml @@ -80,7 +80,7 @@ The `sc.exe` command line utility is used to manage and control Windows services risk_score = 21 rule_id = "e8571d5f-bea1-46c2-9f56-998de2d3ed95" severity = "low" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame", "Investigation Guide"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Resources: Investigation Guide"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml index 0d0d686d7..5640bdd05 100644 --- a/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml 
+++ b/rules/windows/privilege_escalation_suspicious_dnshostname_update.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/27" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ references = [ risk_score = 73 rule_id = "6bed021a-0afb-461c-acbe-ffdb9574d3f3" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Active Directory"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Active Directory Monitoring", "Data Source: Active Directory", "Use Case: Vulnerability"] type = "eql" query = ''' diff --git a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml index 8b521152f..a1be5270e 100644 --- a/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml +++ b/rules/windows/privilege_escalation_tokenmanip_sedebugpriv_enabled.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -41,7 +41,7 @@ references = [ risk_score = 47 rule_id = "97020e61-e591-4191-8a3b-2861a2b887cd" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml index 5f1fa1147..5e057dd43 100644 
--- a/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_clipup.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ references = ["https://github.com/hfiref0x/UACME"] risk_score = 73 rule_id = "b90cdde7-7e0d-4359-8bf0-2c112ce2008a" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml index 9528569ac..61e2acccf 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ references = ["https://swapcontext.blogspot.com/2020/11/uac-bypasses-from-comaut risk_score = 47 rule_id = "fc7c0fa4-8f03-4b3e-8336-c5feab0be022" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml index 23003f3cb..8e217b215 100644 --- a/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml +++ b/rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "68d56fdc-7ffa-4419-8e95-81641bd6f845" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml index 8dfcc0d8a..9f73441e4 100644 --- a/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -24,7 +24,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "1dcc51f6-ba26-49e7-9ef4-2655abb2361e" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml index 2ecf18052..a90bec5c8 100644 --- a/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml +++ b/rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -28,7 +28,7 @@ references = [ risk_score = 73 rule_id = "5a14d01d-7ac8-4545-914c-b687c2cf66b3" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml index fe91f59da..7738c61ca 100644 --- a/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml +++ b/rules/windows/privilege_escalation_uac_bypass_event_viewer.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/03/17" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/03/06" +updated_date = "2023/06/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -104,7 +104,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 73 rule_id = "31b4c719-f2b4-41f6-a9bd-fce93c2eaf62" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml index 2b2c50b98..81f6596aa 100644 --- a/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml +++ b/rules/windows/privilege_escalation_uac_bypass_mock_windir.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/26" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/03/06" +updated_date = "2023/06/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -104,7 +104,7 @@ references = ["https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted risk_score = 73 rule_id = "290aca65-e94d-403b-ba0f-62f320e63f51" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" 
diff --git a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml index c01efb61c..711f8ae58 100644 --- a/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml +++ b/rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml @@ -2,7 +2,7 @@ creation_date = "2020/10/14" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/03/06" +updated_date = "2023/06/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -104,7 +104,7 @@ references = ["https://github.com/AzAgarampur/byeintegrity-uac"] risk_score = 47 rule_id = "1178ae09-5aff-460a-9f2f-455cd0ac4d8e" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_uac_sdclt.toml b/rules/windows/privilege_escalation_uac_sdclt.toml index 3c32d79b0..eb2be634c 100644 --- a/rules/windows/privilege_escalation_uac_sdclt.toml +++ b/rules/windows/privilege_escalation_uac_sdclt.toml @@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint", "windows"] maturity = "development" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -18,7 +18,7 @@ name = "Bypass UAC via Sdclt" risk_score = 73 rule_id = "9b54e002-034a-47ac-9307-ad12c03fa900" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "eql" query = ''' 
diff --git a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml index b1ef35423..29dd0c8d6 100644 --- a/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml +++ b/rules/windows/privilege_escalation_unusual_parentchild_relationship.toml @@ -2,7 +2,7 @@ creation_date = "2020/02/18" integration = ["endpoint", "windows"] maturity = "production" -updated_date = "2023/03/06" +updated_date = "2023/06/22" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -104,7 +104,7 @@ references = [ risk_score = 47 rule_id = "35df0dd8-092d-4a83-88c1-5151a804f31b" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Investigation Guide", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Resources: Investigation Guide", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml index aace35f0c..c2ae801ff 100644 --- a/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml +++ b/rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] 
@@ -31,7 +31,7 @@ references = ["https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34 risk_score = 47 rule_id = "ee5300a7-7e31-4a72-a258-250abb8b3aa1" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Use Case: Vulnerability"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml index 8b2798230..6b7cede3e 100644 --- a/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml +++ b/rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml @@ -4,7 +4,7 @@ integration = ["endpoint", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/03/06" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -25,7 +25,7 @@ If enabling an EQL rule on a non-elastic-agent index (such as beats) for version risk_score = 47 rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7" severity = "medium" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion", "Privilege Escalation", "Elastic Endgame"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_via_ppid_spoofing.toml b/rules/windows/privilege_escalation_via_ppid_spoofing.toml index e6651c5c6..1adc09548 100644 --- a/rules/windows/privilege_escalation_via_ppid_spoofing.toml +++ b/rules/windows/privilege_escalation_via_ppid_spoofing.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -26,7 +26,7 @@ references = [ risk_score = 73 rule_id = "26b01043-4f04-4d2f-882a-5a1d2e95751b" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml index 126c6aa25..94a7268c4 100644 --- a/rules/windows/privilege_escalation_via_rogue_named_pipe.toml +++ b/rules/windows/privilege_escalation_via_rogue_named_pipe.toml @@ -4,7 +4,7 @@ integration = ["windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -33,7 +33,7 @@ references = [ risk_score = 73 rule_id = "76ddb638-abf7-42d5-be22-4a70b0bf7241" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation", "Sysmon Only"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Sysmon Only"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_via_token_theft.toml b/rules/windows/privilege_escalation_via_token_theft.toml index d5f304812..e3d6a5e89 100644 --- a/rules/windows/privilege_escalation_via_token_theft.toml +++ b/rules/windows/privilege_escalation_via_token_theft.toml 
@@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, process.Ext.effective_parent.executable" min_stack_version = "8.4.0" -updated_date = "2023/03/07" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -24,7 +24,7 @@ references = [ risk_score = 73 rule_id = "02a23ee7-c8f8-4701-b99d-e9038ce313cb" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "eql" diff --git a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml index 9f8ba5599..9733b19b6 100644 --- a/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml +++ b/rules/windows/privilege_escalation_windows_service_via_unusual_client.toml @@ -4,7 +4,7 @@ integration = ["system", "windows"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/04/27" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -42,7 +42,7 @@ references = [ risk_score = 73 rule_id = "55c2bf58-2a39-4c58-a384-c8b1978153c2" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] timestamp_override = "event.ingested" type = "query" diff --git a/rules/windows/privilege_escalation_wpad_exploitation.toml b/rules/windows/privilege_escalation_wpad_exploitation.toml index 453016e47..8817e2add 100644 --- a/rules/windows/privilege_escalation_wpad_exploitation.toml +++ b/rules/windows/privilege_escalation_wpad_exploitation.toml 
@@ -2,7 +2,7 @@ creation_date = "2020/09/02" integration = ["endpoint"] maturity = "development" -updated_date = "2023/02/22" +updated_date = "2023/06/22" [rule] author = ["Elastic"] @@ -19,7 +19,7 @@ name = "WPAD Service Exploit" risk_score = 73 rule_id = "ec328da1-d5df-482b-866c-4a435692b1f3" severity = "high" -tags = ["Elastic", "Host", "Windows", "Threat Detection", "Privilege Escalation"] +tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "eql" query = ''' diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index bfd502715..f13325bd7 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
@@ -243,11 +243,65 @@ class TestRuleTags(BaseRuleTest): """Ensure consistent and expected casing for controlled tags.""" expected_tags = [ - 'APM', 'AWS', 'Asset Visibility', 'Azure', 'Configuration Audit', 'Continuous Monitoring', - 'Data Protection', 'Elastic', 'Elastic Endgame', 'Endpoint Security', 'GCP', 'Identity and Access', - 'Investigation Guide', 'Linux', 'Logging', 'ML', 'macOS', 'Monitoring', 'Network', 'Okta', 'Packetbeat', - 'Post-Execution', 'SecOps', 'Windows' + 'Data Source: Active Directory', + 'Data Source: Amazon Web Services', + 'Data Source: AWS', + 'Data Source: APM', + 'Data Source: Azure', + 'Data Source: CyberArk PAS', + 'Data Source: Elastic Defend', + 'Data Source: Elastic Defend for Containers', + 'Data Source: Elastic Endgame', + 'Data Source: GCP', + 'Data Source: Google Cloud Platform', + 'Data Source: Google Workspace', + 'Data Source: Kubernetes', + 'Data Source: Microsoft 365', + 'Data Source: Okta', + 'Data Source: PowerShell Logs', + 'Data Source: Sysmon Only', + 'Data Source: Zoom', + 'Domain: Cloud', + 'Domain: Container', + 'Domain: Endpoint', + 'OS: Linux', + 'OS: macOS', + 'OS: Windows', + 'Resources: Investigation Guide', + 'Rule Type: Higher-Order Rule', + 'Rule Type: Machine Learning', + 'Rule Type: ML', + 'Tactic: Collection', + 'Tactic: Command and Control', + 'Tactic: Credential Access', + 'Tactic: Defense Evasion', + 'Tactic: Discovery', + 'Tactic: Execution', + 'Tactic: Exfiltration', + 'Tactic: Impact', + 'Tactic: Initial Access', + 'Tactic: Lateral Movement', + 'Tactic: Persistence', + 'Tactic: Privilege Escalation', + 'Tactic: Reconnaissance', + 'Tactic: Resource Development', + 'Threat: BPFDoor', + 'Threat: Cobalt Strike', + 'Threat: Lightning Framework', + 'Threat: Orbit', + 'Threat: Rootkit', + 'Threat: TripleCross', + 'Use Case: Active Directory Monitoring', + 'Use Case: Asset Visibility', + 'Use Case: Configuration Audit', + 'Use case: Guided Onboarding', + 'Use Case: Identity and Access Audit', + 'Use Case: 
Log Auditing', + 'Use Case: Network Security Monitoring', + 'Use Case: Threat Detection', + 'Use Case: Vulnerability', ] + expected_case = {t.casefold(): t for t in expected_tags} for rule in self.all_rules: 
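Review bot: `'Use case: Guided Onboarding'` in the new expected_tags list spells "case" in lowercase while every other entry uses `Use Case:`, and because the casing check is driven by `expected_case = {t.casefold(): t for t in expected_tags}` this makes the lowercase form the enforced canonical spelling, so a rule tagged `Use Case: Guided Onboarding` would be reported as mis-cased. The entry should read `'Use Case: Guided Onboarding',`. A one-line guard such as `assert len(expected_case) == len(expected_tags)` before the loop would also catch any future pair of entries that differ only by case. The enclosing method's signature is above the hunk.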
@@ -265,22 +319,24 @@ class TestRuleTags(BaseRuleTest): def test_required_tags(self): """Test that expected tags are present within rules.""" - # indexes considered; only those with obvious relationships included - # 'apm-*-transaction*', 'traces-apm*', 'auditbeat-*', 'endgame-*', 'filebeat-*', 'logs-*', 'logs-aws*', - # 'logs-endpoint.alerts-*', 'logs-endpoint.events.*', 'logs-okta*', 'packetbeat-*', 'winlogbeat-*' required_tags_map = { - 'apm-*-transaction*': {'all': ['APM']}, - 'traces-apm*': {'all': ['APM']}, - 'auditbeat-*': {'any': ['Windows', 'macOS', 'Linux']}, - 'endgame-*': {'all': ['Elastic Endgame']}, - 'logs-aws*': {'all': ['AWS']}, - 'logs-endpoint.alerts-*': {'all': ['Endpoint Security']}, - 'logs-endpoint.events.*': {'any': ['Windows', 'macOS', 'Linux', 'Host']}, - 'logs-okta*': {'all': ['Okta']}, - 'logs-windows.*': {'all': ['Windows']}, - 'packetbeat-*': {'all': ['Network']}, - 'winlogbeat-*': {'all': ['Windows']} + 'logs-endpoint.events.*': {'all': ['Domain: Endpoint']}, + 'endgame-*': {'all': ['Data Source: Elastic Endgame']}, + 'logs-aws*': {'all': ['Data Source: AWS', 'Data Source: Amazon Web Services', 'Domain: Cloud']}, + 'logs-azure*': {'all': ['Data Source: Azure', 'Domain: Cloud']}, + 'logs-o365*': {'all': ['Data Source: Microsoft 365', 'Domain: Cloud']}, + 'logs-okta*': {'all': ['Data Source: Okta']}, + 'logs-gcp*': {'all': ['Data Source: Google Cloud Platform', 'Data Source: GCP', 'Domain: Cloud']}, + 'logs-google_workspace*': {'all': ['Data Source: Google Workspace', 'Domain: Cloud']}, + 'logs-cloud_defend.alerts-*': {'all': ['Data Source: Elastic Defend for Containers', 'Domain: Container']}, + 'logs-cloud_defend*': {'all': ['Data Source: Elastic Defend for Containers', 'Domain: Container']}, + 'logs-kubernetes.*': {'all': ['Data Source: Kubernetes']}, + 'apm-*-transaction*': {'all': ['Data Source: APM']}, + 'traces-apm*': {'all': ['Data Source: APM']}, + '.alerts-security.*': {'all': ['Rule Type: Higher-Order Rule']}, + 
'logs-cyberarkpas.audit*': {'all': ['Data Source: CyberArk PAS']}, + 'logs-endpoint.alerts-*': {'all': ['Data Source: Elastic Defend']} } for rule in self.all_rules: @@ -291,9 +347,6 @@ class TestRuleTags(BaseRuleTest): is_missing_any_tags = False missing_required_tags = set() - if 'Elastic' not in rule_tags: - missing_required_tags.add('Elastic') - if isinstance(rule.contents.data, QueryRuleData): for index in rule.contents.data.index: expected_tags = required_tags_map.get(index, {}) @@ -331,10 +384,7 @@ class TestRuleTags(BaseRuleTest): if threat: missing = [] threat_tactic_names = [e.tactic.name for e in threat] - primary_tactic = threat_tactic_names[0] - - if 'Threat Detection' not in rule_tags: - missing.append('Threat Detection') + primary_tactic = f"Tactic: {threat_tactic_names[0]}" # missing primary tactic if primary_tactic not in rule.contents.data.tags: 
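Review bot: In the `@@ -331` hunk the removed `'Threat Detection'` requirement is dropped without a successor, although the rule files in this same commit are all retagged with `Use Case: Threat Detection`; after this change no visible check enforces that tag. Unless it is covered elsewhere outside the diff, the check should be carried over in its new form, e.g. `if 'Use Case: Threat Detection' not in rule_tags:` followed by `missing.append('Use Case: Threat Detection')`, placed next to the new `primary_tactic = f"Tactic: {threat_tactic_names[0]}"` line. The enclosing method's signature and the rest of its body are outside the hunk.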
@@ -357,6 +407,67 @@ class TestRuleTags(BaseRuleTest): err_msg = '\n'.join(invalid) self.fail(f'Rules with misaligned tags and tactics:\n{err_msg}') + def test_os_tags(self): + """Test that OS tags are present within rules.""" + required_tags_map = { + 'linux': 'OS: Linux', + 'macos': 'OS: macOS', + 'windows': 'OS: Windows' + } + invalid = [] + for rule in self.all_rules: + dir_name = rule.path.parent.name + # if directory name is linux, macos, or windows, + # ensure the rule has the corresponding tag + if dir_name in ['linux', 'macos', 'windows']: + if required_tags_map[dir_name] not in rule.contents.data.tags: + err_msg = self.rule_str(rule) + err_msg += f'\n expected: {required_tags_map[dir_name]}' + invalid.append(err_msg) + + if invalid: + err_msg = '\n'.join(invalid) + self.fail(f'Rules with missing OS tags:\n{err_msg}') + + def test_ml_rule_type_tags(self): + """Test that ML rule type tags are present within rules.""" + invalid = [] + + for rule in self.all_rules: + rule_tags = rule.contents.data.tags + + if rule.contents.data.type == 'machine_learning': + if 'Rule Type: Machine Learning' not in rule_tags: + err_msg = self.rule_str(rule) + err_msg += '\n expected: Rule Type: Machine Learning' + invalid.append(err_msg) + if 'Rule Type: ML' not in rule_tags: + err_msg = self.rule_str(rule) + err_msg += '\n expected: Rule Type: ML' + invalid.append(err_msg) + + if invalid: + err_msg = '\n'.join(invalid) + self.fail(f'Rules with misaligned ML rule type tags:\n{err_msg}') + + @unittest.skip("Skipping until all Investigation Guides follow the proper format.") + def test_investigation_guide_tag(self): + """Test that investigation guide tags are present within rules.""" + invalid = [] + for rule in self.all_rules: + note = rule.contents.data.get('note') + if note is not None: + results = re.search(r'Investigating', note, re.M) + if results is not None: + # check if investigation guide tag is present + if 'Resources: Investigation Guide' not in 
rule.contents.data.tags: + err_msg = self.rule_str(rule) + err_msg += '\n expected: Resources: Investigation Guide' + invalid.append(err_msg) + if invalid: + err_msg = '\n'.join(invalid) + self.fail(f'Rules with missing Investigation tag:\n{err_msg}') + class TestRuleTimelines(BaseRuleTest): """Test timelines in rules are valid."""
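Review bot: In `test_investigation_guide_tag` the pattern `r'Investigating'` has no anchors, so the `re.M` flag has no effect and the whole `re.search(...)` call reduces to `if 'Investigating' in note:`, which reads more plainly and avoids a regex for a fixed substring. The same method relies on `re` and the decorator on `unittest`; both must already be imported at the top of tests/test_all_rules.py, which is outside this hunk, so that is worth confirming. In `test_os_tags` the literal `['linux', 'macos', 'windows']` duplicates the keys of `required_tags_map`; `if dir_name in required_tags_map:` keeps the two from drifting apart when an OS is added.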