diff --git a/rules/promotions/elastic_endpoint.toml b/rules/promotions/elastic_endpoint.toml
index 7d6c27e3f..d1500ea75 100644
--- a/rules/promotions/elastic_endpoint.toml
+++ b/rules/promotions/elastic_endpoint.toml
@@ -7,7 +7,7 @@ updated_date = "2020/07/08"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Endpoint alert is received. Enabling this rule allows you to
+Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to
 immediately begin investigating your Elastic Endpoint alerts.
 """
 enabled = true
@@ -16,7 +16,7 @@ index = ["logs-endpoint.alerts-*"]
 language = "kuery"
 license = "Elastic License"
 max_signals = 10000
-name = "Elastic Endpoint"
+name = "Elastic Endpoint Security"
 risk_score = 47
 rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
 rule_name_override = "message"
diff --git a/rules/promotions/endpoint_adversary_behavior_detected.toml b/rules/promotions/endpoint_adversary_behavior_detected.toml
index 8b104eaa9..2fdf3d42e 100644
--- a/rules/promotions/endpoint_adversary_behavior_detected.toml
+++ b/rules/promotions/endpoint_adversary_behavior_detected.toml
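Review bot: The first hunk renames the product only on the first description line, while the unchanged context line ` immediately begin investigating your Elastic Endpoint alerts.` still uses the old name, so the rendered description now mixes "Elastic Endpoint Security alert" and "Elastic Endpoint alerts". Since this description is what an analyst reads on every promoted alert, the second line should be updated in the same commit, e.g. ` immediately begin investigating your Elastic Endpoint Security alerts.`. The second hunk's `name` change is consistent with the new wording, so only the description line is affected.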
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint detected an Adversary Behavior. Click the Elastic Endpoint icon in the event.module column or the link
-in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security detected an Adversary Behavior. Click the Elastic Endpoint Security icon in the event.module
+column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
+additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Adversary Behavior - Detected - Elastic Endpoint"
+name = "Adversary Behavior - Detected - Elastic Endpoint Security"
 risk_score = 47
 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
 severity = "medium"
diff --git a/rules/promotions/endpoint_cred_dumping_detected.toml b/rules/promotions/endpoint_cred_dumping_detected.toml
index feb5f570f..9640baa64 100644
--- a/rules/promotions/endpoint_cred_dumping_detected.toml
+++ b/rules/promotions/endpoint_cred_dumping_detected.toml
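Review bot: The rule's `name` and `description` change here, but the only hunk in this file starts at line 7 and the hunk-header context still shows `updated_date = "2020/02/18"`, so the `[metadata]` timestamp is not bumped. If this repository's convention is to update `updated_date` whenever rule content changes (it appears to be, given the field exists), every endpoint_* file in this commit — cred_dumping, cred_manipulation, exploit, malware, permission_theft, process_injection and ransomware, both detected and prevented variants — as well as elastic_endpoint.toml above has the same omission. Changing the user-visible `name` is also what analysts see in alert lists and may be referenced by saved searches or case templates; that is worth a line in the commit message so downstream consumers can adjust.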
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint detected Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in
-the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security detected Credential Dumping. Click the Elastic Endpoint Security icon in the event.module
+column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
+additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Credential Dumping - Detected - Elastic Endpoint"
+name = "Credential Dumping - Detected - Elastic Endpoint Security"
 risk_score = 73
 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
 severity = "high"
diff --git a/rules/promotions/endpoint_cred_dumping_prevented.toml b/rules/promotions/endpoint_cred_dumping_prevented.toml
index 89c0f0f88..30af14c48 100644
--- a/rules/promotions/endpoint_cred_dumping_prevented.toml
+++ b/rules/promotions/endpoint_cred_dumping_prevented.toml
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint prevented Credential Dumping. Click the Elastic Endpoint icon in the event.module column or the link in
-the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security prevented Credential Dumping. Click the Elastic Endpoint Security icon in the event.module
+column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
+additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Credential Dumping - Prevented - Elastic Endpoint"
+name = "Credential Dumping - Prevented - Elastic Endpoint Security"
 risk_score = 47
 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
 severity = "medium"
diff --git a/rules/promotions/endpoint_cred_manipulation_detected.toml b/rules/promotions/endpoint_cred_manipulation_detected.toml
index 8efe9394e..0a148f30c 100644
--- a/rules/promotions/endpoint_cred_manipulation_detected.toml
+++ b/rules/promotions/endpoint_cred_manipulation_detected.toml
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint detected Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the
-link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security detected Credential Manipulation. Click the Elastic Endpoint Security icon in the event.module
+column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
+additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Credential Manipulation - Detected - Elastic Endpoint"
+name = "Credential Manipulation - Detected - Elastic Endpoint Security"
 risk_score = 73
 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
 severity = "high"
diff --git a/rules/promotions/endpoint_cred_manipulation_prevented.toml b/rules/promotions/endpoint_cred_manipulation_prevented.toml
index d69f593c8..76ef368bf 100644
--- a/rules/promotions/endpoint_cred_manipulation_prevented.toml
+++ b/rules/promotions/endpoint_cred_manipulation_prevented.toml
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint prevented Credential Manipulation. Click the Elastic Endpoint icon in the event.module column or the
-link in the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security prevented Credential Manipulation. Click the Elastic Endpoint Security icon in the
+event.module column or the link in the rule.reference column in the External Alerts tab of the Security Detections page
+for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Credential Manipulation - Prevented - Elastic Endpoint"
+name = "Credential Manipulation - Prevented - Elastic Endpoint Security"
 risk_score = 47
 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
 severity = "medium"
diff --git a/rules/promotions/endpoint_exploit_detected.toml b/rules/promotions/endpoint_exploit_detected.toml
index 0348122cb..c8a0cf7e0 100644
--- a/rules/promotions/endpoint_exploit_detected.toml
+++ b/rules/promotions/endpoint_exploit_detected.toml
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint detected an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the
-rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security detected an Exploit. Click the Elastic Endpoint Security icon in the event.module column or
+the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
+information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Exploit - Detected - Elastic Endpoint"
+name = "Exploit - Detected - Elastic Endpoint Security"
 risk_score = 73
 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
 severity = "high"
diff --git a/rules/promotions/endpoint_exploit_prevented.toml b/rules/promotions/endpoint_exploit_prevented.toml
index 1646cc750..345766b86 100644
--- a/rules/promotions/endpoint_exploit_prevented.toml
+++ b/rules/promotions/endpoint_exploit_prevented.toml
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the
-rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security prevented an Exploit. Click the Elastic Endpoint Security icon in the event.module column or
+the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
+information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Exploit - Prevented - Elastic Endpoint"
+name = "Exploit - Prevented - Elastic Endpoint Security"
 risk_score = 47
 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
 severity = "medium"
diff --git a/rules/promotions/endpoint_malware_detected.toml b/rules/promotions/endpoint_malware_detected.toml
index b44a47a42..187f5c68f 100644
--- a/rules/promotions/endpoint_malware_detected.toml
+++ b/rules/promotions/endpoint_malware_detected.toml
@@ -7,15 +7,15 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint detected Malware. Click the Elastic Endpoint icon in the event.module column or the link in the
-rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security detected Malware. Click the Elastic Endpoint Security icon in the event.module column or the
+link in the rule.reference column in the External Alerts tab of the Security Detections page for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Malware - Detected - Elastic Endpoint"
+name = "Malware - Detected - Elastic Endpoint Security"
 risk_score = 99
 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
 severity = "critical"
diff --git a/rules/promotions/endpoint_malware_prevented.toml b/rules/promotions/endpoint_malware_prevented.toml
index 822c5fac3..4e628d2a3 100644
--- a/rules/promotions/endpoint_malware_prevented.toml
+++ b/rules/promotions/endpoint_malware_prevented.toml
@@ -7,15 +7,15 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint prevented Malware. Click the Elastic Endpoint icon in the event.module column or the link in the
-rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security prevented Malware. Click the Elastic Endpoint Security icon in the event.module column or the
+link in the rule.reference column in the External Alerts tab of the Security Detections page for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Malware - Prevented - Elastic Endpoint"
+name = "Malware - Prevented - Elastic Endpoint Security"
 risk_score = 73
 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
 severity = "high"
diff --git a/rules/promotions/endpoint_permission_theft_detected.toml b/rules/promotions/endpoint_permission_theft_detected.toml
index 641eb1fa9..69525f17c 100644
--- a/rules/promotions/endpoint_permission_theft_detected.toml
+++ b/rules/promotions/endpoint_permission_theft_detected.toml
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint detected Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in
-the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security detected Permission Theft. Click the Elastic Endpoint Security icon in the event.module column
+or the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
+information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Permission Theft - Detected - Elastic Endpoint"
+name = "Permission Theft - Detected - Elastic Endpoint Security"
 risk_score = 73
 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
 severity = "high"
diff --git a/rules/promotions/endpoint_permission_theft_prevented.toml b/rules/promotions/endpoint_permission_theft_prevented.toml
index ad4fc7ed9..4675ccc52 100644
--- a/rules/promotions/endpoint_permission_theft_prevented.toml
+++ b/rules/promotions/endpoint_permission_theft_prevented.toml
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint prevented Permission Theft. Click the Elastic Endpoint icon in the event.module column or the link in
-the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security prevented Permission Theft. Click the Elastic Endpoint Security icon in the event.module
+column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
+additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Permission Theft - Prevented - Elastic Endpoint"
+name = "Permission Theft - Prevented - Elastic Endpoint Security"
 risk_score = 47
 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
 severity = "medium"
diff --git a/rules/promotions/endpoint_process_injection_detected.toml b/rules/promotions/endpoint_process_injection_detected.toml
index c9831e8b7..f4186eeb7 100644
--- a/rules/promotions/endpoint_process_injection_detected.toml
+++ b/rules/promotions/endpoint_process_injection_detected.toml
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint detected Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in
-the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security detected Process Injection. Click the Elastic Endpoint Security icon in the event.module
+column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
+additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Process Injection - Detected - Elastic Endpoint"
+name = "Process Injection - Detected - Elastic Endpoint Security"
 risk_score = 73
 rule_id = "80c52164-c82a-402c-9964-852533d58be1"
 severity = "high"
diff --git a/rules/promotions/endpoint_process_injection_prevented.toml b/rules/promotions/endpoint_process_injection_prevented.toml
index 5f43b29d8..6ce930359 100644
--- a/rules/promotions/endpoint_process_injection_prevented.toml
+++ b/rules/promotions/endpoint_process_injection_prevented.toml
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint prevented Process Injection. Click the Elastic Endpoint icon in the event.module column or the link in
-the rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security prevented Process Injection. Click the Elastic Endpoint Security icon in the event.module
+column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
+additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Process Injection - Prevented - Elastic Endpoint"
+name = "Process Injection - Prevented - Elastic Endpoint Security"
 risk_score = 47
 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
 severity = "medium"
diff --git a/rules/promotions/endpoint_ransomware_detected.toml b/rules/promotions/endpoint_ransomware_detected.toml
index c887f6755..a90aa78f6 100644
--- a/rules/promotions/endpoint_ransomware_detected.toml
+++ b/rules/promotions/endpoint_ransomware_detected.toml
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint detected Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the
-rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security detected Ransomware. Click the Elastic Endpoint Security icon in the event.module column or
+the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
+information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Ransomware - Detected - Elastic Endpoint"
+name = "Ransomware - Detected - Elastic Endpoint Security"
 risk_score = 99
 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
 severity = "critical"
diff --git a/rules/promotions/endpoint_ransomware_prevented.toml b/rules/promotions/endpoint_ransomware_prevented.toml
index a596bf3af..89491c2f2 100644
--- a/rules/promotions/endpoint_ransomware_prevented.toml
+++ b/rules/promotions/endpoint_ransomware_prevented.toml
@@ -7,15 +7,16 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint prevented Ransomware. Click the Elastic Endpoint icon in the event.module column or the link in the
-rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
+Elastic Endpoint Security prevented Ransomware. Click the Elastic Endpoint Security icon in the event.module column or
+the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
+information.
 """
 from = "now-15m"
 index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Ransomware - Prevented - Elastic Endpoint"
+name = "Ransomware - Prevented - Elastic Endpoint Security"
 risk_score = 73
 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
 severity = "high"