[Rule Tuning] Update terms in promotion rules (#72)
* [Rule Tuning] Update terms in promotion rules * Update Endpoint terms and lint
@@ -7,7 +7,7 @@ updated_date = "2020/07/08"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Generates a detection alert each time an Elastic Endpoint alert is received. Enabling this rule allows you to
|
||||
Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to
|
||||
immediately begin investigating your Elastic Endpoint alerts.
|
||||
"""
|
||||
enabled = true
|
||||
@@ -16,7 +16,7 @@ index = ["logs-endpoint.alerts-*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
max_signals = 10000
|
||||
name = "Elastic Endpoint"
|
||||
name = "Elastic Endpoint Security"
|
||||
risk_score = 47
|
||||
rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
|
||||
rule_name_override = "message"
|
||||
|
||||
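Review bot: The product rename is incomplete inside the description: the new line `Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to` is followed by the unchanged context line `immediately begin investigating your Elastic Endpoint alerts.`, so the rule's description now mixes the old and new names. Change that context line to `immediately begin investigating your Elastic Endpoint Security alerts.` so the description matches the renamed `name = "Elastic Endpoint Security"` in the second hunk of this file. The `[rule]` table continues past the second hunk, so any further occurrences of the old term below it are outside this view.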
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link
|
||||
in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security detected an Adversary Behavior. Click the Elastic Endpoint Security icon in the event.module
|
||||
column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
|
||||
additional information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Adversary Behavior - Detected - Elastic Endpoint"
|
||||
name = "Adversary Behavior - Detected - Elastic Endpoint Security"
|
||||
risk_score = 47
|
||||
rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
|
||||
severity = "medium"
|
||||
|
||||
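Review bot: The `updated_date = "2020/02/18"` shown in the hunk header is left unchanged although this hunk rewrites both the description and the rule `name`; the first file in this commit carries `updated_date = "2020/07/08"`, which suggests the repository bumps that field when rule content changes, so this one looks stale. If that convention holds, the same applies to every following section (Credential Dumping, Credential Manipulation, Exploit, Malware, Permission Theft, Process Injection and Ransomware, in both their Detected and Prevented variants), each of which shows the same unchanged `updated_date = "2020/02/18"` in its hunk header. Since `rule_id` is untouched, consumers that key on the id keep matching; only the date used for change tracking is affected. The table holding `updated_date` lies above this hunk's first context line and is not visible here.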
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in
|
||||
the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security detected Credential Dumping. Click the Elastic Endpoint Security icon in the event.module
|
||||
column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
|
||||
additional information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Credential Dumping - Detected - Elastic Endpoint"
|
||||
name = "Credential Dumping - Detected - Elastic Endpoint Security"
|
||||
risk_score = 73
|
||||
rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
|
||||
severity = "high"
|
||||
|
||||
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in
|
||||
the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security prevented Credential Dumping. Click the Elastic Endpoint Security icon in the event.module
|
||||
column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
|
||||
additional information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Credential Dumping - Prevented - Elastic Endpoint"
|
||||
name = "Credential Dumping - Prevented - Elastic Endpoint Security"
|
||||
risk_score = 47
|
||||
rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
|
||||
severity = "medium"
|
||||
|
||||
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the
|
||||
link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security detected Credential Manipulation. Click the Elastic Endpoint Security icon in the event.module
|
||||
column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
|
||||
additional information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Credential Manipulation - Detected - Elastic Endpoint"
|
||||
name = "Credential Manipulation - Detected - Elastic Endpoint Security"
|
||||
risk_score = 73
|
||||
rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
|
||||
severity = "high"
|
||||
|
||||
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the
|
||||
link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security prevented Credential Manipulation. Click the Elastic Endpoint Security icon in the
|
||||
event.module column or the link in the rule.reference column in the External Alerts tab of the Security Detections page
|
||||
for additional information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Credential Manipulation - Prevented - Elastic Endpoint"
|
||||
name = "Credential Manipulation - Prevented - Elastic Endpoint Security"
|
||||
risk_score = 47
|
||||
rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
|
||||
severity = "medium"
|
||||
|
||||
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the
|
||||
rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security detected an Exploit. Click the Elastic Endpoint Security icon in the event.module column or
|
||||
the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
|
||||
information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Exploit - Detected - Elastic Endpoint"
|
||||
name = "Exploit - Detected - Elastic Endpoint Security"
|
||||
risk_score = 73
|
||||
rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
|
||||
severity = "high"
|
||||
|
||||
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the
|
||||
rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security prevented an Exploit. Click the Elastic Endpoint Security icon in the event.module column or
|
||||
the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
|
||||
information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Exploit - Prevented - Elastic Endpoint"
|
||||
name = "Exploit - Prevented - Elastic Endpoint Security"
|
||||
risk_score = 47
|
||||
rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
|
||||
severity = "medium"
|
||||
|
||||
@@ -7,15 +7,15 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint detected Malware. Click the Elastic Endpoint icon in the event.module column or the link in the
|
||||
rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security detected Malware. Click the Elastic Endpoint Security icon in the event.module column or the
|
||||
link in the rule.reference column in the External Alerts tab of the Security Detections page for additional information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Malware - Detected - Elastic Endpoint"
|
||||
name = "Malware - Detected - Elastic Endpoint Security"
|
||||
risk_score = 99
|
||||
rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
|
||||
severity = "critical"
|
||||
|
||||
@@ -7,15 +7,15 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint prevented Malware. Click the Elastic Endpoint icon in the event.module column or the link in the
|
||||
rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security prevented Malware. Click the Elastic Endpoint Security icon in the event.module column or the
|
||||
link in the rule.reference column in the External Alerts tab of the Security Detections page for additional information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Malware - Prevented - Elastic Endpoint"
|
||||
name = "Malware - Prevented - Elastic Endpoint Security"
|
||||
risk_score = 73
|
||||
rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
|
||||
severity = "high"
|
||||
|
||||
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint detected Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in
|
||||
the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security detected Permission Theft. Click the Elastic Endpoint Security icon in the event.module column
|
||||
or the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
|
||||
information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Permission Theft - Detected - Elastic Endpoint"
|
||||
name = "Permission Theft - Detected - Elastic Endpoint Security"
|
||||
risk_score = 73
|
||||
rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
|
||||
severity = "high"
|
||||
|
||||
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint prevented Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in
|
||||
the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security prevented Permission Theft. Click the Elastic Endpoint Security icon in the event.module
|
||||
column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
|
||||
additional information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Permission Theft - Prevented - Elastic Endpoint"
|
||||
name = "Permission Theft - Prevented - Elastic Endpoint Security"
|
||||
risk_score = 47
|
||||
rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
|
||||
severity = "medium"
|
||||
|
||||
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in
|
||||
the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security detected Process Injection. Click the Elastic Endpoint Security icon in the event.module
|
||||
column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
|
||||
additional information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Process Injection - Detected - Elastic Endpoint"
|
||||
name = "Process Injection - Detected - Elastic Endpoint Security"
|
||||
risk_score = 73
|
||||
rule_id = "80c52164-c82a-402c-9964-852533d58be1"
|
||||
severity = "high"
|
||||
|
||||
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in
|
||||
the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security prevented Process Injection. Click the Elastic Endpoint Security icon in the event.module
|
||||
column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
|
||||
additional information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Process Injection - Prevented - Elastic Endpoint"
|
||||
name = "Process Injection - Prevented - Elastic Endpoint Security"
|
||||
risk_score = 47
|
||||
rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
|
||||
severity = "medium"
|
||||
|
||||
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint detected Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the
|
||||
rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security detected Ransomware. Click the Elastic Endpoint Security icon in the event.module column or
|
||||
the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
|
||||
information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Ransomware - Detected - Elastic Endpoint"
|
||||
name = "Ransomware - Detected - Elastic Endpoint Security"
|
||||
risk_score = 99
|
||||
rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
|
||||
severity = "critical"
|
||||
|
||||
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the
|
||||
rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
||||
Elastic Endpoint Security prevented Ransomware. Click the Elastic Endpoint Security icon in the event.module column or
|
||||
the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
|
||||
information.
|
||||
"""
|
||||
from = "now-15m"
|
||||
index = ["endgame-*"]
|
||||
interval = "10m"
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Ransomware - Prevented - Elastic Endpoint"
|
||||
name = "Ransomware - Prevented - Elastic Endpoint Security"
|
||||
risk_score = 73
|
||||
rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
|
||||
severity = "high"
|
||||
|
||||