From cb34ee5a287483c4deb6cea3f424fd50170269b8 Mon Sep 17 00:00:00 2001 
From: Justin Ibarra
Date: Fri, 28 Jan 2022 10:41:22 -0900
Subject: [PATCH] [Rule tuning] Update rules based on docs review (#1663)
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan
Removed changes from:
- rules/cross-platform/threat_intel_filebeat8x.toml
- rules/cross-platform/threat_intel_fleet_integrations.toml
(selectively cherry picked from commit 72c64de3f5c51d6c6a739a3c92d96e0c616e1e40)
---
.../aws/collection_cloudtrail_logging_created.toml | 2 +-
.../defense_evasion_cloudtrail_logging_deleted.toml | 2 +-
.../defense_evasion_cloudwatch_alarm_deletion.toml | 2 +-
.../aws/defense_evasion_ec2_flow_log_deletion.toml | 2 +-
.../defense_evasion_ec2_network_acl_deletion.toml | 2 +-
...evasion_elasticache_security_group_creation.toml | 2 +-
...sticache_security_group_modified_or_deleted.toml | 2 +-
...defense_evasion_guardduty_detector_deletion.toml | 2 +-
...se_evasion_s3_bucket_configuration_deletion.toml | 2 +-
.../aws/defense_evasion_waf_acl_deletion.toml | 2 +-
...nse_evasion_waf_rule_or_rule_group_deletion.toml | 2 +-
.../aws/exfiltration_rds_snapshot_restored.toml | 2 +-
...ct_aws_eventbridge_rule_disabled_or_deleted.toml | 2 +-
.../aws/impact_cloudwatch_log_group_deletion.toml | 2 +-
.../aws/impact_cloudwatch_log_stream_deletion.toml | 2 +-
.../aws/impact_efs_filesystem_or_mount_deleted.toml | 2 +-
.../integrations/aws/impact_iam_group_deletion.toml | 2 +-
.../aws/impact_rds_cluster_deletion.toml | 2 +-
.../integrations/aws/impact_rds_group_deletion.toml | 2 +-
.../aws/ml_cloudtrail_error_message_spike.toml | 4 ++--
.../aws/ml_cloudtrail_rare_method_by_country.toml | 2 +-
.../aws/persistence_ec2_network_acl_creation.toml | 2 +-
...curity_group_configuration_change_detection.toml | 2 +-
.../aws/persistence_iam_group_creation.toml | 2 +-
.../aws/persistence_rds_cluster_creation.toml | 2 +-
.../aws/persistence_rds_group_creation.toml | 2 +-
.../aws/persistence_rds_instance_creation.toml | 2 +-
.../aws/persistence_route_table_created.toml | 7 +++----
...persistence_route_table_modified_or_deleted.toml | 2 +-
...ege_escalation_aws_suspicious_saml_activity.toml | 2 +-
.../privilege_escalation_sts_assumerole_usage.toml | 2 +-
.../azure/defense_evasion_event_hub_deletion.toml | 2 +-
.../defense_evasion_firewall_policy_deletion.toml | 4 ++--
..._evasion_frontdoor_firewall_policy_deletion.toml | 4 ++--
.../defense_evasion_kubernetes_events_deleted.toml | 2 +-
.../defense_evasion_network_watcher_deletion.toml | 2 +-
.../azure/impact_kubernetes_pod_deleted.toml | 2 +-
.../impact_virtual_network_device_modified.toml | 6 +++---
...ollection_gcp_pub_sub_subscription_creation.toml | 2 +-
.../gcp/collection_gcp_pub_sub_topic_creation.toml | 2 +-
...defense_evasion_gcp_logging_bucket_deletion.toml | 2 +-
.../defense_evasion_gcp_logging_sink_deletion.toml | 2 +-
...e_evasion_gcp_pub_sub_subscription_deletion.toml | 2 +-
.../defense_evasion_gcp_pub_sub_topic_deletion.toml | 2 +-
.../gcp/impact_gcp_iam_role_deletion.toml | 2 +-
.../gcp/impact_gcp_storage_bucket_deleted.toml | 2 +-
...initial_access_gcp_iam_custom_role_creation.toml | 2 +-
...stence_gcp_iam_service_account_key_deletion.toml | 2 +-
..._kubernetes_rolebindings_created_or_patched.toml | 4 ++--
...crosoft_365_unusual_volume_of_file_deletion.toml | 2 +-
...xchange_suspicious_mailbox_right_delegation.toml | 4 ++--
...ess_okta_user_attempted_unauthorized_access.toml | 2 +-
...screensaver_engine_unexpected_child_process.toml | 2 +-
rules/ml/ml_rare_process_by_host_windows.toml | 4 ++--
...redential_access_mimikatz_powershell_module.toml | 2 +-
rules/windows/credential_access_posh_minidump.toml | 2 +-
...e_evasion_defender_exclusion_via_powershell.toml | 9 ++++-----
...ense_evasion_masquerading_trusted_directory.toml | 2 +-
...vasion_powershell_windows_firewall_disabled.toml | 2 +-
.../defense_evasion_suspicious_wmi_script.toml | 4 ++--
.../windows/discovery_adfind_command_activity.toml | 8 ++++----
.../lateral_movement_dns_server_overflow.toml | 8 ++++----
.../lateral_movement_scheduled_task_target.toml | 13 +++++++------
...sion_registry_startup_shell_folder_modified.toml | 10 +++++-----
...ersistence_user_account_creation_event_logs.toml | 2 +-
65 files changed, 95 insertions(+), 96 deletions(-)
diff --git a/rules/integrations/aws/collection_cloudtrail_logging_created.toml b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
index 2c206af67..c719e0418 100644
--- a/rules/integrations/aws/collection_cloudtrail_logging_created.toml
+++ b/rules/integrations/aws/collection_cloudtrail_logging_created.toml
@@ -10,7 +10,7 @@ description = "Identifies the creation of an AWS log trail that specifies the se
 false_positives = [
 """
 Trail creations may be made by a system or network administrator. Verify whether the user identity, user agent,
- and/or hostname should be making changes in your environment. Trail creations from unfamiliar users or hosts should
+ and/or hostname should be making changes in your environment. Trail creations by unfamiliar users or hosts should
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
index 7922a6d2c..28943ebfc 100644
--- a/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
@@ -10,7 +10,7 @@ description = "Identifies the deletion of an AWS log trail. An adversary may del
 false_positives = [
 """
 Trail deletions may be made by a system or network administrator. Verify whether the user identity, user agent,
- and/or hostname should be making changes in your environment. Trail deletions from unfamiliar users or hosts should
+ and/or hostname should be making changes in your environment. Trail deletions by unfamiliar users or hosts should
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
index efde45a49..e8b245ca7 100644
--- a/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
@@ -10,7 +10,7 @@ description = "Identifies the deletion of an AWS CloudWatch alarm. An adversary
 false_positives = [
 """
 Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Alarm
- deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it
+ deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it
 can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
index eacfd9f53..6d9fde757 100644
--- a/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
@@ -13,7 +13,7 @@ in an attempt to evade defenses.
 false_positives = [
 """
 Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Flow log
- deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it
+ deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it
 can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
index b69edabb4..35352e974 100644
--- a/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
@@ -13,7 +13,7 @@ ingress/egress entries.
 false_positives = [
 """
 Network ACL's may be deleted by a network administrator. Verify whether the user identity, user agent, and/or
- hostname should be making changes in your environment. Network ACL deletions from unfamiliar users or hosts should
+ hostname should be making changes in your environment. Network ACL deletions by unfamiliar users or hosts should
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
index 5a5c74e87..31213904f 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
@@ -10,7 +10,7 @@ description = "Identifies when an ElastiCache security group has been created."
 false_positives = [
 """
 A ElastiCache security group may be created by a system or network administrator. Verify whether the user identity, user
- agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users
+ agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users
 or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
index 8005260fc..9b6e61fc5 100644
--- a/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
+++ b/rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
@@ -10,7 +10,7 @@ description = "Identifies when an ElastiCache security group has been modified o
 false_positives = [
 """
 A ElastiCache security group deletion may be done by a system or network administrator. Verify whether the user identity,
- user agent, and/or hostname should be making changes in your environment. Security Group deletions from unfamiliar
+ user agent, and/or hostname should be making changes in your environment. Security Group deletions by unfamiliar
 users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
diff --git a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
index 81c676be4..6b62e24e4 100644
--- a/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
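Review bot: The context line `A ElastiCache security group may be created by a system or network administrator.` keeps the wrong article, and a verbiage pass that already touches this false_positives entry is the natural place to fix it: `An ElastiCache security group may be created by a system or network administrator.`. The second hunk on this line has the same slip in `A ElastiCache security group deletion may be done by a system or network administrator.`, which should read `An ElastiCache security group deletion may be done by ...`. Both are unchanged context lines inside hunks the commit already rewrites, so the fix costs no extra file.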
@@ -13,7 +13,7 @@ all existing findings are lost.
 false_positives = [
 """
 The GuardDuty detector may be deleted by a system or network administrator. Verify whether the user identity, user
- agent, and/or hostname should be making changes in your environment. Detector deletions from unfamiliar users or
+ agent, and/or hostname should be making changes in your environment. Detector deletions by unfamiliar users or
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
index 437b50c95..145b8d6bf 100644
--- a/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
@@ -10,7 +10,7 @@ description = "Identifies the deletion of various Amazon Simple Storage Service
 false_positives = [
 """
 Bucket components may be deleted by a system or network administrator. Verify whether the user identity, user agent,
- and/or hostname should be making changes in your environment. Bucket component deletions from unfamiliar users or
+ and/or hostname should be making changes in your environment. Bucket component deletions by unfamiliar users or
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
index 1f3a8d921..939b4a030 100644
--- a/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
@@ -10,7 +10,7 @@ description = "Identifies the deletion of a specified AWS Web Application Firewa
 false_positives = [
 """
 Firewall ACL's may be deleted by a system or network administrator. Verify whether the user identity, user agent,
- and/or hostname should be making changes in your environment. Web ACL deletions from unfamiliar users or hosts
+ and/or hostname should be making changes in your environment. Web ACL deletions by unfamiliar users or hosts
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
index d4a592440..16ec8ceed 100644
--- a/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
+++ b/rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
@@ -10,7 +10,7 @@ description = "Identifies the deletion of a specified AWS Web Application Firewa
 false_positives = [
 """
 WAF rules or rule groups may be deleted by a system or network administrator. Verify whether the user identity, user
- agent, and/or hostname should be making changes in your environment. Rule deletions from unfamiliar users or hosts
+ agent, and/or hostname should be making changes in your environment. Rule deletions by unfamiliar users or hosts
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
index d2fc0591a..6e054b5d5 100644
--- a/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
+++ b/rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
@@ -14,7 +14,7 @@ unauthorized or unexpected AWS account.
 false_positives = [
 """
 Restoring snapshots may be done by a system or network administrator. Verify whether the user identity, user agent,
- and/or hostname should be making changes in your environment. Snapshot restoration from unfamiliar users or hosts should
+ and/or hostname should be making changes in your environment. Snapshot restoration by unfamiliar users or hosts should
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
index de722d344..5be201c92 100644
--- a/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
+++ b/rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
@@ -13,7 +13,7 @@ visibility in applications or a break in the flow with other AWS services.
 false_positives = [
 """
 EventBridge Rules could be deleted or disabled by a system administrator. Verify whether the user identity, user agent, and/or
- hostname should be making changes in your environment. EventBridge Rules being deleted or disabled from unfamiliar users should
+ hostname should be making changes in your environment. EventBridge Rules being deleted or disabled by unfamiliar users should
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
index cb4afe7e4..ce21a7a46 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
@@ -13,7 +13,7 @@ events associated with the log group are also permanently deleted.
 false_positives = [
 """
 Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Log
- group deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives,
+ group deletions by unfamiliar users or hosts should be investigated. If known behavior is causing false positives,
 it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
index 10b0bc3d0..3d291e55d 100644
--- a/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
+++ b/rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
@@ -13,7 +13,7 @@ with the stream.
 false_positives = [
 """
 A log stream may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
- should be making changes in your environment. Log stream deletions from unfamiliar users or hosts should be
+ should be making changes in your environment. Log stream deletions by unfamiliar users or hosts should be
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
index 5c1ef3586..1ef0548a2 100644
--- a/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
+++ b/rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
@@ -14,7 +14,7 @@ deleting the File System, or the adversary will be unable to delete the File Sys
 false_positives = [
 """
 File System or Mount being deleted may be performed by a system administrator. Verify whether the user identity,
- user agent, and/or hostname should be making changes in your environment. File System Mount deleted from unfamiliar
+ user agent, and/or hostname should be making changes in your environment. File System Mount deletion by unfamiliar
 users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/impact_iam_group_deletion.toml b/rules/integrations/aws/impact_iam_group_deletion.toml
index 1d3c402b0..6b409506d 100644
--- a/rules/integrations/aws/impact_iam_group_deletion.toml
+++ b/rules/integrations/aws/impact_iam_group_deletion.toml
@@ -13,7 +13,7 @@ group does not delete resources that are members of the group; it only deletes t
 false_positives = [
 """
 A resource group may be deleted by a system administrator. Verify whether the user identity, user agent, and/or
- hostname should be making changes in your environment. Resource group deletions from unfamiliar users or hosts
+ hostname should be making changes in your environment. Resource group deletions by unfamiliar users or hosts
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/impact_rds_cluster_deletion.toml b/rules/integrations/aws/impact_rds_cluster_deletion.toml
index 57c6e64de..840fa8b91 100644
--- a/rules/integrations/aws/impact_rds_cluster_deletion.toml
+++ b/rules/integrations/aws/impact_rds_cluster_deletion.toml
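Review bot: The rewritten line `File System Mount deletion by unfamiliar users should be investigated.` drops the "or" that the hunk's own first sentence (`File System or Mount being deleted ...`) and the file name (impact_efs_filesystem_or_mount_deleted) both carry, so the new text reads as if only mount-target deletions are in scope. Suggest `File System or Mount deletion by unfamiliar users should be investigated.` so the false-positive guidance stays consistent with the rest of the entry.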
@@ -13,7 +13,7 @@ cluster.
 false_positives = [
 """
 Clusters may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
- should be making changes in your environment. Cluster deletions from unfamiliar users or hosts should be
+ should be making changes in your environment. Cluster deletions by unfamiliar users or hosts should be
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/impact_rds_group_deletion.toml b/rules/integrations/aws/impact_rds_group_deletion.toml
index cb9bb7b06..8d26ba224 100644
--- a/rules/integrations/aws/impact_rds_group_deletion.toml
+++ b/rules/integrations/aws/impact_rds_group_deletion.toml
@@ -10,7 +10,7 @@ description = "Identifies the deletion of an Amazon Relational Database Service
 false_positives = [
 """
 An RDS security group deletion may be done by a system or network administrator. Verify whether the user identity,
- user agent, and/or hostname should be making changes in your environment. Security group deletions from unfamiliar
+ user agent, and/or hostname should be making changes in your environment. Security group deletions by unfamiliar
 users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
diff --git a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
index d959d2c8e..fa64118bb 100644
--- a/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
+++ b/rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
@@ -47,14 +47,14 @@ this has the potential to uncover unknown threats or activity.
 ### False Positive Analysis
 - This rule has the possibility to produce false positives based on unexpected activity occurring such as bugs or recent changes to automation modules or scripting.
-- Adoption of new services or implementing new functionality to scripts may generate false positives
+- The adoption of new services or the addition of new functionality to scripts may generate false positives.
 ### Related Rules
 - Unusual AWS Command for a User
 - Rare AWS Error Code
 ### Response and Remediation
-- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys
+- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys
 - Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users
 - Look into enabling multi-factor authentication for users
 - Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS
diff --git a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
index b89818381..09ef2cd25 100644
--- a/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
+++ b/rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
@@ -55,7 +55,7 @@ therefore it's important to validate the activity listed in the investigation st
 - Rare AWS Error Code
 ### Response and Remediation
-- If activity is observed as suspicious or malicious, immediate response should be looked into rotating and deleting AWS IAM access keys
+- If suspicious or malicious activity is observed, immediately rotate and delete relevant AWS IAM access keys
 - Validate if any unauthorized new users were created, remove these accounts and request password resets for other IAM users
 - Look into enabling multi-factor authentication for users
 - Follow security best practices [outlined](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/) by AWS
diff --git a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
index 6d56ce4ba..514a74b92 100644
--- a/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
+++ b/rules/integrations/aws/persistence_ec2_network_acl_creation.toml
@@ -13,7 +13,7 @@ ACL with a specified rule number.
 false_positives = [
 """
 Network ACL's may be created by a network administrator. Verify whether the user identity, user agent, and/or
- hostname should be making changes in your environment. Network ACL creations from unfamiliar users or hosts should
+ hostname should be making changes in your environment. Network ACL creations by unfamiliar users or hosts should
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
index 1fcc2545c..e98e7f46f 100644
--- a/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
+++ b/rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
@@ -14,7 +14,7 @@ pivot in an AWS environment.
 false_positives = [
 """
 A security group may be created by a system or network administrator. Verify whether the user identity, user
- agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users
+ agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users
 or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/persistence_iam_group_creation.toml b/rules/integrations/aws/persistence_iam_group_creation.toml
index a0851382b..a898a74cd 100644
--- a/rules/integrations/aws/persistence_iam_group_creation.toml
+++ b/rules/integrations/aws/persistence_iam_group_creation.toml
@@ -13,7 +13,7 @@ users. Any user in a group automatically has the permissions that are assigned t
 false_positives = [
 """
 A group may be created by a system or network administrator. Verify whether the user identity, user agent, and/or
- hostname should be making changes in your environment. Group creations from unfamiliar users or hosts should be
+ hostname should be making changes in your environment. Group creations by unfamiliar users or hosts should be
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/persistence_rds_cluster_creation.toml b/rules/integrations/aws/persistence_rds_cluster_creation.toml
index 5f806d24a..2b1be4fae 100644
--- a/rules/integrations/aws/persistence_rds_cluster_creation.toml
+++ b/rules/integrations/aws/persistence_rds_cluster_creation.toml
@@ -13,7 +13,7 @@ across multiple regions.
 false_positives = [
 """
 Valid clusters may be created by a system or network administrator. Verify whether the user identity, user agent,
- and/or hostname should be making changes in your environment. Cluster creations from unfamiliar users or hosts
+ and/or hostname should be making changes in your environment. Cluster creations by unfamiliar users or hosts
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/persistence_rds_group_creation.toml b/rules/integrations/aws/persistence_rds_group_creation.toml
index 0b76f4502..59a850d34 100644
--- a/rules/integrations/aws/persistence_rds_group_creation.toml
+++ b/rules/integrations/aws/persistence_rds_group_creation.toml
@@ -10,7 +10,7 @@ description = "Identifies the creation of an Amazon Relational Database Service
 false_positives = [
 """
 An RDS security group may be created by a system or network administrator. Verify whether the user identity, user
- agent, and/or hostname should be making changes in your environment. Security group creations from unfamiliar users
+ agent, and/or hostname should be making changes in your environment. Security group creations by unfamiliar users
 or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/persistence_rds_instance_creation.toml b/rules/integrations/aws/persistence_rds_instance_creation.toml
index 9cd7f56c7..07a3b184d 100644
--- a/rules/integrations/aws/persistence_rds_instance_creation.toml
+++ b/rules/integrations/aws/persistence_rds_instance_creation.toml
@@ -10,7 +10,7 @@ description = "Identifies the creation of an Amazon Relational Database Service
 false_positives = [
 """
 A database instance may be created by a system or network administrator. Verify whether the user identity, user
- agent, and/or hostname should be making changes in your environment. Instances creations from unfamiliar users or
+ agent, and/or hostname should be making changes in your environment. Instances creations by unfamiliar users or
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/persistence_route_table_created.toml b/rules/integrations/aws/persistence_route_table_created.toml
index 1c90f0280..d260aeb4a 100644
--- a/rules/integrations/aws/persistence_route_table_created.toml
+++ b/rules/integrations/aws/persistence_route_table_created.toml
@@ -9,11 +9,10 @@ author = ["Elastic", "Austin Songer"]
 description = "Identifies when an AWS Route Table has been created."
 false_positives = [
 """
- Route Table being created may be done by a system or network administrator. Verify whether the user identity, user
- agent, and/or hostname should be making changes in your environment. Route Table being created from unfamiliar users or
+ Route Tables may be created by a system or network administrators. Verify whether the user identity, user
+ agent, and/or hostname should be making changes in your environment. Route Table creation by unfamiliar users or
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
-
- Automated processes that uses Terraform may lead to false positives.
+ Automated processes that use Terraform may lead to false positives.
 """,
 ]
 from = "now-60m"
diff --git a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
index f81c828cb..2ee0f37bd 100644
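Review bot: The rewritten line still reads `Instances creations by unfamiliar users or` — the plural noun used as a modifier is a typo that the from→by pass rewrote but did not fix. Since the line is already changing, make it `Instance creations by unfamiliar users or`, which also matches the `Cluster creations` and `Group creations` phrasing used by the sibling AWS rules in this patch.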
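Review bot: The new first line of the route-table false_positives entry, `Route Tables may be created by a system or network administrators.`, pairs a singular article with a plural noun. Either `Route Tables may be created by a system or network administrator.` or `Route Tables may be created by system or network administrators.` is fine; the first keeps the wording every other false_positives entry in this patch uses.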
--- a/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
+++ b/rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
@@ -12,7 +12,7 @@ false_positives = [
 Route Table could be modified or deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Route Table being modified from unfamiliar users should be investigated. If known behavior is causing false positives, it can be
- exempted from the rule. Also automated processes that uses Terraform may lead to false positives.
+ exempted from the rule. Also automated processes that use Terraform may lead to false positives.
 """,
 ]
 from = "now-60m"
diff --git a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
index 7753f121b..5fb7e84c7 100644
--- a/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
+++ b/rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
@@ -12,7 +12,7 @@ Identifies when SAML activity has occurred in AWS. An adversary could manipulate
 false_positives = [
 """
 SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or
- hostname should be making changes in your environment. SAML Provider being updated from unfamiliar users should
+ hostname should be making changes in your environment. SAML Provider updates by unfamiliar users should
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
index c71e33e4d..19c581c0e 100644
--- a/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
+++ b/rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
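Review bot: The unchanged context in this hunk still says `Route Table being modified from unfamiliar users should be investigated`, which leaves this file as the one false_positives entry in the patch that keeps the `from unfamiliar users` phrasing the commit replaces with `by` everywhere else (the SAML hunk further along this line got the same rewrite). Suggest `Route Table modifications by unfamiliar users should be investigated` while the file is already being touched. The three context lines of the string are collapsed into one here, so the exact line to edit is not recoverable from this view.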
@@ -12,7 +12,7 @@ AWS resources. An adversary could use those credentials to move laterally and es
 """
 false_positives = [
 """
- Automated processes that uses Terraform may lead to false positives.
+ Automated processes that use Terraform may lead to false positives.
 """,
 ]
 index = ["filebeat-*", "logs-aws*"]
diff --git a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
index 575fffb79..3541624e7 100644
--- a/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_event_hub_deletion.toml
@@ -13,7 +13,7 @@ volumes of events and data. An adversary may delete an Event Hub in an attempt t
 false_positives = [
 """
 Event Hub deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or
- resource name should be making changes in your environment. Event Hub deletions from unfamiliar users or hosts
+ resource name should be making changes in your environment. Event Hub deletions by unfamiliar users or hosts
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
index a2d68e4ff..0f77eecea 100644
--- a/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
@@ -8,12 +8,12 @@ integration = "azure"
 [rule]
 author = ["Elastic"]
 description = """
 Identifies the deletion of a firewall policy in Azure. An adversary may delete a firewall policy in an attempt to evade
-defenses and/or to eliminate barriers in carrying out their initiative.
+defenses and/or to eliminate barriers to their objective.
 """
 false_positives = [
 """
 Firewall policy deletions may be done by a system or network administrator. Verify whether the username, hostname,
- and/or resource name should be making changes in your environment. Firewall policy deletions from unfamiliar users
+ and/or resource name should be making changes in your environment. Firewall policy deletions by unfamiliar users
 or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
index 61a27b933..f19083c0c 100644
--- a/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
@@ -8,12 +8,12 @@ integration = "azure"
 [rule]
 author = ["Austin Songer"]
 description = """
 Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a Frontdoor Web Application Firewall
-(WAF) Policy in an attempt to evade defenses and/or to eliminate barriers in carrying out their initiative.
+(WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their objective.
 """
 false_positives = [
 """
 Azure Front Web Application Firewall (WAF) Policy deletions may be done by a system or network administrator. Verify whether the username,
- hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions from
+ hostname, and/or resource name should be making changes in your environment. Azure Front Web Application Firewall (WAF) Policy deletions by
 unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
index 678f46355..b5c43c684 100644
--- a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
+++ b/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
@@ -14,7 +14,7 @@ in Azure Kubernetes in an attempt to evade detection.
 false_positives = [
 """
 Events deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or
- resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts
+ resource name should be making changes in your environment. Events deletions by unfamiliar users or hosts
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
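Review bot: The `+` line in the false_positives text of defense_evasion_frontdoor_firewall_policy_deletion.toml keeps the service name as `Azure Front Web Application Firewall (WAF) Policy deletions by`, while the description a few lines above in the same hunk calls it a `Frontdoor Web Application Firewall (WAF) Policy` and the file name says frontdoor; since this commit is a wording pass, the name should be made consistent, presumably `Azure Front Door Web Application Firewall (WAF) Policy`. The same truncated name appears on the unchanged context line that opens the paragraph and should be fixed together with it.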
diff --git a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
index e63b13746..7661bcfbf 100644
--- a/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
@@ -14,7 +14,7 @@ attempt to evade defenses.
 false_positives = [
 """
 Network Watcher deletions may be done by a system or network administrator. Verify whether the username, hostname,
- and/or resource name should be making changes in your environment. Network Watcher deletions from unfamiliar users
+ and/or resource name should be making changes in your environment. Network Watcher deletions by unfamiliar users
 or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
index 8ec515650..9b87ebb86 100644
--- a/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
+++ b/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
@@ -13,7 +13,7 @@ of the environment.
 false_positives = [
 """
 Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname
- should be making changes in your environment. Pods deletions from unfamiliar users or hosts should be
+ should be making changes in your environment. Pods deletions by unfamiliar users or hosts should be
 investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/azure/impact_virtual_network_device_modified.toml b/rules/integrations/azure/impact_virtual_network_device_modified.toml
index aa188fa2b..7f13d6365 100644
--- a/rules/integrations/azure/impact_virtual_network_device_modified.toml
+++ b/rules/integrations/azure/impact_virtual_network_device_modified.toml
@@ -7,14 +7,14 @@ integration = "azure"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies when a virtual network device is being modified or deleted. This can be a network virtual
+Identifies when a virtual network device is modified or deleted. This can be a network virtual
 appliance, virtual hub, or virtual router.
 """
 false_positives = [
 """
- Virtual Network Device being modified or deleted may be performed by a system administrator. Verify
+ Virtual Network Device modification or deletion may be performed by a system administrator. Verify
 whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known
+ Virtual Network Device modification or deletion by unfamiliar users should be investigated. If known
 behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
index 31a8fc3d2..2c450b0a2 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
@@ -14,7 +14,7 @@ subscription is a named resource representing the stream of messages to be deliv
 false_positives = [
 """
 Subscription creations may be done by a system or network administrator. Verify whether the user email, resource
- name, and/or hostname should be making changes in your environment. Subscription creations from unfamiliar users or
+ name, and/or hostname should be making changes in your environment. Subscription creations by unfamiliar users or
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
index bc5ec634f..6eedb3269 100644
--- a/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
+++ b/rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
@@ -14,7 +14,7 @@ used to forward messages from publishers to subscribers.
 false_positives = [
 """
 Topic creations may be done by a system or network administrator. Verify whether the user email, resource name,
- and/or hostname should be making changes in your environment. Topic creations from unfamiliar users or hosts should
+ and/or hostname should be making changes in your environment. Topic creations by unfamiliar users or hosts should
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
index 6ea5923aa..fda783531 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
@@ -16,7 +16,7 @@ bucket to evade detection.
 false_positives = [
 """
 Logging bucket deletions may be done by a system or network administrator. Verify whether the user email, resource
- name, and/or hostname should be making changes in your environment. Logging bucket deletions from unfamiliar users
+ name, and/or hostname should be making changes in your environment. Logging bucket deletions by unfamiliar users
 or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
index b96485a7e..f36dce530 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
@@ -14,7 +14,7 @@ the sink's export destination. An adversary may delete a Logging sink to evade d
 false_positives = [
 """
 Logging sink deletions may be done by a system or network administrator. Verify whether the user email, resource
- name, and/or hostname should be making changes in your environment. Logging sink deletions from unfamiliar users or
+ name, and/or hostname should be making changes in your environment. Logging sink deletions by unfamiliar users or
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
index 98d0c4596..4e3f071d3 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
@@ -14,7 +14,7 @@ subscription is a named resource representing the stream of messages to be deliv
 false_positives = [
 """
 Subscription deletions may be done by a system or network administrator. Verify whether the user email, resource
- name, and/or hostname should be making changes in your environment. Subscription deletions from unfamiliar users or
+ name, and/or hostname should be making changes in your environment. Subscription deletions by unfamiliar users or
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
index 47c5e4a7f..2a7503df3 100644
--- a/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
+++ b/rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
@@ -14,7 +14,7 @@ application creates and sends messages to a topic. Deleting a topic can interrup
 false_positives = [
 """
 Topic deletions may be done by a system or network administrator. Verify whether the user email, resource name,
- and/or hostname should be making changes in your environment. Topic deletions from unfamiliar users or hosts should
+ and/or hostname should be making changes in your environment. Topic deletions by unfamiliar users or hosts should
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
index 686f1efe2..a46ed0a80 100644
--- a/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
+++ b/rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
@@ -14,7 +14,7 @@ role to inhibit access to accounts utilized by legitimate users.
 false_positives = [
 """
 Role deletions may be done by a system or network administrator. Verify whether the user email, resource name,
- and/or hostname should be making changes in your environment. Role deletions from unfamiliar users or hosts should
+ and/or hostname should be making changes in your environment. Role deletions by unfamiliar users or hosts should
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
index ad429ee8c..2b167ca40 100644
--- a/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
+++ b/rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
@@ -13,7 +13,7 @@ order to disrupt their target's business operations.
 false_positives = [
 """
 Storage buckets may be deleted by a system or network administrator. Verify whether the user email, resource name,
- and/or hostname should be making changes in your environment. Bucket deletions from unfamiliar users or hosts should
+ and/or hostname should be making changes in your environment. Bucket deletions by unfamiliar users or hosts should
 be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
index 491d14b64..380bc5e44 100644
--- a/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
+++ b/rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
@@ -14,7 +14,7 @@ not be updated automatically and could lead to privilege creep if not carefully
 false_positives = [
 """
 Custom role creations may be done by a system or network administrator. Verify whether the user email, resource
- name, and/or hostname should be making changes in your environment. Role creations from unfamiliar users or hosts
+ name, and/or hostname should be making changes in your environment. Role creations by unfamiliar users or hosts
 should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
index d33662201..1c336f2a1 100644
--- a/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
+++ b/rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
@@ -15,7 +15,7 @@ practice is to rotate your service account keys regularly.
 false_positives = [
 """
 Service account key deletions may be done by a system or network administrator. Verify whether the user email,
- resource name, and/or hostname should be making changes in your environment. Key deletions from unfamiliar users or
+ resource name, and/or hostname should be making changes in your environment. Key deletions by unfamiliar users or
 hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
index b98e6023a..059bc40c6 100644
--- a/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
+++ b/rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
@@ -7,8 +7,8 @@ integration = "gcp"
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
-Identifies the creation or patching of potential malicious rolebinding. You can assign these roles to Kubernetes subjects
-(users, groups, or service accounts) with role bindings and cluster role bindings.
+Identifies the creation or patching of potentially malicious role bindings. Users can use role bindings and cluster role
+bindings to assign roles to Kubernetes subjects (users, groups, or service accounts).
 """
 from = "now-20m"
 index = ["filebeat-*", "logs-gcp*"]
diff --git a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
index 0e63464cd..ba6ac980c 100644
--- a/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
+++ b/rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
@@ -7,7 +7,7 @@ integration = "o365"
 [rule]
 author = ["Austin Songer"]
 description = """
-Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.
+Identifies that a user has deleted an unusually large volume of files as reported by Microsoft Cloud App Security.
 """
 false_positives = ["Users or System Administrator cleaning out folders."]
 from = "now-30m"
diff --git a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
index 3d0010f2d..e6eea2db8 100644
--- a/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
+++ b/rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
@@ -7,8 +7,8 @@ integration = "o365"
 [rule]
 author = ["Elastic", "Austin Songer"]
 description = """
-Identifies the assignment of rights to accesss content from another mailbox. An adversary may use the compromised account
-to send messages to other accounts in the network of the target business while creating inbox rules, so messages can
+Identifies the assignment of rights to access content from another mailbox. An adversary may use the compromised account
+to send messages to other accounts in the network of the target organization while creating inbox rules, so messages can
 evade spam/phishing detection mechanisms.
 """
 false_positives = ["Assignment of rights to a service account."]
diff --git a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
index cc5e87363..1e0371d6b 100644
--- a/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
+++ b/rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
@@ -6,7 +6,7 @@ integration = "okta"
 [rule]
 author = ["Elastic", "Austin Songer"]
-description = "Identifies when an unauthorized access attempt is made by a user for an Okta application."
+description = "Identifies unauthorized access attempts to Okta applications."
 index = ["filebeat-*", "logs-okta*"]
 language = "kuery"
 license = "Elastic License v2"
diff --git a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
index 2fc6f0861..ad82885fc 100644
--- a/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
+++ b/rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
@@ -19,7 +19,7 @@ name = "Unexpected Child Process of macOS Screensaver Engine"
 note = """## Triage and analysis
 - Analyze the descendant processes of the ScreenSaverEngine process for malicious code and suspicious behavior such
-as downloading a payload from a server
+as a download of a payload from a server
 - Review the installed and activated screensaver on the host. Triage the screensaver (.saver) file that was triggered to identify whether the file is malicious or not.
 """
diff --git a/rules/ml/ml_rare_process_by_host_windows.toml b/rules/ml/ml_rare_process_by_host_windows.toml
index 81c6735fe..24cea4f49 100644
--- a/rules/ml/ml_rare_process_by_host_windows.toml
+++ b/rules/ml/ml_rare_process_by_host_windows.toml
@@ -27,7 +27,7 @@ note = """## Triage and analysis
 ### Investigating an Unusual Windows Process
 Searching for abnormal Windows processes is a good methodology to find potentially malicious activity within a network.
-By understanding what is commonly run within an environment and developing baselines for legitimate activity can help
+Understanding what is commonly run within an environment and developing baselines for legitimate activity can help
 uncover potential malware and suspicious behaviors.
 #### Possible investigation steps:
@@ -51,7 +51,7 @@ such as servers that have very unique software that might appear to be unusual,
 - Unusual Windows Process Calling the Metadata Service
 ### Response and Remediation
-- This rule is related to process execution events and should be immediately reviewed and investigated to determine if malicious
+- This rule is related to process execution events and should be immediately reviewed and investigated to determine if malicious.
 - Based on validation and if malicious, the impacted machine should be isolated and analyzed to determine other post-compromise behavior such as setting up persistence or performing lateral movement.
 - Look into preventive measures such as Windows Defender Application Control and AppLocker to gain better control on
diff --git a/rules/windows/credential_access_mimikatz_powershell_module.toml b/rules/windows/credential_access_mimikatz_powershell_module.toml
index 06caa216e..7a160d027 100644
--- a/rules/windows/credential_access_mimikatz_powershell_module.toml
+++ b/rules/windows/credential_access_mimikatz_powershell_module.toml
@@ -44,7 +44,7 @@ Atomic Red Team or through offensive/compromise assessments.
 - Modification of WDigest Security Provider
 ### Response and Remediation
-- Immediate response should be taken to review, investigate and potentially isolate activity to prevent further post-compromise
+- Take immediate action to review, investigate and potentially isolate activity to prevent further post-compromise
 behavior
 - During credential dump compromises, investigate the registry in order to check the number of cached users that have used the machine. These users should have their password reset.
diff --git a/rules/windows/credential_access_posh_minidump.toml b/rules/windows/credential_access_posh_minidump.toml
index b589e2b92..db01f57fa 100644
--- a/rules/windows/credential_access_posh_minidump.toml
+++ b/rules/windows/credential_access_posh_minidump.toml
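Review bot: Appending a period to `...should be immediately reviewed and investigated to determine if malicious.` in ml_rare_process_by_host_windows.toml leaves the bullet a fragment — "if malicious" has nothing it refers to, and "this rule ... should be reviewed" is not what the author means. Suggest `- Alerts from this rule are tied to process execution events and should be reviewed and investigated immediately to determine whether the activity is malicious.` The note block this bullet lives in continues beyond the hunk, so the neighbouring bullets are only partly visible.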
@@ -6,7 +6,7 @@ updated_date = "2021/11/30"
 [rule]
 author = ["Elastic"]
 description = """
-This rule detects PowerShell scripts that have capabilities to dump process memory using WindowsErrorReporting or
+This rule detects PowerShell scripts capable of dumping process memory using WindowsErrorReporting or
 Dbghelp.dll MiniDumpWriteDump. Attackers can use this tooling to dump LSASS and get access to credentials.
 """
 false_positives = ["Powershell Scripts that use this capability for troubleshooting."]
diff --git a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
index fbb2eed01..096a708b4 100644
--- a/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
+++ b/rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
@@ -28,20 +28,19 @@ using scripting and PowerShell to configure the different exclusions for Windows
 identify the source of the activity first and determine if there is any mal-intent behind the events.
 - The actual exclusion such as the process, the file or directory should be reviewed in order to determine the original intent behind the exclusion. Is the excluded file or process malicious in nature or is it related to software that needs
-to be legitimately whitelisted from Windows Defender?
+to be legitimately allowlisted from Windows Defender?
 ### False Positive Analysis
 - This rule has a higher chance to produce false positives based on the nature around configuring exclusions by possibly
-a network administrator. In order to validate the activity further, review the specific exclusion made and determine based
-on the exclusion of the original intent behind the exclusion. There are often many legitimate reasons why exclusions are made
-with Windows Defender so it's important to gain context around the exclusion.
+a network administrator. In order to validate the activity further, review the specific exclusion and based on its
+intent. There are many legitimate reasons for exclusions, so it's important to gain context.
 ### Related Rules
 - Windows Defender Disabled via Registry Modification
 - Disabling Windows Defender Security Settings via PowerShell
 ### Response and Remediation
-- Since this is related to post-exploitation activity, immediate response should be taken to review, investigate and
+- Since this is related to post-exploitation activity, take immediate action to review, investigate and
 potentially isolate further activity
 - If further analysis showed malicious intent was behind the Defender exclusions, administrators should remove the exclusion and ensure antimalware capability has not been disabled or deleted
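Review bot: The rewritten False Positive Analysis sentence on the `+` lines, `review the specific exclusion and based on its intent.`, is incomplete — "based on its intent" has no verb to attach to, so the guidance an analyst is meant to follow is lost. Suggest `a network administrator. In order to validate the activity further, review the specific exclusion and determine the intent behind it. There are many legitimate reasons for exclusions, so it's important to gain context.` Separately, `allowlisted from Windows Defender` on the first `+` line is an odd phrase for a Defender exclusion; `excluded from Windows Defender scanning` says what actually happened, though that is a minor wording choice.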
diff --git a/rules/windows/defense_evasion_masquerading_trusted_directory.toml b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
index 8c65d299a..ef8008c61 100644
--- a/rules/windows/defense_evasion_masquerading_trusted_directory.toml
+++ b/rules/windows/defense_evasion_masquerading_trusted_directory.toml
@@ -8,7 +8,7 @@ author = ["Elastic"]
 description = """
 Identifies execution from a directory masquerading as the Windows Program Files directories. These paths are trusted and usually host trusted third party programs. An adversary may leverage masquerading, along with low privileges to bypass
-detections whitelisting those folders.
+detections allowlisting those folders.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
diff --git a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
index a8890885c..725c11f15 100644
--- a/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
+++ b/rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
@@ -13,7 +13,7 @@ constraints, like internet and network lateral communication restrictions.
 false_positives = [
 """
 Windows Firewall can be disabled may be performed by a system administrator. Verify whether the user identity,
- user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled from
+ user agent, and/or hostname should be making changes in your environment. Windows Profile being disabled by
 unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
diff --git a/rules/windows/defense_evasion_suspicious_wmi_script.toml b/rules/windows/defense_evasion_suspicious_wmi_script.toml
index 3bbf5cd31..9dddd6cb0 100644
--- a/rules/windows/defense_evasion_suspicious_wmi_script.toml
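Review bot: In defense_evasion_powershell_windows_firewall_disabled.toml the hunk only swaps `from` for `by`, but the opening context sentence `Windows Firewall can be disabled may be performed by a system administrator.` is still ungrammatical, and `Windows Profile being disabled by` on the `+` line is vague — the rule's description in the hunk header talks about Windows Firewall, so this presumably means a firewall profile. Suggest `Windows Firewall may be disabled by a system administrator.` for the first sentence and `Windows Firewall profiles being disabled by unfamiliar users should be investigated.` for the second. Since this commit is a wording pass over the false_positives text, this is the natural place to fix both.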
+++ b/rules/windows/defense_evasion_suspicious_wmi_script.toml
@@ -6,8 +6,8 @@ updated_date = "2021/03/03"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies WMIC whitelisting bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting
-libraries it may be indicative of a whitelist bypass.
+Identifies WMIC allowlist bypass techniques by alerting on suspicious execution of scripts. When WMIC loads scripting
+libraries it may be indicative of an allowlist bypass.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
diff --git a/rules/windows/discovery_adfind_command_activity.toml b/rules/windows/discovery_adfind_command_activity.toml
index 9ac52ed80..9f4bff788 100644
--- a/rules/windows/discovery_adfind_command_activity.toml
+++ b/rules/windows/discovery_adfind_command_activity.toml
@@ -20,7 +20,7 @@ note = """## Triage and analysis
 ### Investigating AdFind Command Activity
 [AdFind](http://www.joeware.net/freetools/tools/adfind/) is a freely available command-line tool used to retrieve information from
-Activity Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways
+Active Directory (AD). Network discovery and enumeration tools like `AdFind` are useful to adversaries in the same ways
 they are effective for network administrators. This tool provides quick ability to scope AD person/computer objects and understand subnets and domain information. There are many [examples](https://thedfirreport.com/category/adfind/) observed where this tool has been adopted by ransomware and criminal groups and used in compromises.
@@ -31,11 +31,11 @@ the source of the activity. This could involve identifying the account using `A
 what information was retrieved, then further determining if these actions are in scope of that user's traditional responsibilities.
 - In multiple public references, `AdFind` is leveraged after initial access is achieved, review previous activity on impacted machine looking for suspicious indicators such as previous anti-virus/EDR alerts, phishing emails received, or network traffic
-to suspicious infrastructure
+to suspicious infrastructure.
 ### False Positive Analysis
 - This rule has the high chance to produce false positives as it is a legitimate tool used by network administrators. One
-option could be whitelisting specific users or groups who use the tool as part of their daily responsibilities. This can
+option could be allowlisting specific users or groups who use the tool as part of their daily responsibilities. This can
 be done by leveraging the exception workflow in the Kibana Security App or Elasticsearch API to tune this rule to your environment
 - Malicious behavior with `AdFind` should be investigated as part of a step within an attack chain. It doesn't happen in isolation, so reviewing previous logs/activity from impacted machines could be very telling.
@@ -46,7 +46,7 @@ isolation, so reviewing previous logs/activity from impacted machines could be v
 - Enumeration Command Spawned via WMIPrvSE
 ### Response and Remediation
-- Immediate response should be taken to validate activity, investigate and potentially isolate activity to prevent further
+- take immediate action to validate activity, investigate and potentially isolate activity to prevent further
 post-compromise behavior
 - It's important to understand that `AdFind` is an Active Directory enumeration tool and can be used for malicious or legitimate purposes, so understanding the intent behind the activity will help determine the appropropriate response.
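Review bot: The rewritten bullet in the @@ -46 hunk, `- take immediate action to validate activity, ...`, starts in lowercase while every other bullet in this list is capitalized (`- It's important ...`), so it should read `- Take immediate action to validate activity, investigate and potentially isolate activity to prevent further`. The unchanged line two below it still carries the typo `appropropriate`, which a wording review of this note should also catch. In the @@ -31 hunk, the context sentence ending `to tune this rule to your environment` still has no terminating period even though the commit adds one to `to suspicious infrastructure.` a few lines earlier.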
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
index c71175b97..c299e4c86 100644
--- a/rules/windows/lateral_movement_dns_server_overflow.toml
+++ b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -31,7 +31,7 @@ also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vu
 - This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate
 the source of the incoming traffic and determine if this activity has been observed previously within an environment.
 - Activity can be further investigated and validated by reviewing available corresponding Intrusion Detection Signatures (IDS) alerts associated with activity.
-- Further examination can be made by reviewing the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
+- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
 - Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.
 - Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.
@@ -39,8 +39,8 @@ the source of the incoming traffic and determine if this activity has been obser
 - Based on this rule which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.
-- This activity has the ability to be triggered from compliance/vulnerability scanning or compromise assessment, it's
-important to determine the source of the activity and potential whitelist the source host
+- This activity can be triggered by compliance/vulnerability scanning or compromise assessment, it's
+important to determine the source of the activity and potentially allowlist the source host.
 ### Related Rules
@@ -54,7 +54,7 @@ patched machines. If unable to patch immediately: Microsoft [released](https://s
 restart. This can be used as a temporary solution before the patch is applied.
 - Maintain backups of your critical systems to aid in quick recovery.
 - Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.
-- If observed true positive activity, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
+- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
 """
 references = [
diff --git a/rules/windows/lateral_movement_scheduled_task_target.toml b/rules/windows/lateral_movement_scheduled_task_target.toml
index 665641a28..ba161aef6 100644
--- a/rules/windows/lateral_movement_scheduled_task_target.toml
+++ b/rules/windows/lateral_movement_scheduled_task_target.toml
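Review bot: The new line `- This activity can be triggered by compliance/vulnerability scanning or compromise assessment, it's` keeps the comma splice of the line it replaces; `... or compromise assessment; it's` (or a full stop and `It's`) reads correctly. The same splice survives in the scheduled-task hunk @@ -39,8 +40,8 further down, where `... persistence or lateral movement, immediately review and` would also benefit from a semicolon or a sentence break before `immediately`.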
@@ -15,12 +15,13 @@ note = """## Triage and analysis
 ### Investigating Creation of Remote Scheduled Tasks
-[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great mechanism used for persistence and executing programs. These features can
+[Scheduled tasks](https://docs.microsoft.com/en-us/windows/win32/taskschd/about-the-task-scheduler) are a great
+mechanism for persistence and program execution. These features can
 be used remotely for a variety of legitimate reasons, but at the same time used by malware and adversaries.
-When investigating scheduled tasks that have been set-up remotely, one of the first methods should be determining the
-original intent behind the configuration and verify if the activity is tied to benign behavior such as software installations or any kind
+When investigating scheduled tasks that were set up remotely, one of the first steps should be to determine the
+original intent behind the configuration and to verify if the activity is tied to benign behavior such as software installation or any kind
 of network administrator work. One objective for these alerts is to understand the configured action within the scheduled
-task, this is captured within the registry event data for this rule and can be base64 decoded to view the value.
+task. This is captured within the registry event data for this rule and can be base64 decoded to view the value.
 #### Possible investigation steps:
 - Review the base64 encoded tasks actions registry value to investigate the task configured action.
@@ -39,8 +40,8 @@ further understand the source of the activity and determine the intent based on
 - Remotely Started Services via RPC
 ### Response and Remediation
-- This behavior represents post-exploitation actions such as persistence or lateral movement, immediate response should
-be taken to review and investigate the activity and potentially isolate involved machines to prevent further post-compromise
+- This behavior represents post-exploitation actions such as persistence or lateral movement, immediately review and
+investigate the activity and potentially isolate involved machines to prevent further post-compromise
 behavior.
 - Remove scheduled task and any other related artifacts to the activity.
 - Review privileged account management and user account management settings such as implementing GPO policies to further
diff --git a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
index cac45e7da..81643fa28 100644
--- a/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
+++ b/rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
@@ -20,8 +20,8 @@ note = """## Triage and analysis
 Techniques used within malware and by adversaries often leverage the Windows registry to store malicious programs for persistence. Startup shell folders are often targeted as they are not as prevalent as normal Startup folder paths so this
-behavior may evade existing AV/EDR solutions. Another preference is that these programs might run with higher privileges
-which can be ideal for an attacker.
+behavior may evade existing AV/EDR solutions. These programs may also run with higher privileges which can be ideal for
+an attacker.
 #### Possible investigation steps:
 - Review the source process and related file tied to the Windows Registry entry
@@ -32,17 +32,17 @@ installations
 ### False Positive Analysis
 - There is a high possibility of benign legitimate programs being added to Shell folders. This activity could be based on new software installations, patches, or any kind of network administrator related activity. Before entering further
-investigation, this activity should be validated that is it not related to benign activity
+investigation, it should be verified that this activity is not benign.
 ### Related Rules
 - Startup or Run Key Registry Modification
 - Persistent Scripts in the Startup Directory
 ### Response and Remediation
-- Activity should first be validated as a true positive event if so then immediate response should be taken to review,
+- Activity should first be validated as a true positive event if so then take immediate action to review,
 investigate and potentially isolate activity to prevent further post-compromise behavior
 - The respective binary or program tied to this persistence method should be further analyzed and reviewed to understand
-it's behavior and capabilities
+its behavior and capabilities
 - Since this activity is considered post-exploitation behavior, it's important to understand how the behavior was first initialized such as through a macro-enabled document that was attached in a phishing email. By understanding the source of the attack, this information can then be used to search for similar indicators on other machines in the same environment.
diff --git a/rules/windows/persistence_user_account_creation_event_logs.toml b/rules/windows/persistence_user_account_creation_event_logs.toml
index e6969573c..2ddd2e4d0 100644
--- a/rules/windows/persistence_user_account_creation_event_logs.toml
+++ b/rules/windows/persistence_user_account_creation_event_logs.toml
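Review bot: The rewritten bullet `- Activity should first be validated as a true positive event if so then take immediate action to review,` still runs the condition and the instruction together; punctuating it as `- Activity should first be validated as a true positive event; if so, take immediate action to review,` makes the conditional explicit for the analyst. The following context line `investigate and potentially isolate activity to prevent further post-compromise behavior` and the new line `its behavior and capabilities` both still lack a terminating period, unlike the other bullets this commit touches in the same note.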
@@ -12,7 +12,7 @@ domain.
 false_positives = [
 """
 Legitimate local user creations may be done by a system or network administrator. Verify whether this is known
- behavior in your environment. Local user creations from unfamiliar users or hosts should be investigated. If known
+ behavior in your environment. Local user creations by unfamiliar users or hosts should be investigated. If known
 behavior is causing false positives, it can be exempted from the rule.
 """,
 ]