diff --git a/detection_rules/schemas/definitions.py b/detection_rules/schemas/definitions.py index 1fb005e29..4716a6022 100644 --- a/detection_rules/schemas/definitions.py +++ b/detection_rules/schemas/definitions.py @@ -13,22 +13,22 @@ from marshmallow_dataclass import NewType ASSET_TYPE = "security_rule" SAVED_OBJECT_TYPE = "security-rule" -DATE_PATTERN = r'\d{4}/\d{2}/\d{2}' +DATE_PATTERN = r'^\d{4}/\d{2}/\d{2}$' MATURITY_LEVELS = ['development', 'experimental', 'beta', 'production', 'deprecated'] OS_OPTIONS = ['windows', 'linux', 'macos'] -PR_PATTERN = r'^$|\d+' -SHA256_PATTERN = r'[a-fA-F0-9]{64}' -UUID_PATTERN = r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}' +PR_PATTERN = r'^$|\d+$' +SHA256_PATTERN = r'^[a-fA-F0-9]{64}$' +UUID_PATTERN = r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' _version = r'\d+\.\d+(\.\d+[\w-]*)*' CONDITION_VERSION_PATTERN = rf'^\^{_version}$' VERSION_PATTERN = f'^{_version}$' BRANCH_PATTERN = f'{VERSION_PATTERN}|^master$' -INTERVAL_PATTERN = r'\d+[mshd]' -TACTIC_URL = r'https://attack.mitre.org/tactics/TA[0-9]+/' -TECHNIQUE_URL = r'https://attack.mitre.org/techniques/T[0-9]+/' -SUBTECHNIQUE_URL = r'https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/' +INTERVAL_PATTERN = r'^\d+[mshd]$' +TACTIC_URL = r'^https://attack.mitre.org/tactics/TA[0-9]+/$' +TECHNIQUE_URL = r'^https://attack.mitre.org/techniques/T[0-9]+/$' +SUBTECHNIQUE_URL = r'^https://attack.mitre.org/techniques/T[0-9]+/[0-9]+/$' MACHINE_LEARNING = 'machine_learning' SAVED_QUERY = 'saved_query' QUERY = 'query' diff --git a/rules/_deprecated/exfiltration_rds_snapshot_export.toml b/rules/_deprecated/exfiltration_rds_snapshot_export.toml new file mode 100644 index 000000000..ba289d37a --- /dev/null +++ b/rules/_deprecated/exfiltration_rds_snapshot_export.toml @@ -0,0 +1,47 @@ +[metadata] +creation_date = "2021/06/06" +deprecation_date = "2021/08/02" +integration = "aws" +maturity = "deprecated" +updated_date = "2021/08/02" + +[rule] +author = ["Elastic"] +description = "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot." +false_positives = [ + """ + Exporting snapshots may be done by a system or network administrator. Verify whether the user identity, user agent, + and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should + be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-60m" +index = ["filebeat-*", "logs-aws*"] +interval = "10m" +language = "kuery" +license = "Elastic License v2" +name = "AWS RDS Snapshot Export" +note = """## Config + +The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"] +risk_score = 21 +rule_id = "119c8877-8613-416d-a98a-96b6664ee73a5" +severity = "low" +tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"] +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" + +[rule.threat.tactic] +name = "Exfiltration" +id = "TA0010" +reference = "https://attack.mitre.org/tactics/TA0010/" + diff --git a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml index cdef2f6ab..16f081725 100644 --- a/rules/integrations/aws/exfiltration_rds_snapshot_export.toml +++ b/rules/integrations/aws/exfiltration_rds_snapshot_export.toml @@ -25,7 +25,7 @@ note = """## Config The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"] risk_score = 21 -rule_id = "119c8877-8613-416d-a98a-96b6664ee73a5" +rule_id = "119c8877-8613-416d-a98a-96b6664ee73a" severity = "low" tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"] timestamp_override = "event.ingested" @@ -40,7 +40,7 @@ event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.acti framework = "MITRE ATT&CK" [rule.threat.tactic] -id = "TA0010" name = "Exfiltration" +id = "TA0010" reference = "https://attack.mitre.org/tactics/TA0010/"