Remove 7.15+ rules from 7.14 branch (#1613)

* Remove 7.15+ rules from 7.14 branch
Justin Ibarra
2021-11-15 14:35:28 -09:00
committed by GitHub
parent c42f86eb15
commit ef4fc086ee
2 changed files with 0 additions and 106 deletions
@@ -1,49 +0,0 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2021/07/14"
min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
min_stack_version = "7.14.0"
[rule]
author = ["Elastic"]
description = """Detects events which have a mismatch on the expected event agent ID. The status "agent_id_mismatch"
occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could
indicate attempts to spoof events in order to masquerade actual activity to evade detection.
"""
false_positives = [
"""
This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the
necessary field, resulting in false positives.
""",
]
from = "now-9m"
index = ["logs-*", "metrics-*", "traces-*"]
language = "kuery"
license = "Elastic License v2"
name = "Agent Spoofing - Mismatched Agent ID"
risk_score = 73
rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93"
severity = "high"
tags = ["Elastic", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.agent_id_status:agent_id_mismatch
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
@@ -1,57 +0,0 @@
[metadata]
creation_date = "2021/07/14"
maturity = "production"
updated_date = "2021/07/14"
min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
min_stack_version = "7.14.0"
[rule]
author = ["Elastic"]
description = """Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent
being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to
masquerade actual activity to evade detection.
"""
false_positives = [
"""
This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the
necessary field, resulting in false positives.
""",
]
from = "now-9m"
index = ["logs-*", "metrics-*", "traces-*"]
language = "kuery"
license = "Elastic License v2"
name = "Agent Spoofing - Multiple Hosts Using Same Agent"
risk_score = 73
rule_id = "493834ca-f861-414c-8602-150d5505b777"
severity = "high"
tags = ["Elastic", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.agent_id_status:*
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[rule.threshold]
field = ["agent.id"]
value = 2
[[rule.threshold.cardinality]]
field = "host.id"
value = 2