[Rule Tuning][SECURITY_SOLUTION] rename Endpoint security (#355)

This commit is contained in:
Kevin Logan
2020-10-05 13:55:15 -04:00
committed by GitHub
parent 0b745c5492
commit f34c96f4dc
17 changed files with 35 additions and 37 deletions
+3 -4
@@ -7,8 +7,8 @@ updated_date = "2020/07/08"
[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to
immediately begin investigating your Elastic Endpoint alerts.
Generates a detection alert each time an Endpoint Security alert is received. Enabling this rule allows you to
immediately begin investigating your Endpoint alerts.
"""
enabled = true
from = "now-10m"
@@ -16,7 +16,7 @@ index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License"
max_signals = 10000
name = "Elastic Endpoint Security"
name = "Endpoint Security"
risk_score = 47
rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
rule_name_override = "message"
@@ -65,4 +65,3 @@ operator = "equals"
value = "99"
severity = "critical"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security detected an Adversary Behavior. Click the Elastic Endpoint Security icon in the event.module
Endpoint Security detected an Adversary Behavior. Click the Endpoint Security icon in the event.module
column or the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Adversary Behavior - Detected - Elastic Endpoint Security"
name = "Adversary Behavior - Detected - Endpoint Security"
risk_score = 47
rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
severity = "medium"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security detected Credential Dumping. Click the Elastic Endpoint Security icon in the event.module
Endpoint Security detected Credential Dumping. Click the Endpoint Security icon in the event.module
column or the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Credential Dumping - Detected - Elastic Endpoint Security"
name = "Credential Dumping - Detected - Endpoint Security"
risk_score = 73
rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
severity = "high"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security prevented Credential Dumping. Click the Elastic Endpoint Security icon in the event.module
Endpoint Security prevented Credential Dumping. Click the Endpoint Security icon in the event.module
column or the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Credential Dumping - Prevented - Elastic Endpoint Security"
name = "Credential Dumping - Prevented - Endpoint Security"
risk_score = 47
rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
severity = "medium"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security detected Credential Manipulation. Click the Elastic Endpoint Security icon in the event.module
Endpoint Security detected Credential Manipulation. Click the Endpoint Security icon in the event.module
column or the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Credential Manipulation - Detected - Elastic Endpoint Security"
name = "Credential Manipulation - Detected - Endpoint Security"
risk_score = 73
rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
severity = "high"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security prevented Credential Manipulation. Click the Elastic Endpoint Security icon in the
Endpoint Security prevented Credential Manipulation. Click the Endpoint Security icon in the
event.module column or the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Credential Manipulation - Prevented - Elastic Endpoint Security"
name = "Credential Manipulation - Prevented - Endpoint Security"
risk_score = 47
rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
severity = "medium"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security detected an Exploit. Click the Elastic Endpoint Security icon in the event.module column or
Endpoint Security detected an Exploit. Click the Endpoint Security icon in the event.module column or
the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Exploit - Detected - Elastic Endpoint Security"
name = "Exploit - Detected - Endpoint Security"
risk_score = 73
rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
severity = "high"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security prevented an Exploit. Click the Elastic Endpoint Security icon in the event.module column or
Endpoint Security prevented an Exploit. Click the Endpoint Security icon in the event.module column or
the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Exploit - Prevented - Elastic Endpoint Security"
name = "Exploit - Prevented - Endpoint Security"
risk_score = 47
rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
severity = "medium"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security detected Malware. Click the Elastic Endpoint Security icon in the event.module column or the
Endpoint Security detected Malware. Click the Endpoint Security icon in the event.module column or the
link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Malware - Detected - Elastic Endpoint Security"
name = "Malware - Detected - Endpoint Security"
risk_score = 99
rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
severity = "critical"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security prevented Malware. Click the Elastic Endpoint Security icon in the event.module column or the
Endpoint Security prevented Malware. Click the Endpoint Security icon in the event.module column or the
link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Malware - Prevented - Elastic Endpoint Security"
name = "Malware - Prevented - Endpoint Security"
risk_score = 73
rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
severity = "high"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security detected Permission Theft. Click the Elastic Endpoint Security icon in the event.module column
Endpoint Security detected Permission Theft. Click the Endpoint Security icon in the event.module column
or the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Permission Theft - Detected - Elastic Endpoint Security"
name = "Permission Theft - Detected - Endpoint Security"
risk_score = 73
rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
severity = "high"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security prevented Permission Theft. Click the Elastic Endpoint Security icon in the event.module
Endpoint Security prevented Permission Theft. Click the Endpoint Security icon in the event.module
column or the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Permission Theft - Prevented - Elastic Endpoint Security"
name = "Permission Theft - Prevented - Endpoint Security"
risk_score = 47
rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
severity = "medium"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security detected Process Injection. Click the Elastic Endpoint Security icon in the event.module
Endpoint Security detected Process Injection. Click the Endpoint Security icon in the event.module
column or the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Process Injection - Detected - Elastic Endpoint Security"
name = "Process Injection - Detected - Endpoint Security"
risk_score = 73
rule_id = "80c52164-c82a-402c-9964-852533d58be1"
severity = "high"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security prevented Process Injection. Click the Elastic Endpoint Security icon in the event.module
Endpoint Security prevented Process Injection. Click the Endpoint Security icon in the event.module
column or the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Process Injection - Prevented - Elastic Endpoint Security"
name = "Process Injection - Prevented - Endpoint Security"
risk_score = 47
rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
severity = "medium"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security detected Ransomware. Click the Elastic Endpoint Security icon in the event.module column or
Endpoint Security detected Ransomware. Click the Endpoint Security icon in the event.module column or
the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Ransomware - Detected - Elastic Endpoint Security"
name = "Ransomware - Detected - Endpoint Security"
risk_score = 99
rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
severity = "critical"
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
[rule]
author = ["Elastic"]
description = """
Elastic Endpoint Security prevented Ransomware. Click the Elastic Endpoint Security icon in the event.module column or
Endpoint Security prevented Ransomware. Click the Endpoint Security icon in the event.module column or
the link in the rule.reference column for additional information.
"""
from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
interval = "10m"
language = "kuery"
license = "Elastic License"
name = "Ransomware - Prevented - Elastic Endpoint Security"
name = "Ransomware - Prevented - Endpoint Security"
risk_score = 73
rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
severity = "high"
@@ -7,14 +7,14 @@ updated_date = "2020/09/30"
[rule]
author = ["Elastic"]
description = """
A suspicious Elastic endpoint agent parent process was detected. This may indicate a process hollowing or other form of
A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of
code injection.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Suspicious Elastic Endpoint Parent Process"
name = "Suspicious Endpoint Security Parent Process"
risk_score = 47
rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
severity = "medium"
@@ -40,4 +40,3 @@ reference = "https://attack.mitre.org/techniques/T1036/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"