diff --git a/rules/linux/command_and_control_cat_network_activity.toml b/rules/linux/command_and_control_cat_network_activity.toml index dae299664..d576b75ea 100644 --- a/rules/linux/command_and_control_cat_network_activity.toml +++ b/rules/linux/command_and_control_cat_network_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -26,25 +26,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/command_and_control_linux_chisel_client_activity.toml b/rules/linux/command_and_control_linux_chisel_client_activity.toml index 504dcfd26..141d91071 100644 --- a/rules/linux/command_and_control_linux_chisel_client_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_client_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -31,25 +31,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/command_and_control_linux_chisel_server_activity.toml b/rules/linux/command_and_control_linux_chisel_server_activity.toml index 4f35798d8..e979d04e4 100644 --- a/rules/linux/command_and_control_linux_chisel_server_activity.toml +++ b/rules/linux/command_and_control_linux_chisel_server_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -31,25 +31,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/command_and_control_linux_kworker_netcon.toml b/rules/linux/command_and_control_linux_kworker_netcon.toml index 3275a312a..fe416ebb3 100644 --- a/rules/linux/command_and_control_linux_kworker_netcon.toml +++ b/rules/linux/command_and_control_linux_kworker_netcon.toml @@ -23,8 +23,7 @@ risk_score = 21 rule_id = "25d917c4-aa3c-4111-974c-286c0312ff95" setup = """ -This rule requires data coming in from one of the following integrations: -- Elastic Defend +This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows diff --git a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml index f7686c53c..1a731d9f0 100644 --- a/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml +++ b/rules/linux/command_and_control_linux_suspicious_proxychains_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,25 +27,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml index b70caa291..14b75139e 100644 --- a/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml +++ b/rules/linux/command_and_control_linux_tunneling_and_port_forwarding.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -29,25 +29,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml index 5a365395a..8e017be62 100644 --- a/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml +++ b/rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/10/17" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -61,7 +61,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). ### Filebeat Setup Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. @@ -72,18 +72,17 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). - To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). - For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). -- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). - +- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). ### Packetbeat Setup Packetbeat is a real-time network packet analyzer that you can use for application monitoring, performance analytics, and threat detection. Packetbeat works by capturing the network traffic between your application servers, decoding the application layer protocols (HTTP, MySQL, Redis, and so on), correlating the requests with the responses, and recording the interesting fields for each transaction. -#### The following steps should be executed in order to add the Packetbeat on a Linux System: +#### The following steps should be executed in order to add the Packetbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setup-repositories.html). - To run Packetbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/running-on-docker.html). - For quick start information for Packetbeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-installation-configuration.html). -- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Packetbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/packetbeat/current/setting-up-and-running.html). """ severity = "low" diff --git a/rules/linux/command_and_control_tunneling_via_earthworm.toml b/rules/linux/command_and_control_tunneling_via_earthworm.toml index 5d905a853..9c1439397 100644 --- a/rules/linux/command_and_control_tunneling_via_earthworm.toml +++ b/rules/linux/command_and_control_tunneling_via_earthworm.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -26,39 +26,40 @@ risk_score = 47 rule_id = "9f1c4ca3-44b5-481d-ba42-32dc215a2769" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). diff --git a/rules/linux/credential_access_collection_sensitive_files.toml b/rules/linux/credential_access_collection_sensitive_files.toml index 9a30bc6cd..81931d4f5 100644 --- a/rules/linux/credential_access_collection_sensitive_files.toml +++ b/rules/linux/credential_access_collection_sensitive_files.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/10/23" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -24,7 +24,10 @@ risk_score = 47 rule_id = "6b84d470-9036-4cc0-a27c-6d90bbfe81ab" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat + ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows @@ -35,28 +38,28 @@ the Elastic Agent to monitor events on your host and send data to the Elastic Se - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). - We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" diff --git a/rules/linux/credential_access_credential_dumping.toml b/rules/linux/credential_access_credential_dumping.toml index 074fac608..412374a82 100644 --- a/rules/linux/credential_access_credential_dumping.toml +++ b/rules/linux/credential_access_credential_dumping.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -31,25 +31,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/credential_access_gdb_init_memory_dump.toml b/rules/linux/credential_access_gdb_init_memory_dump.toml index b912d96d8..e0cec14d8 100644 --- a/rules/linux/credential_access_gdb_init_memory_dump.toml +++ b/rules/linux/credential_access_gdb_init_memory_dump.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -29,25 +29,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml index 1c5d941ef..be4c0071c 100644 --- a/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml +++ b/rules/linux/credential_access_potential_linux_local_account_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,25 +25,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml index dcb632944..97cf8340b 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/17" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -61,8 +61,7 @@ risk_score = 21 rule_id = "fa210b61-b627-4e5e-86f4-17e8270656ab" setup = """ -This rule requires data coming in from one of the following integrations: -- Filebeat +This rule requires data coming in from Filebeat. ### Filebeat Setup Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. @@ -73,10 +72,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). - To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). - For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). -- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). +- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). #### Rule Specific Setup Note -- This rule requires the Filebeat System Module to be enabled. +- This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). diff --git a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml index 1b942ca18..bacd6e116 100644 --- a/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml +++ b/rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/17" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -57,8 +57,7 @@ risk_score = 47 rule_id = "1c27fa22-7727-4dd3-81c0-de6da5555feb" setup = """ -This rule requires data coming in from one of the following integrations: -- Filebeat +This rule requires data coming in from Filebeat. ### Filebeat Setup Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. @@ -69,10 +68,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). - To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). - For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). -- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). +- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). #### Rule Specific Setup Note -- This rule requires the Filebeat System Module to be enabled. +- This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). diff --git a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml index c9593d0bd..fcba9634c 100644 --- a/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,31 +25,33 @@ risk_score = 47 rule_id = "66712812-e7f2-4a1d-bbda-dd0b5cf20c5d" setup = """ -This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration. +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Auditd Manager ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). ### Auditd Manager Integration Setup The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. #### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Auditd Manager and select the integration to see more details about it. -- Click Add Auditd Manager. +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. - Configure the integration name and optionally add a description. - Review optional and advanced settings accordingly. -- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. -- Click Save and Continue. -- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). #### Rule Specific Setup Note Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. diff --git a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml index 7b22d29c1..297d5b761 100644 --- a/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,31 +25,33 @@ risk_score = 47 rule_id = "521fbe5c-a78d-4b6b-a323-f978b0e4c4c0" setup = """ -This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration. +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Auditd Manager ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). ### Auditd Manager Integration Setup The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. #### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Auditd Manager and select the integration to see more details about it. -- Click Add Auditd Manager. +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. - Configure the integration name and optionally add a description. - Review optional and advanced settings accordingly. -- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. -- Click Save and Continue. -- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). #### Rule Specific Setup Note Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. diff --git a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml index 3d086210c..54d58ed62 100644 --- a/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml +++ b/rules/linux/credential_access_potential_successful_linux_ssh_bruteforce.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/17" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -63,7 +63,7 @@ Auditbeat is a lightweight shipper that you can install on your servers to audit - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). ### Filebeat Setup Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. @@ -74,10 +74,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). - To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). - For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). -- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). +- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). #### Rule Specific Setup Note -- This rule requires the Filebeat System Module to be enabled. +- This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). diff --git a/rules/linux/credential_access_proc_credential_dumping.toml b/rules/linux/credential_access_proc_credential_dumping.toml index 33c1f08b7..e5e2399e4 100644 --- a/rules/linux/credential_access_proc_credential_dumping.toml +++ b/rules/linux/credential_access_proc_credential_dumping.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -30,25 +30,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/credential_access_ssh_backdoor_log.toml b/rules/linux/credential_access_ssh_backdoor_log.toml index a853ae8fc..c7d883179 100644 --- a/rules/linux/credential_access_ssh_backdoor_log.toml +++ b/rules/linux/credential_access_ssh_backdoor_log.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/19" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,39 +27,40 @@ risk_score = 73 rule_id = "f28e2be4-6eca-4349-bdd9-381573730c22" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). diff --git a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml index a12712aae..d9fafe68a 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_iptables_or_firewall.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -24,25 +24,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml index 5e04ea59b..644ed904f 100644 --- a/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml +++ b/rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -21,39 +21,40 @@ risk_score = 47 rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" diff --git a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml index 36665e37c..93bcb474a 100644 --- a/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml +++ b/rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -24,39 +24,40 @@ risk_score = 21 rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "low" diff --git a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml index a092ad3ad..f25bd9e60 100644 --- a/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml +++ b/rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,25 +25,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/defense_evasion_chattr_immutable_file.toml b/rules/linux/defense_evasion_chattr_immutable_file.toml index 566cd4acc..f0ec2bf0e 100644 --- a/rules/linux/defense_evasion_chattr_immutable_file.toml +++ b/rules/linux/defense_evasion_chattr_immutable_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/12" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -24,39 +24,40 @@ risk_score = 47 rule_id = "968ccab9-da51-4a87-9ce2-d3c9782fd759" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). diff --git a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml index c6c03b022..f0e6bf8aa 100644 --- a/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml +++ b/rules/linux/defense_evasion_clear_kernel_ring_buffer.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/24" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -24,25 +24,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/defense_evasion_disable_apparmor_attempt.toml b/rules/linux/defense_evasion_disable_apparmor_attempt.toml index 6b060383b..1a7896e5d 100644 --- a/rules/linux/defense_evasion_disable_apparmor_attempt.toml +++ b/rules/linux/defense_evasion_disable_apparmor_attempt.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,25 +25,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/defense_evasion_disable_selinux_attempt.toml b/rules/linux/defense_evasion_disable_selinux_attempt.toml index 841ca4f4a..a7d4c9760 100644 --- a/rules/linux/defense_evasion_disable_selinux_attempt.toml +++ b/rules/linux/defense_evasion_disable_selinux_attempt.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -22,39 +22,40 @@ risk_score = 47 rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" diff --git a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml index f155f0983..bdd999459 100644 --- a/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml +++ b/rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -30,25 +30,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/defense_evasion_file_deletion_via_shred.toml b/rules/linux/defense_evasion_file_deletion_via_shred.toml index 828fc9709..09ea2aa8f 100644 --- a/rules/linux/defense_evasion_file_deletion_via_shred.toml +++ b/rules/linux/defense_evasion_file_deletion_via_shred.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,25 +25,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/defense_evasion_file_mod_writable_dir.toml b/rules/linux/defense_evasion_file_mod_writable_dir.toml index 1f7d0900f..98fcc694e 100644 --- a/rules/linux/defense_evasion_file_mod_writable_dir.toml +++ b/rules/linux/defense_evasion_file_mod_writable_dir.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/25" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,39 +27,40 @@ risk_score = 21 rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "low" diff --git a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml index 4bc87d73a..4422a4d67 100644 --- a/rules/linux/defense_evasion_hidden_file_dir_tmp.toml +++ b/rules/linux/defense_evasion_hidden_file_dir_tmp.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/12" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -29,39 +29,40 @@ risk_score = 47 rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). diff --git a/rules/linux/defense_evasion_hidden_shared_object.toml b/rules/linux/defense_evasion_hidden_shared_object.toml index 9f0fdc4ce..248b097fb 100644 --- a/rules/linux/defense_evasion_hidden_shared_object.toml +++ b/rules/linux/defense_evasion_hidden_shared_object.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/12" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -23,39 +23,40 @@ risk_score = 47 rule_id = "766d3f91-3f12-448c-b65f-20123e9e9e8c" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). diff --git a/rules/linux/defense_evasion_kernel_module_removal.toml b/rules/linux/defense_evasion_kernel_module_removal.toml index 249580820..08f152fb3 100644 --- a/rules/linux/defense_evasion_kernel_module_removal.toml +++ b/rules/linux/defense_evasion_kernel_module_removal.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -32,25 +32,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/defense_evasion_log_files_deleted.toml b/rules/linux/defense_evasion_log_files_deleted.toml index e8bd27f95..66aeee81a 100644 --- a/rules/linux/defense_evasion_log_files_deleted.toml +++ b/rules/linux/defense_evasion_log_files_deleted.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/12" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -24,39 +24,40 @@ risk_score = 47 rule_id = "aa895aea-b69c-4411-b110-8d7599634b30" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). diff --git a/rules/linux/defense_evasion_mount_execution.toml b/rules/linux/defense_evasion_mount_execution.toml index 31af2971b..78ac321cb 100644 --- a/rules/linux/defense_evasion_mount_execution.toml +++ b/rules/linux/defense_evasion_mount_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -32,25 +32,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/defense_evasion_potential_proot_exploits.toml b/rules/linux/defense_evasion_potential_proot_exploits.toml index a9f3c1055..426f6a76f 100644 --- a/rules/linux/defense_evasion_potential_proot_exploits.toml +++ b/rules/linux/defense_evasion_potential_proot_exploits.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -35,25 +35,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/defense_evasion_rename_esxi_files.toml b/rules/linux/defense_evasion_rename_esxi_files.toml index 4929de649..3e92debd9 100644 --- a/rules/linux/defense_evasion_rename_esxi_files.toml +++ b/rules/linux/defense_evasion_rename_esxi_files.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -28,25 +28,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/defense_evasion_rename_esxi_index_file.toml b/rules/linux/defense_evasion_rename_esxi_index_file.toml index a010bad46..bf24c7683 100644 --- a/rules/linux/defense_evasion_rename_esxi_index_file.toml +++ b/rules/linux/defense_evasion_rename_esxi_index_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -28,25 +28,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/discovery_esxi_software_via_find.toml b/rules/linux/discovery_esxi_software_via_find.toml index 8e1676fe5..7257d2f97 100644 --- a/rules/linux/discovery_esxi_software_via_find.toml +++ b/rules/linux/discovery_esxi_software_via_find.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -30,25 +30,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/discovery_esxi_software_via_grep.toml b/rules/linux/discovery_esxi_software_via_grep.toml index 3cbc07a56..780bf18a0 100644 --- a/rules/linux/discovery_esxi_software_via_grep.toml +++ b/rules/linux/discovery_esxi_software_via_grep.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -29,25 +29,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/discovery_kernel_module_enumeration.toml b/rules/linux/discovery_kernel_module_enumeration.toml index 0dbf80516..334bc4366 100644 --- a/rules/linux/discovery_kernel_module_enumeration.toml +++ b/rules/linux/discovery_kernel_module_enumeration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -31,25 +31,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/discovery_linux_hping_activity.toml b/rules/linux/discovery_linux_hping_activity.toml index fa4fa6f15..05b256ac9 100644 --- a/rules/linux/discovery_linux_hping_activity.toml +++ b/rules/linux/discovery_linux_hping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -28,39 +28,40 @@ risk_score = 47 rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" diff --git a/rules/linux/discovery_linux_nping_activity.toml b/rules/linux/discovery_linux_nping_activity.toml index b006ad4ee..1242b8c6d 100644 --- a/rules/linux/discovery_linux_nping_activity.toml +++ b/rules/linux/discovery_linux_nping_activity.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -28,39 +28,40 @@ risk_score = 47 rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" diff --git a/rules/linux/discovery_ping_sweep_detected.toml b/rules/linux/discovery_ping_sweep_detected.toml index ed58852ee..a0f919c15 100644 --- a/rules/linux/discovery_ping_sweep_detected.toml +++ b/rules/linux/discovery_ping_sweep_detected.toml @@ -22,8 +22,7 @@ risk_score = 47 rule_id = "03c23d45-d3cb-4ad4-ab5d-b361ffe8724a" setup = """ -This rule requires data coming in from one of the following integrations: -- Elastic Defend +This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows diff --git a/rules/linux/discovery_pspy_process_monitoring_detected.toml b/rules/linux/discovery_pspy_process_monitoring_detected.toml index 834343f22..171641a7f 100644 --- a/rules/linux/discovery_pspy_process_monitoring_detected.toml +++ b/rules/linux/discovery_pspy_process_monitoring_detected.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/12" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -24,21 +24,21 @@ risk_score = 21 rule_id = "bdb04043-f0e3-4efa-bdee-7d9d13fa9edc" setup = """ -This rule requires data coming in from Auditd Manager integration. +This rule requires data coming in from Auditd Manager. ### Auditd Manager Integration Setup The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. #### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Auditd Manager and select the integration to see more details about it. -- Click Add Auditd Manager. +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. - Configure the integration name and optionally add a description. - Review optional and advanced settings accordingly. -- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. -- Click Save and Continue. -- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). #### Rule Specific Setup Note Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. diff --git a/rules/linux/discovery_sudo_allowed_command_enumeration.toml b/rules/linux/discovery_sudo_allowed_command_enumeration.toml index 54946d26d..3730ba69d 100644 --- a/rules/linux/discovery_sudo_allowed_command_enumeration.toml +++ b/rules/linux/discovery_sudo_allowed_command_enumeration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,25 +25,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/discovery_suid_sguid_enumeration.toml b/rules/linux/discovery_suid_sguid_enumeration.toml index aa1a36374..95e93fd6c 100644 --- a/rules/linux/discovery_suid_sguid_enumeration.toml +++ b/rules/linux/discovery_suid_sguid_enumeration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,25 +27,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/discovery_unusual_user_enumeration_via_id.toml b/rules/linux/discovery_unusual_user_enumeration_via_id.toml index 3137222fe..9c0eb17df 100644 --- a/rules/linux/discovery_unusual_user_enumeration_via_id.toml +++ b/rules/linux/discovery_unusual_user_enumeration_via_id.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,25 +25,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/discovery_virtual_machine_fingerprinting.toml b/rules/linux/discovery_virtual_machine_fingerprinting.toml index eb0b20e16..2eaaf3647 100644 --- a/rules/linux/discovery_virtual_machine_fingerprinting.toml +++ b/rules/linux/discovery_virtual_machine_fingerprinting.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -28,39 +28,40 @@ risk_score = 73 rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "high" diff --git a/rules/linux/execution_abnormal_process_id_file_created.toml b/rules/linux/execution_abnormal_process_id_file_created.toml index 0a9a75116..3777d753c 100644 --- a/rules/linux/execution_abnormal_process_id_file_created.toml +++ b/rules/linux/execution_abnormal_process_id_file_created.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -79,25 +79,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml index ad1f06075..569af1415 100644 --- a/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml +++ b/rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." min_stack_version = "8.6.0" -updated_date = "2023/10/11" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -33,40 +33,38 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). Elastic Defend integration does not collect environment variable logging by default. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration. #### To set up environment variable capture for an Elastic Agent policy: -- Go to Security → Manage → Policies. -- Select an Elastic Agent policy. -- Click Show advanced settings. -- Scroll down or search for linux.advanced.capture_env_vars. -- Enter the names of env vars you want to capture, separated by commas. +- Go to “Security → Manage → Policies”. +- Select an “Elastic Agent policy”. +- Click “Show advanced settings”. +- Scroll down or search for “linux.advanced.capture_env_vars”. +- Enter the names of environment variables you want to capture, separated by commas. - For this rule the linux.advanced.capture_env_vars variable should be set to "http_proxy,HTTPS_PROXY,ALL_PROXY". -- Click Save. -After saving the integration change, the Elastic Agents running this policy will be updated and -the rule will function properly. -For more information on capturing environment variables refer the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). +- Click “Save”. +After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. +For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). """ severity = "medium" diff --git a/rules/linux/execution_file_execution_followed_by_deletion.toml b/rules/linux/execution_file_execution_followed_by_deletion.toml index ecec2d920..29389ee03 100644 --- a/rules/linux/execution_file_execution_followed_by_deletion.toml +++ b/rules/linux/execution_file_execution_followed_by_deletion.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,25 +25,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml index c91af8b5a..1f860d513 100644 --- a/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml +++ b/rules/linux/execution_file_transfer_or_listener_established_via_netcat.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -76,39 +76,40 @@ risk_score = 47 rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" diff --git a/rules/linux/execution_interpreter_tty_upgrade.toml b/rules/linux/execution_interpreter_tty_upgrade.toml index 64c68f7bc..b883f27cb 100644 --- a/rules/linux/execution_interpreter_tty_upgrade.toml +++ b/rules/linux/execution_interpreter_tty_upgrade.toml @@ -2,7 +2,7 @@ creation_date = "2023/09/20" integration = ["endpoint"] maturity = "production" -updated_date = "2023/10/19" +updated_date = "2023/11/02" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -22,12 +22,10 @@ risk_score = 47 rule_id = "84d1f8db-207f-45ab-a578-921d91c23eb2" setup = """ -This rule requires data coming in from one of the following integrations: -- Elastic Defend +This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. @@ -40,7 +38,7 @@ the Elastic Agent to monitor events on your host and send data to the Elastic Se - Configure the integration name and optionally add a description. - Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" - Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). - Click "Save and Continue". diff --git a/rules/linux/execution_nc_listener_via_rlwrap.toml b/rules/linux/execution_nc_listener_via_rlwrap.toml index ed9ce7406..a08fcd393 100644 --- a/rules/linux/execution_nc_listener_via_rlwrap.toml +++ b/rules/linux/execution_nc_listener_via_rlwrap.toml @@ -29,8 +29,7 @@ risk_score = 21 rule_id = "0f56369f-eb3d-459c-a00b-87c2bf7bdfc5" setup = """ -This rule requires data coming in from one of the following integrations: -- Elastic Defend +This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows diff --git a/rules/linux/execution_network_event_post_compilation.toml b/rules/linux/execution_network_event_post_compilation.toml index 748785e0a..13f948802 100644 --- a/rules/linux/execution_network_event_post_compilation.toml +++ b/rules/linux/execution_network_event_post_compilation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,25 +25,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_perl_tty_shell.toml b/rules/linux/execution_perl_tty_shell.toml index a091c5a58..d36348aa5 100644 --- a/rules/linux/execution_perl_tty_shell.toml +++ b/rules/linux/execution_perl_tty_shell.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -21,39 +21,40 @@ risk_score = 73 rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "high" diff --git a/rules/linux/execution_potential_hack_tool_executed.toml b/rules/linux/execution_potential_hack_tool_executed.toml index db74f1391..7d116f4cd 100644 --- a/rules/linux/execution_potential_hack_tool_executed.toml +++ b/rules/linux/execution_potential_hack_tool_executed.toml @@ -22,8 +22,7 @@ risk_score = 47 rule_id = "1df1152b-610a-4f48-9d7a-504f6ee5d9da" setup = """ -This rule requires data coming in from one of the following integrations: -- Elastic Defend +This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows diff --git a/rules/linux/execution_process_started_from_process_id_file.toml b/rules/linux/execution_process_started_from_process_id_file.toml index fde6c8d2a..c70c71ee0 100644 --- a/rules/linux/execution_process_started_from_process_id_file.toml +++ b/rules/linux/execution_process_started_from_process_id_file.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -47,25 +47,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_process_started_in_shared_memory_directory.toml b/rules/linux/execution_process_started_in_shared_memory_directory.toml index cd552764c..d15be4abe 100644 --- a/rules/linux/execution_process_started_in_shared_memory_directory.toml +++ b/rules/linux/execution_process_started_in_shared_memory_directory.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -37,25 +37,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_python_tty_shell.toml b/rules/linux/execution_python_tty_shell.toml index 0f6f35c31..b6129d5f6 100644 --- a/rules/linux/execution_python_tty_shell.toml +++ b/rules/linux/execution_python_tty_shell.toml @@ -2,7 +2,7 @@ creation_date = "2020/04/15" integration = ["endpoint"] maturity = "production" -updated_date = "2023/10/16" +updated_date = "2023/11/02" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" @@ -24,25 +24,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_remote_code_execution_via_postgresql.toml b/rules/linux/execution_remote_code_execution_via_postgresql.toml index 44daa3eed..ff5fbb6cd 100644 --- a/rules/linux/execution_remote_code_execution_via_postgresql.toml +++ b/rules/linux/execution_remote_code_execution_via_postgresql.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,25 +27,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_shell_evasion_linux_binary.toml b/rules/linux/execution_shell_evasion_linux_binary.toml index 65cae9af9..74de453fd 100644 --- a/rules/linux/execution_shell_evasion_linux_binary.toml +++ b/rules/linux/execution_shell_evasion_linux_binary.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/12" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -98,36 +98,34 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). Session View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above. #### To confirm that Session View data is enabled: -- Go to Manage → Policies, and edit one or more of your Elastic Defend integration policies. -- Select the Policy settings tab, then scroll down to the Linux event collection section near the bottom. -- Check the box for Process events, and turn on the Include session data toggle. -- If you want to include file and network alerts in Session View, check the boxes for Network and File events. -- If you want to enable terminal output capture, turn on the Capture terminal output toggle. -For more information about the additional fields collected when this setting is enabled and -the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). +- Go to “Manage → Policies”, and edit one or more of your Elastic Defend integration policies. +- Select the” Policy settings” tab, then scroll down to the “Linux event collection” section near the bottom. +- Check the box for “Process events”, and turn on the “Include session data” toggle. +- If you want to include file and network alerts in Session View, check the boxes for “Network and File events”. +- If you want to enable terminal output capture, turn on the “Capture terminal output” toggle. +For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). """ severity = "medium" diff --git a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml index edaab1cf7..af21e4fc4 100644 --- a/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml +++ b/rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -29,26 +29,26 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + """ severity = "medium" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"] diff --git a/rules/linux/execution_shell_via_background_process.toml b/rules/linux/execution_shell_via_background_process.toml index 7730650b5..e1e181aea 100644 --- a/rules/linux/execution_shell_via_background_process.toml +++ b/rules/linux/execution_shell_via_background_process.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -24,25 +24,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_shell_via_java_revshell_linux.toml b/rules/linux/execution_shell_via_java_revshell_linux.toml index d06677ec9..57df034c2 100644 --- a/rules/linux/execution_shell_via_java_revshell_linux.toml +++ b/rules/linux/execution_shell_via_java_revshell_linux.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,25 +27,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml index 2f3f8d0a6..abbf54a9e 100644 --- a/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml +++ b/rules/linux/execution_shell_via_lolbin_interpreter_linux.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -28,25 +28,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_shell_via_meterpreter_linux.toml b/rules/linux/execution_shell_via_meterpreter_linux.toml index 6e2491a2d..202e77942 100644 --- a/rules/linux/execution_shell_via_meterpreter_linux.toml +++ b/rules/linux/execution_shell_via_meterpreter_linux.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" min_stack_version = "8.6.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -22,31 +22,33 @@ risk_score = 47 rule_id = "5c895b4f-9133-4e68-9e23-59902175355c" setup = """ -This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration. +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Auditd Manager ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). ### Auditd Manager Integration Setup The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. #### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Auditd Manager and select the integration to see more details about it. -- Click Add Auditd Manager. +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. - Configure the integration name and optionally add a description. - Review optional and advanced settings accordingly. -- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. -- Click Save and Continue. -- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). #### Rule Specific Setup Note Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. diff --git a/rules/linux/execution_shell_via_suspicious_binary.toml b/rules/linux/execution_shell_via_suspicious_binary.toml index 2b7101c6c..fa8380a08 100644 --- a/rules/linux/execution_shell_via_suspicious_binary.toml +++ b/rules/linux/execution_shell_via_suspicious_binary.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -29,25 +29,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml index 5f5dba990..65cad55c5 100644 --- a/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_tcp_cli_utility_linux.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -28,25 +28,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml index 79d260c9a..0391990f9 100644 --- a/rules/linux/execution_shell_via_udp_cli_utility_linux.toml +++ b/rules/linux/execution_shell_via_udp_cli_utility_linux.toml @@ -4,7 +4,7 @@ integration = ["auditd_manager"] maturity = "production" min_stack_comments = "The sampling feature within EQL was introduced in 8.6.0" min_stack_version = "8.6.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -26,31 +26,33 @@ risk_score = 47 rule_id = "a5eb21b7-13cc-4b94-9fe2-29bb2914e037" setup = """ -This rule requires data coming in either from Auditbeat integration, or Auditd Manager integration. +This rule requires data coming in from one of the following integrations: +- Auditbeat +- Auditd Manager ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). ### Auditd Manager Integration Setup The Auditd Manager Integration receives audit events from the Linux Audit Framework which is a part of the Linux kernel. Auditd Manager provides a user-friendly interface and automation capabilities for configuring and monitoring system auditing through the auditd daemon. With `auditd_manager`, administrators can easily define audit rules, track system events, and generate comprehensive audit reports, improving overall security and compliance in the system. #### The following steps should be executed in order to add the Elastic Agent System integration "auditd_manager" on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Auditd Manager and select the integration to see more details about it. -- Click Add Auditd Manager. +- Go to the Kibana home page and click “Add integrations”. +- In the query bar, search for “Auditd Manager” and select the integration to see more details about it. +- Click “Add Auditd Manager”. - Configure the integration name and optionally add a description. - Review optional and advanced settings accordingly. -- Add the newly installed `auditd manager` to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. -- Click Save and Continue. -- For more details on the integeration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). +- Add the newly installed “auditd manager” to an existing or a new agent policy, and deploy the agent on a Linux system from which auditd log files are desirable. +- Click “Save and Continue”. +- For more details on the integration refer to the [helper guide](https://docs.elastic.co/integrations/auditd_manager). #### Rule Specific Setup Note Auditd Manager subscribes to the kernel and receives events as they occur without any additional configuration. diff --git a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml index 3cef618ea..91fa7eb9c 100644 --- a/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml +++ b/rules/linux/execution_sus_extraction_or_decrompression_via_funzip.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -29,25 +29,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_suspicious_executable_running_system_commands.toml b/rules/linux/execution_suspicious_executable_running_system_commands.toml index 1e92d95cc..f38a877b2 100644 --- a/rules/linux/execution_suspicious_executable_running_system_commands.toml +++ b/rules/linux/execution_suspicious_executable_running_system_commands.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/25" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,26 +27,26 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). + """ severity = "low" tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"] diff --git a/rules/linux/execution_suspicious_mining_process_creation_events.toml b/rules/linux/execution_suspicious_mining_process_creation_events.toml index e0f79506e..002a29e16 100644 --- a/rules/linux/execution_suspicious_mining_process_creation_events.toml +++ b/rules/linux/execution_suspicious_mining_process_creation_events.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -24,25 +24,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/execution_tc_bpf_filter.toml b/rules/linux/execution_tc_bpf_filter.toml index 56d562e00..9a75c23f1 100644 --- a/rules/linux/execution_tc_bpf_filter.toml +++ b/rules/linux/execution_tc_bpf_filter.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" integration = ["endpoint"] [rule] @@ -27,25 +27,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/impact_data_encrypted_via_openssl.toml b/rules/linux/impact_data_encrypted_via_openssl.toml index 03a5a410e..68821691a 100644 --- a/rules/linux/impact_data_encrypted_via_openssl.toml +++ b/rules/linux/impact_data_encrypted_via_openssl.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -29,25 +29,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/impact_esxi_process_kill.toml b/rules/linux/impact_esxi_process_kill.toml index 97212297a..d45f5244e 100644 --- a/rules/linux/impact_esxi_process_kill.toml +++ b/rules/linux/impact_esxi_process_kill.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.5.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -29,25 +29,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml index 1fb436411..6ab9c3305 100644 --- a/rules/linux/impact_potential_linux_ransomware_file_encryption.toml +++ b/rules/linux/impact_potential_linux_ransomware_file_encryption.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -26,25 +26,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/impact_potential_linux_ransomware_note_detected.toml b/rules/linux/impact_potential_linux_ransomware_note_detected.toml index cdcdefb45..92c2ecbcd 100644 --- a/rules/linux/impact_potential_linux_ransomware_note_detected.toml +++ b/rules/linux/impact_potential_linux_ransomware_note_detected.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,25 +27,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/impact_process_kill_threshold.toml b/rules/linux/impact_process_kill_threshold.toml index d89857749..e3ad173ea 100644 --- a/rules/linux/impact_process_kill_threshold.toml +++ b/rules/linux/impact_process_kill_threshold.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -55,25 +55,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/lateral_movement_ssh_it_worm_download.toml b/rules/linux/lateral_movement_ssh_it_worm_download.toml index 823ec2e42..e29caebd5 100644 --- a/rules/linux/lateral_movement_ssh_it_worm_download.toml +++ b/rules/linux/lateral_movement_ssh_it_worm_download.toml @@ -22,8 +22,7 @@ risk_score = 47 rule_id = "2ddc468e-b39b-4f5b-9825-f3dcb0e998ea" setup = """ -This rule requires data coming in from one of the following integrations: -- Elastic Defend +This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows diff --git a/rules/linux/lateral_movement_telnet_network_activity_external.toml b/rules/linux/lateral_movement_telnet_network_activity_external.toml index e48026c94..01daa4c3c 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_external.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_external.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -30,39 +30,40 @@ risk_score = 47 rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" diff --git a/rules/linux/lateral_movement_telnet_network_activity_internal.toml b/rules/linux/lateral_movement_telnet_network_activity_internal.toml index 3e7f21eff..3cb0849c3 100644 --- a/rules/linux/lateral_movement_telnet_network_activity_internal.toml +++ b/rules/linux/lateral_movement_telnet_network_activity_internal.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -30,39 +30,40 @@ risk_score = 47 rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" diff --git a/rules/linux/persistence_chkconfig_service_add.toml b/rules/linux/persistence_chkconfig_service_add.toml index 2f05217ce..1cd1b21ac 100644 --- a/rules/linux/persistence_chkconfig_service_add.toml +++ b/rules/linux/persistence_chkconfig_service_add.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" integration = ["endpoint"] [rule] @@ -29,25 +29,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml index 415811d27..10a97feee 100644 --- a/rules/linux/persistence_credential_access_modify_ssh_binaries.toml +++ b/rules/linux/persistence_credential_access_modify_ssh_binaries.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,39 +25,40 @@ risk_score = 47 rule_id = "0415f22a-2336-45fa-ba07-618a5942e22c" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" diff --git a/rules/linux/persistence_cron_job_creation.toml b/rules/linux/persistence_cron_job_creation.toml index 602b15e17..f441b35ac 100644 --- a/rules/linux/persistence_cron_job_creation.toml +++ b/rules/linux/persistence_cron_job_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -28,25 +28,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_dynamic_linker_backup.toml b/rules/linux/persistence_dynamic_linker_backup.toml index c1face66f..f2b8cf4fc 100644 --- a/rules/linux/persistence_dynamic_linker_backup.toml +++ b/rules/linux/persistence_dynamic_linker_backup.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/12" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" integration = ["endpoint"] [rule] @@ -26,25 +26,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_etc_file_creation.toml b/rules/linux/persistence_etc_file_creation.toml index 3c6a89a9e..3acc0756e 100644 --- a/rules/linux/persistence_etc_file_creation.toml +++ b/rules/linux/persistence_etc_file_creation.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/22" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" integration = ["endpoint"] [rule] @@ -29,25 +29,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_init_d_file_creation.toml b/rules/linux/persistence_init_d_file_creation.toml index 18ae474cd..e6361396e 100644 --- a/rules/linux/persistence_init_d_file_creation.toml +++ b/rules/linux/persistence_init_d_file_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -132,25 +132,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_insmod_kernel_module_load.toml b/rules/linux/persistence_insmod_kernel_module_load.toml index fe1533de0..579c4e9c5 100644 --- a/rules/linux/persistence_insmod_kernel_module_load.toml +++ b/rules/linux/persistence_insmod_kernel_module_load.toml @@ -3,7 +3,7 @@ creation_date = "2022/07/11" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/23" +updated_date = "2023/11/02" integration = ["endpoint"] [rule] @@ -26,25 +26,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_kde_autostart_modification.toml b/rules/linux/persistence_kde_autostart_modification.toml index 4e40e7a1f..4e3c263c2 100644 --- a/rules/linux/persistence_kde_autostart_modification.toml +++ b/rules/linux/persistence_kde_autostart_modification.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/12" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -26,39 +26,40 @@ risk_score = 47 rule_id = "e3e904b3-0a8e-4e68-86a8-977a163e21d3" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). #### Custom Ingest Pipeline For versions <8.2, you need to add a custom ingest pipeline to populate `event.ingested` with @timestamp for non-elastic-agent indexes, like auditbeats/filebeat/winlogbeat etc. For more details to add a custom ingest pipeline refer to the [guide](https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html). diff --git a/rules/linux/persistence_linux_backdoor_user_creation.toml b/rules/linux/persistence_linux_backdoor_user_creation.toml index cbe874f66..aa6ef2339 100644 --- a/rules/linux/persistence_linux_backdoor_user_creation.toml +++ b/rules/linux/persistence_linux_backdoor_user_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -93,25 +93,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_linux_group_creation.toml b/rules/linux/persistence_linux_group_creation.toml index 4b4939ccc..a86662efa 100644 --- a/rules/linux/persistence_linux_group_creation.toml +++ b/rules/linux/persistence_linux_group_creation.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/17" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -85,8 +85,7 @@ risk_score = 21 rule_id = "a1c2589e-0c8c-4ca8-9eb6-f83c4bbdbe8f" setup = """ -This rule requires data coming in from one of the following integrations: -- Filebeat +This rule requires data coming in from Filebeat. ### Filebeat Setup Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. @@ -97,10 +96,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). - To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). - For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). -- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). +- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). #### Rule Specific Setup Note -- This rule requires the Filebeat System Module to be enabled. +- This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). diff --git a/rules/linux/persistence_linux_shell_activity_via_web_server.toml b/rules/linux/persistence_linux_shell_activity_via_web_server.toml index 6ef216a42..dd391a757 100644 --- a/rules/linux/persistence_linux_shell_activity_via_web_server.toml +++ b/rules/linux/persistence_linux_shell_activity_via_web_server.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -110,25 +110,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_linux_user_account_creation.toml b/rules/linux/persistence_linux_user_account_creation.toml index 281077914..b9ba48278 100644 --- a/rules/linux/persistence_linux_user_account_creation.toml +++ b/rules/linux/persistence_linux_user_account_creation.toml @@ -4,7 +4,7 @@ integration = ["system"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/17" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -84,8 +84,7 @@ risk_score = 21 rule_id = "edfd5ca9-9d6c-44d9-b615-1e56b920219c" setup = """ -This rule requires data coming in from one of the following integrations: -- Filebeat +This rule requires data coming in from Filebeat. ### Filebeat Setup Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash for indexing. @@ -96,10 +95,10 @@ Filebeat is a lightweight shipper for forwarding and centralizing log data. Inst - To run Filebeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html). - To run Filebeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/running-on-kubernetes.html). - For quick start information for Filebeat refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-installation-configuration.html). -- For complete Setup and Run Filebeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). +- For complete “Setup and Run Filebeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/setting-up-and-running.html). #### Rule Specific Setup Note -- This rule requires the Filebeat System Module to be enabled. +- This rule requires the “Filebeat System Module” to be enabled. - The system module collects and parses logs created by the system logging service of common Unix/Linux based distributions. - To run the system module of Filebeat on Linux follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-system.html). diff --git a/rules/linux/persistence_linux_user_added_to_privileged_group.toml b/rules/linux/persistence_linux_user_added_to_privileged_group.toml index ad80c897f..98475a809 100644 --- a/rules/linux/persistence_linux_user_added_to_privileged_group.toml +++ b/rules/linux/persistence_linux_user_added_to_privileged_group.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -88,25 +88,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_message_of_the_day_creation.toml b/rules/linux/persistence_message_of_the_day_creation.toml index c55357c72..2be689b44 100644 --- a/rules/linux/persistence_message_of_the_day_creation.toml +++ b/rules/linux/persistence_message_of_the_day_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -126,25 +126,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_message_of_the_day_execution.toml b/rules/linux/persistence_message_of_the_day_execution.toml index 2ef391fcd..15633b3e5 100644 --- a/rules/linux/persistence_message_of_the_day_execution.toml +++ b/rules/linux/persistence_message_of_the_day_execution.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -125,25 +125,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_rc_script_creation.toml b/rules/linux/persistence_rc_script_creation.toml index 4f6508d26..e5cde1a54 100644 --- a/rules/linux/persistence_rc_script_creation.toml +++ b/rules/linux/persistence_rc_script_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -111,25 +111,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_setuid_setgid_capability_set.toml b/rules/linux/persistence_setuid_setgid_capability_set.toml index 3a9e75547..99fd6e6eb 100644 --- a/rules/linux/persistence_setuid_setgid_capability_set.toml +++ b/rules/linux/persistence_setuid_setgid_capability_set.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/13" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -23,12 +23,10 @@ risk_score = 47 rule_id = "f5c005d3-4e17-48b0-9cd7-444d48857f97" setup = """ -This rule requires data coming in from one of the following integrations: -- Elastic Defend +This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. @@ -41,7 +39,7 @@ the Elastic Agent to monitor events on your host and send data to the Elastic Se - Configure the integration name and optionally add a description. - Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" - Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). - Click "Save and Continue". diff --git a/rules/linux/persistence_shared_object_creation.toml b/rules/linux/persistence_shared_object_creation.toml index 02892b697..5e788d188 100644 --- a/rules/linux/persistence_shared_object_creation.toml +++ b/rules/linux/persistence_shared_object_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -29,25 +29,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_systemd_scheduled_timer_created.toml b/rules/linux/persistence_systemd_scheduled_timer_created.toml index 3f36b04e2..f8ea241fd 100644 --- a/rules/linux/persistence_systemd_scheduled_timer_created.toml +++ b/rules/linux/persistence_systemd_scheduled_timer_created.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [transform] [[transform.osquery]] @@ -140,25 +140,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/persistence_systemd_service_creation.toml b/rules/linux/persistence_systemd_service_creation.toml index e79968b90..b04b6d63f 100644 --- a/rules/linux/persistence_systemd_service_creation.toml +++ b/rules/linux/persistence_systemd_service_creation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup, New Term" min_stack_version = "8.6.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -30,25 +30,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml index 37e274ca2..34c410034 100644 --- a/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml +++ b/rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,25 +27,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_container_util_misconfiguration.toml b/rules/linux/privilege_escalation_container_util_misconfiguration.toml index 1f523a382..d8756af51 100644 --- a/rules/linux/privilege_escalation_container_util_misconfiguration.toml +++ b/rules/linux/privilege_escalation_container_util_misconfiguration.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/07/31" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -31,36 +31,34 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). Session View uses process data collected by the Elastic Defend integration, but this data is not always collected by default. Session View is available on enterprise subscription for versions 8.3 and above. #### To confirm that Session View data is enabled: -- Go to Manage → Policies, and edit one or more of your Elastic Defend integration policies. -- Select the Policy settings tab, then scroll down to the Linux event collection section near the bottom. -- Check the box for Process events, and turn on the Include session data toggle. -- If you want to include file and network alerts in Session View, check the boxes for Network and File events. -- If you want to enable terminal output capture, turn on the Capture terminal output toggle. -For more information about the additional fields collected when this setting is enabled and -the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). +- Go to “Manage → Policies”, and edit one or more of your Elastic Defend integration policies. +- Select the” Policy settings” tab, then scroll down to the “Linux event collection” section near the bottom. +- Check the box for “Process events”, and turn on the “Include session data” toggle. +- If you want to include file and network alerts in Session View, check the boxes for “Network and File events”. +- If you want to enable terminal output capture, turn on the “Capture terminal output” toggle. +For more information about the additional fields collected when this setting is enabled and the usage of Session View for Analysis refer to the [helper guide](https://www.elastic.co/guide/en/security/current/session-view.html). """ severity = "medium" diff --git a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml index 25cce2de2..3ef2f2dcc 100644 --- a/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml +++ b/rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/25" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -24,39 +24,40 @@ risk_score = 47 rule_id = "717f82c2-7741-4f9b-85b8-d06aeb853f4f" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" diff --git a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml index 55ff7e0e1..2300d6786 100644 --- a/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml +++ b/rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,25 +27,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml index d75535a50..c920a0932 100644 --- a/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml +++ b/rules/linux/privilege_escalation_linux_uid_int_max_bug.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -29,25 +29,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml index 42bae30dd..7938e16f3 100644 --- a/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml +++ b/rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml @@ -3,7 +3,7 @@ creation_date = "2023/06/09" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" integration = ["endpoint"] [rule] @@ -32,25 +32,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml index 4bc6f8901..22c1de209 100644 --- a/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml +++ b/rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Linux environment variable capture feature via the Elastic Defend Integration was added in 8.6." min_stack_version = "8.6.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,40 +25,38 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). Elastic Defend integration does not collect environment variable logging by default. In order to capture this behavior, this rule requires a specific configuration option set within the advanced settings of the Elastic Defend integration. #### To set up environment variable capture for an Elastic Agent policy: -- Go to Security → Manage → Policies. -- Select an Elastic Agent policy. -- Click Show advanced settings. -- Scroll down or search for linux.advanced.capture_env_vars. -- Enter the names of env vars you want to capture, separated by commas. +- Go to “Security → Manage → Policies”. +- Select an “Elastic Agent policy”. +- Click “Show advanced settings”. +- Scroll down or search for “linux.advanced.capture_env_vars”. +- Enter the names of environment variables you want to capture, separated by commas. - For this rule the linux.advanced.capture_env_vars variable should be set to "GLIBC_TUNABLES". -- Click Save. -After saving the integration change, the Elastic Agents running this policy will be updated and -the rule will function properly. -For more information on capturing environment variables refer the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). +- Click “Save”. +After saving the integration change, the Elastic Agents running this policy will be updated and the rule will function properly. +For more information on capturing environment variables refer to the [helper guide](https://www.elastic.co/guide/en/security/current/environment-variable-capture.html). """ severity = "high" diff --git a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml index 90c623e53..86a9899c3 100644 --- a/rules/linux/privilege_escalation_overlayfs_local_privesc.toml +++ b/rules/linux/privilege_escalation_overlayfs_local_privesc.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -28,25 +28,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml index a07265022..e12bb1806 100644 --- a/rules/linux/privilege_escalation_pkexec_envar_hijack.toml +++ b/rules/linux/privilege_escalation_pkexec_envar_hijack.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,25 +25,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml index d450ee6fb..1159c6295 100644 --- a/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml +++ b/rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,25 +27,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml index d5573c48b..1cab6128a 100644 --- a/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml +++ b/rules/linux/privilege_escalation_sda_disk_mount_non_root.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -28,25 +28,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_shadow_file_read.toml b/rules/linux/privilege_escalation_shadow_file_read.toml index d4a4ee038..e76b0d458 100644 --- a/rules/linux/privilege_escalation_shadow_file_read.toml +++ b/rules/linux/privilege_escalation_shadow_file_read.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "The single field New Term rule type used in this rule was added in Elastic 8.4" min_stack_version = "8.4.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -26,25 +26,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml index 5fc7846be..7ef11c7fd 100644 --- a/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml +++ b/rules/linux/privilege_escalation_sudo_cve_2019_14287.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,25 +27,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_sudo_hijacking.toml b/rules/linux/privilege_escalation_sudo_hijacking.toml index a76882c66..ac0f0571e 100644 --- a/rules/linux/privilege_escalation_sudo_hijacking.toml +++ b/rules/linux/privilege_escalation_sudo_hijacking.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "Multiple field support in the New Terms rule type was added in Elastic 8.6" min_stack_version = "8.6.0" -updated_date = "2023/09/25" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -26,25 +26,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml index eb18f91c2..47d276124 100644 --- a/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml +++ b/rules/linux/privilege_escalation_sudo_token_via_process_injection.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -28,25 +28,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml index 03f553313..37b12bbcd 100644 --- a/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml +++ b/rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml @@ -24,8 +24,7 @@ risk_score = 47 rule_id = "a0ddb77b-0318-41f0-91e4-8c1b5528834f" setup = """ -This rule requires data coming in from one of the following integrations: -- Elastic Defend +This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows diff --git a/rules/linux/privilege_escalation_uid_change_post_compilation.toml b/rules/linux/privilege_escalation_uid_change_post_compilation.toml index ff74083a3..f1a4e1d5a 100644 --- a/rules/linux/privilege_escalation_uid_change_post_compilation.toml +++ b/rules/linux/privilege_escalation_uid_change_post_compilation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -25,25 +25,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """ diff --git a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml index 0633c05a4..6189c40ed 100644 --- a/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml +++ b/rules/linux/privilege_escalation_unshare_namespace_manipulation.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -26,39 +26,40 @@ risk_score = 47 rule_id = "d00f33e7-b57d-4023-9952-2db91b1767c4" setup = """ -This rule requires data coming in either from Elastic Defend, or Auditbeat integration. +This rule requires data coming in from one of the following integrations: +- Elastic Defend +- Auditbeat ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). ### Auditbeat Setup Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. For example, you can use Auditbeat to collect and centralize audit events from the Linux Audit Framework. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and identify potential security policy violations. -#### The following steps should be executed in order to add the Auditbeat for Linux System: +#### The following steps should be executed in order to add the Auditbeat on a Linux System: - Elastic provides repositories available for APT and YUM-based distributions. Note that we provide binary packages, but no source packages. - To install the APT and YUM repositories follow the setup instructions in this [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setup-repositories.html). - To run Auditbeat on Docker follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-docker.html). - To run Auditbeat on Kubernetes follow the setup instructions in the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/running-on-kubernetes.html). -- For complete Setup and Run Auditbeat information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). +- For complete “Setup and Run Auditbeat” information refer to the [helper guide](https://www.elastic.co/guide/en/beats/auditbeat/current/setting-up-and-running.html). """ severity = "medium" diff --git a/rules/linux/privilege_escalation_writable_docker_socket.toml b/rules/linux/privilege_escalation_writable_docker_socket.toml index e24fad689..1d3ac1b99 100644 --- a/rules/linux/privilege_escalation_writable_docker_socket.toml +++ b/rules/linux/privilege_escalation_writable_docker_socket.toml @@ -4,7 +4,7 @@ integration = ["endpoint"] maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2023/10/16" +updated_date = "2023/11/02" [rule] author = ["Elastic"] @@ -27,25 +27,24 @@ setup = """ This rule requires data coming in from Elastic Defend. ### Elastic Defend Integration Setup -Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows -the Elastic Agent to monitor events on your host and send data to the Elastic Security app. +Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app. #### Prerequisite Requirements: - Fleet is required for Elastic Defend. - To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html). #### The following steps should be executed in order to add the Elastic Defend integration on a Linux System: -- Go to the Kibana home page and click Add integrations. -- In the query bar, search for Elastic Defend and select the integration to see more details about it. -- Click Add Elastic Defend. +- Go to the Kibana home page and click "Add integrations". +- In the query bar, search for "Elastic Defend" and select the integration to see more details about it. +- Click "Add Elastic Defend". - Configure the integration name and optionally add a description. -- Select the type of environment you want to protect, either Traditional Endpoints or Cloud Workloads. +- Select the type of environment you want to protect, either "Traditional Endpoints" or "Cloud Workloads". - Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html). -- We suggest to select "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" -- Enter a name for the agent policy in New agent policy name. If other agent policies already exist, you can click the Existing hosts tab and select an existing policy instead. +- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions" +- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead. For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/8.10/agent-policy.html). -- Click Save and Continue. -- To complete the integration, select Add Elastic Agent to your hosts and continue to the next section to install the Elastic Agent on your hosts. +- Click "Save and Continue". +- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts. For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html). """