[Rule tuning] Update rules based on docs review (#1663)

* [Rule tuning] Update rule verbiage based on docs review

* fix typos

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* revert TI rule changes since it was deprecated

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Removed changes from:
- rules/cross-platform/threat_intel_filebeat8x.toml
- rules/cross-platform/threat_intel_fleet_integrations.toml

(selectively cherry picked from commit 72c64de3f5)
Justin Ibarra
2022-01-28 10:41:22 -09:00
committed by github-actions[bot]
parent cea62303e3
commit cb34ee5a28
65 changed files with 95 additions and 96 deletions
@@ -10,7 +10,7 @@ description = "Identifies the creation of an AWS log trail that specifies the se
false_positives = [
"""
Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should
and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -10,7 +10,7 @@ description = "Identifies the deletion of an AWS log trail. An adversary may del
false_positives = [
"""
Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should
and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -10,7 +10,7 @@ description = "Identifies the deletion of an AWS CloudWatch alarm. An adversary
false_positives = [
"""
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm
deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it
deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it
can be exempted from the rule.
""",
]
@@ -13,7 +13,7 @@ in an attempt to evade defenses.
false_positives = [
"""
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log
deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it
deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it
can be exempted from the rule.
""",
]
@@ -13,7 +13,7 @@ ingress/egress entries.
false_positives = [
"""
Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should
hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
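Review bot: The unchanged context line `Network ACL's may be deleted by a network administrator.` uses an apostrophe for a plural; since this PR is a verbiage pass over exactly this block, change it to `Network ACLs may be deleted` in the same touch.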
@@ -10,7 +10,7 @@ description = "Identifies when an ElastiCache security group has been created."
false_positives = [
"""
A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user
agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users
agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users
or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
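Review bot: The first line of this false_positives block, `A ElastiCache security group may be created by a system or network administrator.`, needs the article `An` (`An ElastiCache security group`); it is in the hunk's context, so it is worth fixing while the block is being edited.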
@@ -10,7 +10,7 @@ description = "Identifies when an ElastiCache security group has been modified o
false_positives = [
"""
A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity,
user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar
user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar
users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
rule.
""",
@@ -13,7 +13,7 @@ all existing findings are lost.
false_positives = [
"""
The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user
agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or
agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -10,7 +10,7 @@ description = "Identifies the deletion of various Amazon Simple Storage Service
false_positives = [
"""
Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or
and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -10,7 +10,7 @@ description = "Identifies the deletion of a specified AWS Web Application Firewa
false_positives = [
"""
Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts
and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
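Review bot: `Firewall ACL's may be deleted by a system or network administrator.` on the context line has an apostrophe plural; suggest `Firewall ACLs`, the same fix as for the Network ACL rules.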
@@ -10,7 +10,7 @@ description = "Identifies the deletion of a specified AWS Web Application Firewa
false_positives = [
"""
WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user
agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts
agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -14,7 +14,7 @@ unauthorized or unexpected AWS account.
false_positives = [
"""
Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Snapshot restoration from unfamiliar users or hosts should
and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -13,7 +13,7 @@ visibility in applications or a break in the flow with other AWS services.
false_positives = [
"""
EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. EventBridge Rules being deleted or disabled from unfamiliar users should
hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -13,7 +13,7 @@ events associated with the log group are also permanently deleted.
false_positives = [
"""
Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log
group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives,
group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives,
it can be exempted from the rule.
""",
]
@@ -13,7 +13,7 @@ with the stream.
false_positives = [
"""
A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be
should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be
investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -14,7 +14,7 @@ deleting the File System, or the adversary will be unable to delete the File Sys
false_positives = [
"""
File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity,
user agent, and/or hostname should be making changes in your environment. File System Mount deleted from unfamiliar
user agent, and/or hostname should be making changes in your environment. File System Mount deletion by unfamiliar
users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
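Review bot: The context line `File System or Mount being deleted may be performed by a system administrator.` has the same `being deleted may be performed` construction this PR rewrites in the Azure virtual network device rule; suggest `File System or Mount deletion may be performed by a system administrator.` so the block reads consistently with the new `File System Mount deletion by unfamiliar users` line.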
@@ -13,7 +13,7 @@ group does not delete resources that are members of the group; it only deletes t
false_positives = [
"""
A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. Resource group deletions from unfamiliar users or hosts
hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -13,7 +13,7 @@ cluster.
false_positives = [
"""
Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
should be making changes in your environment. Cluster deletions from unfamiliar users or hosts should be
should be making changes in your environment. Cluster deletions by unfamiliar users or hosts should be
investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -10,7 +10,7 @@ description = "Identifies the deletion of an Amazon Relational Database Service
false_positives = [
"""
An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity,
user agent, and/or hostname should be making changes in your environment. Security group deletions from unfamiliar
user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar
users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the
rule.
""",
@@ -47,14 +47,14 @@ this has the potential to uncover unknown threats or activity.
### False Positive Analysis
- This rule has the possibility to produce false positives based on unexpected activity occurring such as bugs or recent
changes to automation modules or scripting.
- Adoption of new services or implementing new functionality to scripts may generate false positives
- The adoption of new services or the addition of new functionality to scripts may generate false positives.
### Related Rules
- Unusual AWS Command for a User
- Rare AWS Error Code
### Response and Remediation
- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys
- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys
- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users
- Look into enabling multi-factor authentication for users
- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS
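Review bot: Punctuation is inconsistent within this hunk: the rewritten false-positive bullet gains a trailing period (`...may generate false positives.`), but the rewritten remediation bullet `- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys` and the bullets after it have none. Pick one convention for the bullet lists in this note and apply it to both lists here.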
@@ -55,7 +55,7 @@ therefore it's important to validate the activity listed in the investigation st
- Rare AWS Error Code
### Response and Remediation
- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys
- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys
- Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users
- Look into enabling multi-factor authentication for users
- Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS
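Review bot: The rewritten bullet `- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys` ends without a period, while the matching false-positive bullet in the sibling guide (rewritten earlier in this PR) was given one; keep one punctuation convention across these Response and Remediation lists.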
@@ -13,7 +13,7 @@ ACL with a specified rule number.
false_positives = [
"""
Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. Network ACL creations from unfamiliar users or hosts should
hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
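Review bot: `Network ACL's may be created by a network administrator.` on the context line uses an apostrophe plural; change to `Network ACLs may be created`, matching the fix suggested for the Network ACL deletion rule.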
@@ -14,7 +14,7 @@ pivot in an AWS environment.
false_positives = [
"""
A security group may be created by a system or network administrator. Verify whether the user identity, user
agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users
agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users
or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -13,7 +13,7 @@ users. Any user in a group automatically has the permissions that are assigned t
false_positives = [
"""
A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be
hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be
investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -13,7 +13,7 @@ across multiple regions.
false_positives = [
"""
Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent,
and/or hostname should be making changes in your environment. Cluster creations from unfamiliar users or hosts
and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -10,7 +10,7 @@ description = "Identifies the creation of an Amazon Relational Database Service
false_positives = [
"""
An RDS security group may be created by a system or network administrator. Verify whether the user identity, user
agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users
agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users
or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -10,7 +10,7 @@ description = "Identifies the creation of an Amazon Relational Database Service
false_positives = [
"""
A database instance may be created by a system or network administrator. Verify whether the user identity, user
agent, and/or hostname should be making changes in your environment. Instances creations from unfamiliar users or
agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
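Review bot: The new line still reads `Instances creations by unfamiliar users or hosts should be investigated`; `Instances` should be singular (`Instance creations`), matching `Security group creations`, `Cluster creations`, and the other rules touched in this PR.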
@@ -9,11 +9,10 @@ author = ["Elastic", "Austin Songer"]
description = "Identifies when an AWS Route Table has been created."
false_positives = [
"""
Route Table being created may be done by a system or network administrator. Verify whether the user identity, user
agent, and/or hostname should be making changes in your environment. Route Table being created from unfamiliar users or
Route Tables may be created by a system or network administrators. Verify whether the user identity, user
agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
Automated processes that uses Terraform may lead to false positives.
Automated processes that use Terraform may lead to false positives.
""",
]
from = "now-60m"
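Review bot: Number agreement in the new line `Route Tables may be created by a system or network administrators.`: either `a system or network administrator` or `system or network administrators`. The rest of the PR uses the singular form, so `by a system or network administrator` keeps it consistent.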
@@ -12,7 +12,7 @@ false_positives = [
Route Table could be modified or deleted by a system administrator. Verify whether the user identity,
user agent, and/or hostname should be making changes in your environment. Route Table being modified
from unfamiliar users should be investigated. If known behavior is causing false positives, it can be
exempted from the rule. Also automated processes that uses Terraform may lead to false positives.
exempted from the rule. Also automated processes that use Terraform may lead to false positives.
""",
]
from = "now-60m"
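Review bot: This hunk only fixes `uses` to `use`, but the unchanged context line `from unfamiliar users should be investigated. If known behavior is causing false positives, it can be` carries exactly the `from` -> `by` wording this PR corrects in every other rule; change it to `by unfamiliar users` here too so the Route Table modification rule is not the odd one out. The trailing `Also automated processes that use Terraform may lead to false positives.` could also drop `Also` and stand as its own sentence, as the sibling Route Table creation rule now does.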
@@ -12,7 +12,7 @@ Identifies when SAML activity has occurred in AWS. An adversary could manipulate
false_positives = [
"""
SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or
hostname should be making changes in your environment. SAML Provider being updated from unfamiliar users should
hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -12,7 +12,7 @@ AWS resources. An adversary could use those credentials to move laterally and es
"""
false_positives = [
"""
Automated processes that uses Terraform may lead to false positives.
Automated processes that use Terraform may lead to false positives.
""",
]
index = ["filebeat-*", "logs-aws*"]
@@ -13,7 +13,7 @@ volumes of events and data. An adversary may delete an Event Hub in an attempt t
false_positives = [
"""
Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or
resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts
resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -8,12 +8,12 @@ integration = "azure"
author = ["Elastic"]
description = """
Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade
defenses and/or to eliminate barriers in carrying out their initiative.
defenses and/or to eliminate barriers to their objective.
"""
false_positives = [
"""
Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname,
and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users
and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users
or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -8,12 +8,12 @@ integration = "azure"
author = ["Austin Songer"]
description = """
Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall
(WAF) Policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.
(WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective.
"""
false_positives = [
"""
Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username,
hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions from
hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by
unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
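Review bot: The false_positives text, including the changed line `Azure Front Web Application Firewall (WAF) Policy deletions by`, calls the product `Azure Front Web Application Firewall`, while the description in the same hunk calls it `Frontdoor Web Application Firewall (WAF) Policy`. Use one name in both places (the service is Azure Front Door, so `Azure Front Door WAF policy` would fit).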
@@ -14,7 +14,7 @@ in Azure Kubernetes in an attempt to evade detection.
false_positives = [
"""
Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or
resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts
resource name should be making changes in your environment. Events deletions by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
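Review bot: `Events deletions` in the changed line (and in the context line above it) should be `Event deletions`; the noun before `deletions` is singular in every other rule touched here (`Topic deletions`, `Role deletions`, `Key deletions`).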
@@ -14,7 +14,7 @@ attempt to evade defenses.
false_positives = [
"""
Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname,
and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users
and/or resource name should be making changes in your environment. Network Watcher deletions by unfamiliar users
or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -13,7 +13,7 @@ of the environment.
false_positives = [
"""
Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be
should be making changes in your environment. Pods deletions by unfamiliar users or hosts should be
investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
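Review bot: `Pods deletions` in the changed line should be `Pod deletions`, the same singular-modifier pattern as the other rules. Separately, this Azure Kubernetes rule asks the reader to verify `user identity, user agent, and/or hostname`, while the other Azure rules in this PR use `username, hostname, and/or resource name`; worth checking which fields this rule's index actually provides and aligning the text with the sibling Azure rules.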
@@ -7,14 +7,14 @@ integration = "azure"
[rule]
author = ["Austin Songer"]
description = """
Identifies when a virtual network device is being modified or deleted. This can be a network virtual
Identifies when a virtual network device is modified or deleted. This can be a network virtual
appliance, virtual hub, or virtual router.
"""
false_positives = [
"""
Virtual Network Device being modified or deleted may be performed by a system administrator. Verify
Virtual Network Device modification or deletion may be performed by a system administrator. Verify
whether the user identity, user agent, and/or hostname should be making changes in your environment.
Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known
Virtual Network Device modification or deletion by unfamiliar users should be investigated. If known
behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -14,7 +14,7 @@ subscription is a named resource representing the stream of messages to be deliv
false_positives = [
"""
Subscription creations may be done by a system or network administrator. Verify whether the user email, resource
name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or
name, and/or hostname should be making changes in your environment. Subscription creations by unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -14,7 +14,7 @@ used to forward messages from publishers to subscribers.
false_positives = [
"""
Topic creations may be done by a system or network administrator. Verify whether the user email, resource name,
and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should
and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -16,7 +16,7 @@ bucket to evade detection.
false_positives = [
"""
Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource
name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users
name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users
or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -14,7 +14,7 @@ the sink's export destination. An adversary may delete a Logging sink to evade d
false_positives = [
"""
Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource
name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or
name, and/or hostname should be making changes in your environment. Logging sink deletions by unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -14,7 +14,7 @@ subscription is a named resource representing the stream of messages to be deliv
false_positives = [
"""
Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource
name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or
name, and/or hostname should be making changes in your environment. Subscription deletions by unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -14,7 +14,7 @@ application creates and sends messages to a topic. Deleting a topic can interrup
false_positives = [
"""
Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name,
and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should
and/or hostname should be making changes in your environment. Topic deletions by unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -14,7 +14,7 @@ role to inhibit access to accounts utilized by legitimate users.
false_positives = [
"""
Role deletions may be done by a system or network administrator. Verify whether the user email, resource name,
and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should
and/or hostname should be making changes in your environment. Role deletions by unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -13,7 +13,7 @@ order to disrupt their target's business operations.
false_positives = [
"""
Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name,
and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should
and/or hostname should be making changes in your environment. Bucket deletions by unfamiliar users or hosts should
be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -14,7 +14,7 @@ not be updated automatically and could lead to privilege creep if not carefully
false_positives = [
"""
Custom role creations may be done by a system or network administrator. Verify whether the user email, resource
name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts
name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts
should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -15,7 +15,7 @@ practice is to rotate your service account keys regularly.
false_positives = [
"""
Service account key deletions may be done by a system or network administrator. Verify whether the user email,
resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or
resource name, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
@@ -7,8 +7,8 @@ integration = "gcp"
[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the creation or patching of potential malicious rolebinding. You can assign these roles to Kubernetes subjects
(users, groups, or service accounts) with role bindings and cluster role bindings.
Identifies the creation or patching of potentially malicious role bindings. Users can use role bindings and cluster role
bindings to assign roles to Kubernetes subjects (users, groups, or service accounts).
"""
from = "now-20m"
index = ["filebeat-*", "logs-gcp*"]
@@ -7,7 +7,7 @@ integration = "o365"
[rule]
author = ["Austin Songer"]
description = """
Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.
Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.
"""
false_positives = ["Users or System Administrator cleaning out folders."]
from = "now-30m"
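Review bot: The `-`/`+` pair in this hunk is visually identical (`Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.`), so the change is presumably trailing whitespace or a line-ending fix. Confirm it is intentional rather than an editor artifact, since whitespace-only churn in rule files shows up in later blame.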
@@ -7,8 +7,8 @@ integration = "o365"
[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies the assignment of rights to accesss content from another mailbox. An adversary may use the compromised account
to send messages to other accounts in the network of the target business while creating inbox rules, so messages can
Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account
to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can
evade spam/phishing detection mechanisms.
"""
false_positives = ["Assignment of rights to a service account."]
@@ -6,7 +6,7 @@ integration = "okta"
[rule]
author = ["Elastic", "Austin Songer"]
description = "Identifies when an unauthorized access attempt is made by a user for an Okta application."
description = "Identifies unauthorized access attempts to Okta applications."
index = ["filebeat-*", "logs-okta*"]
language = "kuery"
license = "Elastic License v2"
@@ -19,7 +19,7 @@ name = "Unexpected Child Process of macOS Screensaver Engine"
note = """## Triage and analysis
- Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such
as downloading a payload from a server
as a download of a payload from a server
- Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to
identify whether the file is malicious or not.
"""
@@ -27,7 +27,7 @@ note = """## Triage and analysis
### Investigating an Unusual Windows Process
Searching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network.
By understanding what is commonly run within an environment and developing baselines for legitimate activity can help
Understanding what is commonly run within an environment and developing baselines for legitimate activity can help
uncover potential malware and suspicious behaviors.
#### Possible investigation steps:
@@ -51,7 +51,7 @@ such as servers that have very unique software that might appear to be unusual,
- Unusual Windows Process Calling the Metadata Service
### Response and Remediation
- This rule is related to process execution events and should be immediately reviewed and investigated to determine if malicious
- This rule is related to process execution events and should be immediately reviewed and investigated to determine if malicious.
- Based on validation and if malicious, the impacted machine should be isolated and analyzed to determine other post-compromise
behavior such as setting up persistence or performing lateral movement.
- Look into preventive measures such as Windows Defender Application Control and AppLocker to gain better control on
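Review bot: adding the period to "to determine if malicious." still leaves the clause without a subject; suggest "to determine whether the activity is malicious." so the bullet is a complete sentence.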
@@ -44,7 +44,7 @@ Atomic Red Team or through offensive/compromise assessments.
- Modification of WDigest Security Provider
### Response and Remediation
- Immediate response should be taken to review, investigate and potentially isolate activity to prevent further post-compromise
- Take immediate action to review, investigate and potentially isolate activity to prevent further post-compromise
behavior
- During credential dump compromises, investigate the registry in order to check the number of cached users that have
used the machine. These users should have their password reset.
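Review bot: the rewritten bullet "Take immediate action to review, investigate and potentially isolate activity to prevent further post-compromise" continues onto "behavior" with no terminal period, while the next bullet ends with "reset."; add the period for consistency with the rest of the list.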
@@ -6,7 +6,7 @@ updated_date = "2021/11/30"
[rule]
author = ["Elastic"]
description = """
This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or
This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or
Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.
"""
false_positives = ["Powershell Scripts that use this capability for troubleshooting."]
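Review bot: the unchanged false_positives entry spells the product "Powershell Scripts" while the rewritten description uses "PowerShell"; since this is a verbiage pass, change it to "PowerShell scripts that use this capability for troubleshooting." for consistent casing.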
@@ -28,20 +28,19 @@ using scripting and PowerShell to configure the different exclusions for Windows
identify the source of the activity first and determine if there is any mal-intent behind the events.
- The actual exclusion such as the process, the file or directory should be reviewed in order to determine the original
intent behind the exclusion. Is the excluded file or process malicious in nature or is it related to software that needs
to be legitimately whitelisted from Windows Defender?
to be legitimately allowlisted from Windows Defender?
### False Positive Analysis
- This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly
a network administrator. In order to validate the activity further, review the specific exclusion made and determine based
on the exclusion of the original intent behind the exclusion. There are often many legitimate reasons why exclusions are made
with Windows Defender so it's important to gain context around the exclusion.
a network administrator. In order to validate the activity further, review the specific exclusion and based on its
intent. There are many legitimate reasons for exclusions, so it's important to gain context.
### Related Rules
- Windows Defender Disabled via Registry Modification
- Disabling Windows Defender Security Settings via PowerShell
### Response and Remediation
- Since this is related to post-exploitation activity, immediate response should be taken to review, investigate and
- Since this is related to post-exploitation activity, take immediate action to review, investigate and
potentially isolate further activity
- If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove
the exclusion and ensure antimalware capability has not been disabled or deleted
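Review bot: the rewritten false-positive sentence is incomplete: "review the specific exclusion and based on its intent." has no verb after "and", so the instruction the original conveyed (determine the intent behind the exclusion) is lost. Suggest "review the specific exclusion and determine the original intent behind it." The following sentence "There are many legitimate reasons for exclusions, so it's important to gain context." is fine.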
@@ -8,7 +8,7 @@ author = ["Elastic"]
description = """
Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and
usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
detections whitelisting those folders.
detections allowlisting those folders.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
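Review bot: the sentence "An adversary may leverage masquerading, along with low privileges to bypass detections allowlisting those folders." needs a closing comma after "privileges" to balance the parenthetical; also "third party programs" should be hyphenated as "third-party programs" on the unchanged line above.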
@@ -13,7 +13,7 @@ constraints, like internet and network lateral communication restrictions.
false_positives = [
"""
Windows Firewall can be disabled may be performed by a system administrator. Verify whether the user identity,
user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled from
user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by
unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
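Review bot: the unchanged first sentence of this false_positives entry is ungrammatical ("Windows Firewall can be disabled may be performed by a system administrator.") and this verbiage pass is the place to fix it; suggest "Windows Firewall may be disabled by a system administrator." The "from" to "by" change on the following line is correct.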
@@ -6,8 +6,8 @@ updated_date = "2021/03/03"
[rule]
author = ["Elastic"]
description = """
Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting
libraries it may be indicative of a whitelist bypass.
Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting
libraries it may be indicative of an allowlist bypass.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
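Review bot: "When WMIC loads scripting libraries it may be indicative of an allowlist bypass." needs a comma after "libraries" (introductory clause); otherwise the whitelist to allowlist wording change is consistent with the other rules in this PR.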
@@ -20,7 +20,7 @@ note = """## Triage and analysis
### Investigating AdFind Command Activity
[AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from
Activity Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways
Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways
they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and
understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/)
observed where this tool has been adopted by ransomware and criminal groups and used in compromises.
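Review bot: "This tool provides quick ability to scope AD person/computer objects" on the unchanged line still reads awkwardly; suggest "This tool provides a quick way to scope AD person/computer objects" since the "Activity Directory" to "Active Directory" fix is already touching this paragraph.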
@@ -31,11 +31,11 @@ the source of the activity. This could involve identifying the account using `A
what information was retrieved, then further determining if these actions are in scope of that user's traditional responsibilities.
- In multiple public references, `AdFind` is leveraged after initial access is achieved, review previous activity on impacted
machine looking for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic
to suspicious infrastructure
to suspicious infrastructure.
### False Positive Analysis
- This rule has the high chance to produce false positives as it is a legitimate tool used by network administrators. One
option could be whitelisting specific users or groups who use the tool as part of their daily responsibilities. This can
option could be allowlisting specific users or groups who use the tool as part of their daily responsibilities. This can
be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment
- Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in
isolation, so reviewing previous logs/activity from impacted machines could be very telling.
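Review bot: the bullet ending "tune this rule to your environment" has no terminal period while the next bullet does; and "This rule has the high chance to produce false positives" should read "a high chance". Both sit on or beside the allowlisting change and fit the scope of this pass.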
@@ -46,7 +46,7 @@ isolation, so reviewing previous logs/activity from impacted machines could be v
- Enumeration Command Spawned via WMIPrvSE
### Response and Remediation
- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
- take immediate action to validate activity, investigate and potentially isolate activity to prevent further
post-compromise behavior
- It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate
purposes, so understanding the intent behind the activity will help determine the appropropriate response.
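Review bot: the rewritten bullet starts lowercase ("- take immediate action to validate activity, investigate and potentially isolate activity") while every other bullet in this note starts with a capital; capitalize "Take". The hunk's context line also still contains the typo "appropropriate", which should be "appropriate".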
@@ -31,7 +31,7 @@ also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vu
- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate
the source of the incoming traffic and determine if this activity has been observed previously within an environment.
- Activity can be further investigated and validated by reviewing available corresponding Intrusion Detection Signatures (IDS) alerts associated with activity.
- Further examination can be made by reviewing the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.
- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.
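Review bot: the unchanged step "Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning." repeats "validate"; suggest "to confirm the observed activity was not". The rewrite of the `dns.question_type` bullet reads well.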
@@ -39,8 +39,8 @@ the source of the incoming traffic and determine if this activity has been obser
- Based on this rule which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes
and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses
were all observed as greater than 65k bytes.
- This activity has the ability to be triggered from compliance/vulnerability scanning or compromise assessment, it's
important to determine the source of the activity and potential whitelist the source host
- This activity can be triggered by compliance/vulnerability scanning or compromise assessment, it's
important to determine the source of the activity and potentially allowlist the source host.
### Related Rules
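Review bot: the rewritten bullet is a comma splice: "This activity can be triggered by compliance/vulnerability scanning or compromise assessment, it's important to determine"; suggest "or compromise assessment, so it's important to determine the source of the activity and potentially allowlist the source host." Separately, the unchanged bullet above says the rule "looks for a threshold of 60k bytes" but then discusses activity "under 65k bytes"; worth confirming both figures are intended.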
@@ -54,7 +54,7 @@ patched machines. If unable to patch immediately: Microsoft [released](https://s
restart. This can be used as a temporary solution before the patch is applied.
- Maintain backups of your critical systems to aid in quick recovery.
- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.
- If observed true positive activity, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
"""
references = [
@@ -15,12 +15,13 @@ note = """## Triage and analysis
### Investigating Creation of Remote Scheduled Tasks
[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism used for persistence and executing programs. These features can
[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great
mechanism for persistence and program execution. These features can
be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries.
When investigating scheduled tasks that have been set-up remotely, one of the first methods should be determining the
original intent behind the configuration and verify if the activity is tied to benign behavior such as software installations or any kind
When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the
original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind
of network administrator work. One objective for these alerts is to understand the configured action within the scheduled
task, this is captured within the registry event data for this rule and can be base64 decoded to view the value.
task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.
#### Possible investigation steps:
- Review the base64 encoded tasks actions registry value to investigate the task configured action.
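Review bot: the unchanged investigation step "Review the base64 encoded tasks actions registry value to investigate the task configured action." needs a hyphen and a possessive and reads awkwardly; suggest "Review the base64-encoded task actions registry value to identify the configured action." The sentence splits above ("task. This is captured within the registry event data") read well.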
@@ -39,8 +40,8 @@ further understand the source of the activity and determine the intent based on
- Remotely Started Services via RPC
### Response and Remediation
- This behavior represents post-exploitation actions such as persistence or lateral movement, immediate response should
be taken to review and investigate the activity and potentially isolate involved machines to prevent further post-compromise
- This behavior represents post-exploitation actions such as persistence or lateral movement, immediately review and
investigate the activity and potentially isolate involved machines to prevent further post-compromise
behavior.
- Remove scheduled task and any other related artifacts to the activity.
- Review privileged account management and user account management settings such as implementing GPO policies to further
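Review bot: the rewritten bullet still contains a comma splice: "persistence or lateral movement, immediately review and investigate the activity"; suggest "persistence or lateral movement; immediately review and investigate the activity". The unchanged next bullet "Remove scheduled task and any other related artifacts to the activity." should read "Remove the scheduled task and any other artifacts related to the activity."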
@@ -20,8 +20,8 @@ note = """## Triage and analysis
Techniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for
persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this
behavior may evade existing AV/EDR solutions. Another preference is that these programs might run with higher privileges
which can be ideal for an attacker.
behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for
an attacker.
#### Possible investigation steps:
- Review the source process and related file tied to the Windows Registry entry
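Review bot: "These programs may also run with higher privileges which can be ideal for an attacker." needs a comma before "which" (non-restrictive clause), and the unchanged investigation step "Review the source process and related file tied to the Windows Registry entry" lacks a terminal period; both are small but in scope for a verbiage pass.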
@@ -32,17 +32,17 @@ installations
### False Positive Analysis
- There is a high possibility of benign legitimate programs being added to Shell folders. This activity could be based
on new software installations, patches, or any kind of network administrator related activity. Before entering further
investigation, this activity should be validated that is it not related to benign activity
investigation, it should be verified that this activity is not benign.
### Related Rules
- Startup or Run Key Registry Modification
- Persistent Scripts in the Startup Directory
### Response and Remediation
- Activity should first be validated as a true positive event if so then immediate response should be taken to review,
- Activity should first be validated as a true positive event if so then take immediate action to review,
investigate and potentially isolate activity to prevent further post-compromise behavior
- The respective binary or program tied to this persistence method should be further analyzed and reviewed to understand
it's behavior and capabilities
its behavior and capabilities
- Since this activity is considered post-exploitation behavior, it's important to understand how the behavior was first
initialized such as through a macro-enabled document that was attached in a phishing email. By understanding the source
of the attack, this information can then be used to search for similar indicators on other machines in the same environment.
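Review bot: the rewritten bullet is a run-on: "Activity should first be validated as a true positive event if so then take immediate action to review,"; suggest "Activity should first be validated as a true positive; if so, take immediate action to review, investigate and potentially isolate activity to prevent further post-compromise behavior." (adding the terminal period the continuation line currently lacks). The "it's" to "its" fix below is correct.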
@@ -12,7 +12,7 @@ domain.
false_positives = [
"""
Legitimate local user creations may be done by a system or network administrator. Verify whether this is known
behavior in your environment. Local user creations from unfamiliar users or hosts should be investigated. If known
behavior in your environment. Local user creations by unfamiliar users or hosts should be investigated. If known
behavior is causing false positives, it can be exempted from the rule.
""",
]