diff --git a/etc/version.lock.json b/etc/version.lock.json
index c07b94515..6860a4b85 100644
--- a/etc/version.lock.json
+++ b/etc/version.lock.json
@@ -106,8 +106,8 @@
 },
 "0a97b20f-4144-49ea-be32-b540ecc445de": {
 "rule_name": "Malware - Detected - Elastic Endgame",
- "sha256": "00f0fcc8e4641d92ddcd42b804404c551bdeca5e6d327e99b421533b456b060b",
- "version": 5
+ "sha256": "9b7bd55891baec28d77bb897969b40cc982c15102259ffff69b3796919202dbd",
+ "version": 6
 },
 "0b29cab4-dbbd-4a3f-9e8e-1287c7c11ae5": {
 "rule_name": "Anomalous Windows Process Creation",
@@ -356,8 +356,8 @@
 },
 "2003cdc8-8d83-4aa5-b132-1f9a8eb48514": {
 "rule_name": "Exploit - Detected - Elastic Endgame",
- "sha256": "6641c38a9f21bb4d011f23be360818e0a26261aee77dd52572cb4b1e74db9d54",
- "version": 5
+ "sha256": "da7b6e128ad5867cbd3456cf71fb4583caf272f62e76d422a6e765b5a019b508",
+ "version": 6
 },
 "201200f1-a99b-43fb-88ed-f65a45c4972c": {
 "rule_name": "Suspicious .NET Code Compilation",
@@ -451,8 +451,8 @@
 },
 "2863ffeb-bf77-44dd-b7a5-93ef94b72036": {
 "rule_name": "Exploit - Prevented - Elastic Endgame",
- "sha256": "fd0d6607641a2a3fe279fa21859438372610f47c0073b8cff12a4b16d4482a5f",
- "version": 5
+ "sha256": "027892bbc77dec382e1fff007e985d1ddaa09db9765397a995bca7504228a92d",
+ "version": 6
 },
 "28896382-7d4f-4d50-9b72-67091901fd26": {
 "rule_name": "Suspicious Process from Conhost",
@@ -646,8 +646,8 @@
 },
 "3b382770-efbb-44f4-beed-f5e0a051b895": {
 "rule_name": "Malware - Prevented - Elastic Endgame",
- "sha256": "50b2c302ad283dc7ef63c2d065b0af314e0ece8c2c206130440099a3f7377e8e",
- "version": 5
+ "sha256": "ee3b4a6b601f7f4929ff9f2d474a2deab9cef75f96c390b99208f95b12d8d619",
+ "version": 6
 },
 "3b47900d-e793-49e8-968f-c90dc3526aa1": {
 "rule_name": "Unusual Parent Process for cmd.exe",
@@ -726,8 +726,8 @@
 },
 "453f659e-0429-40b1-bfdb-b6957286e04b": {
 "rule_name": "Permission Theft - Prevented - Elastic Endgame",
- "sha256": "6bc20dfde21b99bceb78555445eed77ed4cc1aeaacee0be75f5be13d6baff80f",
- "version": 5
+ "sha256": "905e269e6ada516092e74e17fb1bb5d2bdc1ffdff1d87d42e253940d621e10bc",
+ "version": 6
 },
 "45ac4800-840f-414c-b221-53dd36a5aaf7": {
 "rule_name": "Windows Event Logs Cleared",
@@ -901,8 +901,8 @@
 },
 "571afc56-5ed9-465d-a2a9-045f099f6e7e": {
 "rule_name": "Credential Dumping - Detected - Elastic Endgame",
- "sha256": "92dbac698697ff1baba20201340efa2fa6909bd0332febd19dc7b120157b8288",
- "version": 5
+ "sha256": "e75e954e18e9d0dc6cbbbdbcb5deb63eb2dd29996703bc5dc2af235c82af3b0c",
+ "version": 6
 },
 "581add16-df76-42bb-af8e-c979bfb39a59": {
 "rule_name": "Deleting Backup Catalogs with Wbadmin",
@@ -1266,8 +1266,8 @@
 },
 "77a3c3df-8ec4-4da4-b758-878f551dee69": {
 "rule_name": "Adversary Behavior - Detected - Elastic Endgame",
- "sha256": "3d4c7e624f49095b9d4e05a486080f30e75d992cbac6947a37cbba3922afb684",
- "version": 5
+ "sha256": "8319fdbcc75a28932ed1ad89f7cae48a392d08b6bfd4a78ff5272c567bd03f6a",
+ "version": 6
 },
 "785a404b-75aa-4ffd-8be5-3334a5a544dd": {
 "rule_name": "Application Added to Google Workspace Domain",
@@ -1331,8 +1331,8 @@
 },
 "80c52164-c82a-402c-9964-852533d58be1": {
 "rule_name": "Process Injection - Detected - Elastic Endgame",
- "sha256": "1230896bf33c82b435b0a085a3cc4d4211dc4910eee62d13d35e8cd672bb3f9d",
- "version": 5
+ "sha256": "e8ed57396574222f759925fd3d4da6c63688d077a18de5a0bcec00ecf6de88d5",
+ "version": 6
 },
 "81cc58f5-8062-49a2-ba84-5cc4b4d31c40": {
 "rule_name": "Persistence via Kernel Module Modification",
@@ -1436,8 +1436,8 @@
 },
 "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd": {
 "rule_name": "Ransomware - Detected - Elastic Endgame",
- "sha256": "f887bad77276d23f9ce70a494ad975b51f2435f0f81308eb19c6b8f7760f5047",
- "version": 5
+ "sha256": "d8491d74b0dd8ca7304f3b8147e98c0dbb00f6551f61cc67bcbeb2a9a8ed8336",
+ "version": 6
 },
 "8ddab73b-3d15-4e5d-9413-47f05553c1d7": {
 "rule_name": "Azure Automation Runbook Deleted",
@@ -1591,8 +1591,8 @@
 },
 "990838aa-a953-4f3e-b3cb-6ddf7584de9e": {
 "rule_name": "Process Injection - Prevented - Elastic Endgame",
- "sha256": "c88ab010c4f6cce83349370811a1c01d6910cd907c7003a960779c7a87788b78",
- "version": 5
+ "sha256": "c3f63131525208fb1a8d655818506192b58ed5ddca6f26501f96672999d58085",
+ "version": 6
 },
 "99239e7d-b0d4-46e3-8609-acafcf99f68c": {
 "rule_name": "macOS Installer Spawns Network Event",
@@ -2036,8 +2036,8 @@
 },
 "c0be5f31-e180-48ed-aa08-96b36899d48f": {
 "rule_name": "Credential Manipulation - Detected - Elastic Endgame",
- "sha256": "beac6937eddc5c8bf327f253e55ae6002c455efcf0f7ad0115c03ee4b5ac28f0",
- "version": 5
+ "sha256": "a536250a00d6139b67326b7a160bef3ce820b1202add2eb68e37aea8c81b572b",
+ "version": 6
 },
 "c25e9c87-95e1-4368-bfab-9fd34cf867ec": {
 "rule_name": "Microsoft IIS Connection Strings Decryption",
@@ -2061,8 +2061,8 @@
 },
 "c3167e1b-f73c-41be-b60b-87f4df707fe3": {
 "rule_name": "Permission Theft - Detected - Elastic Endgame",
- "sha256": "1daef429f179b7b2decc62fd0040a1a0869724f0c5ad862e930de744a7ea8d20",
- "version": 5
+ "sha256": "b8e5fdd1a58640907a636b837eff2d2740c456b57954eac5fe0325d8f31c156c",
+ "version": 6
 },
 "c4210e1c-64f2-4f48-b67e-b5a8ffe3aa14": {
 "rule_name": "Mounting Hidden or WebDav Remote Shares",
@@ -2131,8 +2131,8 @@
 },
 "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa": {
 "rule_name": "Credential Manipulation - Prevented - Elastic Endgame",
- "sha256": "8701300b12edca7b1d753f35667a8ac660486880e262916978b2d93fc36f9b85",
- "version": 5
+ "sha256": "490cbfae68721fb35c3c8b8a0d41bc4b6efed8cc396d829e4afecc2e651c9ae1",
+ "version": 6
 },
 "ca79768e-40e1-4e45-a097-0e5fbc876ac2": {
 "rule_name": "Microsoft 365 Exchange Malware Filter Rule Modification",
@@ -2346,8 +2346,8 @@
 },
 "db8c33a8-03cd-4988-9e2c-d0a4863adb13": {
 "rule_name": "Credential Dumping - Prevented - Elastic Endgame",
- "sha256": "c96b35d3ac54f63415568d6a1f55de7c57c1b8e3e7bdff5e38c956812059b15e",
- "version": 5
+ "sha256": "27d6e4256f3c3e790e0339e015ee47e5c922269bdbb9091c04efe12ed0ec4592",
+ "version": 6
 },
 "dc9c1f74-dac3-48e3-b47f-eb79db358f57": {
 "rule_name": "Volume Shadow Copy Deletion via WMIC",
@@ -2431,8 +2431,8 @@
 },
 "e3c5d5cb-41d5-4206-805c-f30561eae3ac": {
 "rule_name": "Ransomware - Prevented - Elastic Endgame",
- "sha256": "2fc23dc4ae8c8b6aa5864423da31e254624822a593ee182936070c3436dfa49b",
- "version": 5
+ "sha256": "843eb805ba1977ac107e77885fa675b0633fea7cdf90a7437b83997cfe6ff5c8",
+ "version": 6
 },
 "e3cf38fa-d5b8-46cc-87f9-4a7513e4281d": {
 "rule_name": "Connection to Commonly Abused Free SSL Certificate Providers",
diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml
index 04f49bf71..a2c8a4116 100644
--- a/rules/promotions/endgame_adversary_behavior_detected.toml
+++ b/rules/promotions/endgame_adversary_behavior_detected.toml
@@ -19,7 +19,6 @@
 risk_score = 47
 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
 severity = "medium"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_cred_dumping_detected.toml b/rules/promotions/endgame_cred_dumping_detected.toml
index 2e475869b..b9a80f438 100644
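Review bot: Dropping `timestamp_override = "event.ingested"` changes which field bounds this rule's query window, so the rule now evaluates against `@timestamp`; Endgame alerts that land in the index after the rule's lookback for their event time has passed would no longer be examined, and nothing in the remaining metadata (risk_score through `type = "query"`) records why the override was removed. The same one-line deletion appears in every other endgame_*_detected.toml and endgame_*_prevented.toml hunk in this commit, so one explanation covers all of them. If the motivation is that the Endgame data does not populate `event.ingested` (an inference on my part, not something the hunk shows), a comment above `type = "query"` such as `# timestamp_override intentionally omitted: see <ISSUE-PLACEHOLDER>` would stop the next maintainer from re-adding it. The `query = '''` body continues outside the hunk.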
--- a/rules/promotions/endgame_cred_dumping_detected.toml
+++ b/rules/promotions/endgame_cred_dumping_detected.toml
@@ -19,7 +19,6 @@
 risk_score = 73
 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
 severity = "high"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_cred_dumping_prevented.toml b/rules/promotions/endgame_cred_dumping_prevented.toml
index 5c4dde1d8..2a777382f 100644
--- a/rules/promotions/endgame_cred_dumping_prevented.toml
+++ b/rules/promotions/endgame_cred_dumping_prevented.toml
@@ -19,7 +19,6 @@
 risk_score = 47
 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
 severity = "medium"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_cred_manipulation_detected.toml b/rules/promotions/endgame_cred_manipulation_detected.toml
index 4669ac3f2..e38efdd97 100644
--- a/rules/promotions/endgame_cred_manipulation_detected.toml
+++ b/rules/promotions/endgame_cred_manipulation_detected.toml
@@ -19,7 +19,6 @@
 risk_score = 73
 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
 severity = "high"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_cred_manipulation_prevented.toml b/rules/promotions/endgame_cred_manipulation_prevented.toml
index d8460972b..de43c1b12 100644
--- a/rules/promotions/endgame_cred_manipulation_prevented.toml
+++ b/rules/promotions/endgame_cred_manipulation_prevented.toml
@@ -19,7 +19,6 @@
 risk_score = 47
 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
 severity = "medium"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_exploit_detected.toml b/rules/promotions/endgame_exploit_detected.toml
index bcfd70bfc..5d0371543 100644
--- a/rules/promotions/endgame_exploit_detected.toml
+++ b/rules/promotions/endgame_exploit_detected.toml
@@ -19,7 +19,6 @@
 risk_score = 73
 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
 severity = "high"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_exploit_prevented.toml b/rules/promotions/endgame_exploit_prevented.toml
index 07cfb2956..f8edb9304 100644
--- a/rules/promotions/endgame_exploit_prevented.toml
+++ b/rules/promotions/endgame_exploit_prevented.toml
@@ -19,7 +19,6 @@
 risk_score = 47
 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
 severity = "medium"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml
index d2b72ea89..ee9b40849 100644
--- a/rules/promotions/endgame_malware_detected.toml
+++ b/rules/promotions/endgame_malware_detected.toml
@@ -19,7 +19,6 @@
 risk_score = 99
 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
 severity = "critical"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml
index 978c5f25f..c2e30fada 100644
--- a/rules/promotions/endgame_malware_prevented.toml
+++ b/rules/promotions/endgame_malware_prevented.toml
@@ -19,7 +19,6 @@
 risk_score = 73
 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
 severity = "high"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_permission_theft_detected.toml b/rules/promotions/endgame_permission_theft_detected.toml
index fa1f4e7c5..005cf8fd9 100644
--- a/rules/promotions/endgame_permission_theft_detected.toml
+++ b/rules/promotions/endgame_permission_theft_detected.toml
@@ -19,7 +19,6 @@
 risk_score = 73
 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
 severity = "high"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_permission_theft_prevented.toml b/rules/promotions/endgame_permission_theft_prevented.toml
index f108ddb35..80edb6507 100644
--- a/rules/promotions/endgame_permission_theft_prevented.toml
+++ b/rules/promotions/endgame_permission_theft_prevented.toml
@@ -19,7 +19,6 @@
 risk_score = 47
 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
 severity = "medium"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_process_injection_detected.toml b/rules/promotions/endgame_process_injection_detected.toml
index a80e758bf..ebb53e8e7 100644
--- a/rules/promotions/endgame_process_injection_detected.toml
+++ b/rules/promotions/endgame_process_injection_detected.toml
@@ -19,7 +19,6 @@
 risk_score = 73
 rule_id = "80c52164-c82a-402c-9964-852533d58be1"
 severity = "high"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_process_injection_prevented.toml b/rules/promotions/endgame_process_injection_prevented.toml
index 823ff8baf..2050c86c5 100644
--- a/rules/promotions/endgame_process_injection_prevented.toml
+++ b/rules/promotions/endgame_process_injection_prevented.toml
@@ -19,7 +19,6 @@
 risk_score = 47
 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
 severity = "medium"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml
index e7ab1575c..b8d82168e 100644
--- a/rules/promotions/endgame_ransomware_detected.toml
+++ b/rules/promotions/endgame_ransomware_detected.toml
@@ -19,7 +19,6 @@
 risk_score = 99
 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
 severity = "critical"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''
diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml
index f63c22382..bc51d8e23 100644
--- a/rules/promotions/endgame_ransomware_prevented.toml
+++ b/rules/promotions/endgame_ransomware_prevented.toml
@@ -19,7 +19,6 @@
 risk_score = 73
 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
 severity = "high"
 tags = ["Elastic", "Elastic Endgame"]
-timestamp_override = "event.ingested"
 type = "query"
 query = '''