From ef4fc086eef10e6012b488e19b76cae14174140e Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Mon, 15 Nov 2021 14:35:28 -0900
Subject: [PATCH] Remove 7.15+ rules from 7.14 branch (#1613)
* Remove 7.15+ rules from 7.14 branch
---
 ..._evasion_agent_spoofing_mismatched_id.toml | 49 ----------------
 ...evasion_agent_spoofing_multiple_hosts.toml | 57 -------------------
 2 files changed, 106 deletions(-)
 delete mode 100644 rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
 delete mode 100644 rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml b/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
deleted file mode 100644
index 78411e447..000000000
--- a/rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
+++ /dev/null
@@ -1,49 +0,0 @@
-[metadata]
-creation_date = "2021/07/14"
-maturity = "production"
-updated_date = "2021/07/14"
-min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
-min_stack_version = "7.14.0"
-
-[rule]
-author = ["Elastic"]
-description = """Detects events which have a mismatch on the expected event agent ID. The status "agent_id_mismatch"
-occurs when the expected agent ID associated with the API key does not match the actual agent ID in an event. This could
-indicate attempts to spoof events in order to masquerade actual activity to evade detection.
-"""
-false_positives = [
- """
- This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the
- necessary field, resulting in false positives.
- """,
-]
-from = "now-9m"
-index = ["logs-*", "metrics-*", "traces-*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Agent Spoofing - Mismatched Agent ID"
-risk_score = 73
-rule_id = "3115bd2c-0baa-4df0-80ea-45e474b5ef93"
-severity = "high"
-tags = ["Elastic", "Threat Detection", "Defense Evasion"]
-timestamp_override = "event.ingested"
-type = "query"
-
-query = '''
-event.agent_id_status:agent_id_mismatch
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
diff --git a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml b/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
deleted file mode 100644
index a66ceee82..000000000
--- a/rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
+++ /dev/null
@@ -1,57 +0,0 @@
-[metadata]
-creation_date = "2021/07/14"
-maturity = "production"
-updated_date = "2021/07/14"
-min_stack_comments = "The field `event.agent_id_status` was not introduced until 7.14"
-min_stack_version = "7.14.0"
-
-[rule]
-author = ["Elastic"]
-description = """Detects when multiple hosts are using the same agent ID. This could occur in the event of an agent
-being taken over and used to inject illegitimate documents into an instance as an attempt to spoof events in order to
-masquerade actual activity to evade detection.
-"""
-false_positives = [
- """
- This is meant to run only on datasources using agents v7.14+ since versions prior to that will be missing the
- necessary field, resulting in false positives.
- """,
-]
-from = "now-9m"
-index = ["logs-*", "metrics-*", "traces-*"]
-language = "kuery"
-license = "Elastic License v2"
-name = "Agent Spoofing - Multiple Hosts Using Same Agent"
-risk_score = 73
-rule_id = "493834ca-f861-414c-8602-150d5505b777"
-severity = "high"
-tags = ["Elastic", "Threat Detection", "Defense Evasion"]
-timestamp_override = "event.ingested"
-type = "threshold"
-
-query = '''
-event.agent_id_status:*
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1036"
-name = "Masquerading"
-reference = "https://attack.mitre.org/techniques/T1036/"
-
-
-[rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
-
-
-[rule.threshold]
-field = ["agent.id"]
-value = 2
-
-[[rule.threshold.cardinality]]
-field = "host.id"
-value = 2