From b5213e66b2d46e7bcfe52649d68fffb0eb6649b9 Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Wed, 22 Jul 2020 12:36:18 -0400
Subject: [PATCH] [Rule Tuning} Correct Promotion Rule Descriptions (#85)

---
 rules/promotions/endpoint_adversary_behavior_detected.toml | 3 +--
 rules/promotions/endpoint_cred_dumping_detected.toml | 3 +--
 rules/promotions/endpoint_cred_dumping_prevented.toml | 3 +--
 rules/promotions/endpoint_cred_manipulation_detected.toml | 3 +--
 rules/promotions/endpoint_cred_manipulation_prevented.toml | 3 +--
 rules/promotions/endpoint_exploit_detected.toml | 3 +--
 rules/promotions/endpoint_exploit_prevented.toml | 3 +--
 rules/promotions/endpoint_malware_detected.toml | 2 +-
 rules/promotions/endpoint_malware_prevented.toml | 2 +-
 rules/promotions/endpoint_permission_theft_detected.toml | 3 +--
 rules/promotions/endpoint_permission_theft_prevented.toml | 3 +--
 rules/promotions/endpoint_process_injection_detected.toml | 3 +--
 rules/promotions/endpoint_process_injection_prevented.toml | 3 +--
 rules/promotions/endpoint_ransomware_detected.toml | 3 +--
 rules/promotions/endpoint_ransomware_prevented.toml | 3 +--
 15 files changed, 15 insertions(+), 28 deletions(-)

diff --git a/rules/promotions/endpoint_adversary_behavior_detected.toml b/rules/promotions/endpoint_adversary_behavior_detected.toml
index 2fdf3d42e..2c08ebd02 100644
--- a/rules/promotions/endpoint_adversary_behavior_detected.toml
+++ b/rules/promotions/endpoint_adversary_behavior_detected.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security detected an Adversary Behavior. Click the Elastic Endpoint Security icon in the event.module
-column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
-additional information.
+column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
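Review bot: The hunk header shows `updated_date = "2020/02/18"` as unchanged context while the rule's `description` field is rewritten in a patch dated 2020-07-22, so the rule's own metadata no longer reflects its last edit. If the repository's convention (not visible from this patch) is that `updated_date` tracks the most recent change to any rule field, this hunk should also carry `updated_date = "2020/07/22"`, the patch's own date. The same observation applies to the other fourteen promotion rules in this patch (cred dumping, cred manipulation, exploit, malware, permission theft, process injection and ransomware, both detected and prevented variants), whose hunk headers all show the same unchanged date. Stale dates are easy to miss in a rule repository because nothing fails, but they are what downstream consumers use to decide whether a rule needs re-review.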
diff --git a/rules/promotions/endpoint_cred_dumping_detected.toml b/rules/promotions/endpoint_cred_dumping_detected.toml
index 9640baa64..f82609dff 100644
--- a/rules/promotions/endpoint_cred_dumping_detected.toml
+++ b/rules/promotions/endpoint_cred_dumping_detected.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security detected Credential Dumping. Click the Elastic Endpoint Security icon in the event.module
-column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
-additional information.
+column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_cred_dumping_prevented.toml b/rules/promotions/endpoint_cred_dumping_prevented.toml
index 30af14c48..09ed75c06 100644
--- a/rules/promotions/endpoint_cred_dumping_prevented.toml
+++ b/rules/promotions/endpoint_cred_dumping_prevented.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security prevented Credential Dumping. Click the Elastic Endpoint Security icon in the event.module
-column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
-additional information.
+column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_cred_manipulation_detected.toml b/rules/promotions/endpoint_cred_manipulation_detected.toml
index 0a148f30c..21476ac27 100644
--- a/rules/promotions/endpoint_cred_manipulation_detected.toml
+++ b/rules/promotions/endpoint_cred_manipulation_detected.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security detected Credential Manipulation. Click the Elastic Endpoint Security icon in the event.module
-column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
-additional information.
+column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_cred_manipulation_prevented.toml b/rules/promotions/endpoint_cred_manipulation_prevented.toml
index 76ef368bf..edba99b93 100644
--- a/rules/promotions/endpoint_cred_manipulation_prevented.toml
+++ b/rules/promotions/endpoint_cred_manipulation_prevented.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security prevented Credential Manipulation. Click the Elastic Endpoint Security icon in the
-event.module column or the link in the rule.reference column in the External Alerts tab of the Security Detections page
-for additional information.
+event.module column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_exploit_detected.toml b/rules/promotions/endpoint_exploit_detected.toml
index c8a0cf7e0..e5bdce1fd 100644
--- a/rules/promotions/endpoint_exploit_detected.toml
+++ b/rules/promotions/endpoint_exploit_detected.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security detected an Exploit. Click the Elastic Endpoint Security icon in the event.module column or
-the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
-information.
+the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_exploit_prevented.toml b/rules/promotions/endpoint_exploit_prevented.toml
index 345766b86..88b0b0b8a 100644
--- a/rules/promotions/endpoint_exploit_prevented.toml
+++ b/rules/promotions/endpoint_exploit_prevented.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security prevented an Exploit. Click the Elastic Endpoint Security icon in the event.module column or
-the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
-information.
+the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_malware_detected.toml b/rules/promotions/endpoint_malware_detected.toml
index 187f5c68f..4734b60d7 100644
--- a/rules/promotions/endpoint_malware_detected.toml
+++ b/rules/promotions/endpoint_malware_detected.toml
@@ -8,7 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security detected Malware. Click the Elastic Endpoint Security icon in the event.module column or the
-link in the rule.reference column in the External Alerts tab of the Security Detections page for additional information.
+link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_malware_prevented.toml b/rules/promotions/endpoint_malware_prevented.toml
index 4e628d2a3..3d858bf3a 100644
--- a/rules/promotions/endpoint_malware_prevented.toml
+++ b/rules/promotions/endpoint_malware_prevented.toml
@@ -8,7 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security prevented Malware. Click the Elastic Endpoint Security icon in the event.module column or the
-link in the rule.reference column in the External Alerts tab of the Security Detections page for additional information.
+link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_permission_theft_detected.toml b/rules/promotions/endpoint_permission_theft_detected.toml
index 69525f17c..43a7c34d9 100644
--- a/rules/promotions/endpoint_permission_theft_detected.toml
+++ b/rules/promotions/endpoint_permission_theft_detected.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security detected Permission Theft. Click the Elastic Endpoint Security icon in the event.module column
-or the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
-information.
+or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_permission_theft_prevented.toml b/rules/promotions/endpoint_permission_theft_prevented.toml
index 4675ccc52..25794d751 100644
--- a/rules/promotions/endpoint_permission_theft_prevented.toml
+++ b/rules/promotions/endpoint_permission_theft_prevented.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security prevented Permission Theft. Click the Elastic Endpoint Security icon in the event.module
-column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
-additional information.
+column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_process_injection_detected.toml b/rules/promotions/endpoint_process_injection_detected.toml
index f4186eeb7..87e2a1309 100644
--- a/rules/promotions/endpoint_process_injection_detected.toml
+++ b/rules/promotions/endpoint_process_injection_detected.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security detected Process Injection. Click the Elastic Endpoint Security icon in the event.module
-column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
-additional information.
+column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_process_injection_prevented.toml b/rules/promotions/endpoint_process_injection_prevented.toml
index 6ce930359..4f6e452d8 100644
--- a/rules/promotions/endpoint_process_injection_prevented.toml
+++ b/rules/promotions/endpoint_process_injection_prevented.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security prevented Process Injection. Click the Elastic Endpoint Security icon in the event.module
-column or the link in the rule.reference column in the External Alerts tab of the Security Detections page for
-additional information.
+column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_ransomware_detected.toml b/rules/promotions/endpoint_ransomware_detected.toml
index a90aa78f6..680aeb3ed 100644
--- a/rules/promotions/endpoint_ransomware_detected.toml
+++ b/rules/promotions/endpoint_ransomware_detected.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security detected Ransomware. Click the Elastic Endpoint Security icon in the event.module column or
-the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
-information.
+the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]
diff --git a/rules/promotions/endpoint_ransomware_prevented.toml b/rules/promotions/endpoint_ransomware_prevented.toml
index 89491c2f2..9a39384e8 100644
--- a/rules/promotions/endpoint_ransomware_prevented.toml
+++ b/rules/promotions/endpoint_ransomware_prevented.toml
@@ -8,8 +8,7 @@ updated_date = "2020/02/18"
 author = ["Elastic"]
 description = """
 Elastic Endpoint Security prevented Ransomware. Click the Elastic Endpoint Security icon in the event.module column or
-the link in the rule.reference column in the External Alerts tab of the Security Detections page for additional
-information.
+the link in the rule.reference column for additional information.
 """
 from = "now-15m"
 index = ["endgame-*"]