diff --git a/rules/promotions/elastic_endpoint.toml b/rules/promotions/elastic_endpoint.toml
index 2eb3683b7..43671e9d8 100644
--- a/rules/promotions/elastic_endpoint.toml
+++ b/rules/promotions/elastic_endpoint.toml
@@ -7,8 +7,8 @@ updated_date = "2020/07/08"
 [rule]
 author = ["Elastic"]
 description = """
-Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to
-immediately begin investigating your Elastic Endpoint alerts.
+Generates a detection alert each time an Endpoint Security alert is received. Enabling this rule allows you to
+immediately begin investigating your Endpoint alerts.
 """
 enabled = true
 from = "now-10m"
@@ -16,7 +16,7 @@ index = ["logs-endpoint.alerts-*"]
 language = "kuery"
 license = "Elastic License"
 max_signals = 10000
-name = "Elastic Endpoint Security"
+name = "Endpoint Security"
 risk_score = 47
 rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
 rule_name_override = "message"
@@ -65,4 +65,3 @@ operator = "equals"
 value = "99"
 severity = "critical"
-
diff --git a/rules/promotions/endpoint_adversary_behavior_detected.toml b/rules/promotions/endpoint_adversary_behavior_detected.toml
index 0b0641732..554c5643f 100644
--- a/rules/promotions/endpoint_adversary_behavior_detected.toml
+++ b/rules/promotions/endpoint_adversary_behavior_detected.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security detected an Adversary Behavior. Click the Elastic Endpoint Security icon in the event.module
+Endpoint Security detected an Adversary Behavior. Click the Endpoint Security icon in the event.module
 column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
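Review bot: `name = "Endpoint Security"` in the second hunk of elastic_endpoint.toml renames an analyst-facing rule identifier while `updated_date` (visible only as hunk-header context, `2020/07/08`) is left untouched; the same holds for the `name` hunks in every endpoint_*_detected.toml / endpoint_*_prevented.toml file and in defense_evasion_masquerading_as_elastic_endpoint_process.toml, still dated `2020/02/18` and `2020/09/30` respectively. `rule_id` is stable, but saved searches, exception lists and dashboards that filter on the old `rule.name` string are likely to stop matching once the renamed rules are imported, so the rename deserves a release-note entry. A minimal follow-up is to set `updated_date` in each touched file to the date of this change, e.g. `updated_date = "<date-of-change>"`, so the metadata reflects that the rule content moved.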
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Adversary Behavior - Detected - Elastic Endpoint Security"
+name = "Adversary Behavior - Detected - Endpoint Security"
 risk_score = 47
 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
 severity = "medium"
diff --git a/rules/promotions/endpoint_cred_dumping_detected.toml b/rules/promotions/endpoint_cred_dumping_detected.toml
index 6374fdf48..849f484dc 100644
--- a/rules/promotions/endpoint_cred_dumping_detected.toml
+++ b/rules/promotions/endpoint_cred_dumping_detected.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security detected Credential Dumping. Click the Elastic Endpoint Security icon in the event.module
+Endpoint Security detected Credential Dumping. Click the Endpoint Security icon in the event.module
 column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Credential Dumping - Detected - Elastic Endpoint Security"
+name = "Credential Dumping - Detected - Endpoint Security"
 risk_score = 73
 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
 severity = "high"
diff --git a/rules/promotions/endpoint_cred_dumping_prevented.toml b/rules/promotions/endpoint_cred_dumping_prevented.toml
index 8d4da1f0f..ac9e57329 100644
--- a/rules/promotions/endpoint_cred_dumping_prevented.toml
+++ b/rules/promotions/endpoint_cred_dumping_prevented.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security prevented Credential Dumping. Click the Elastic Endpoint Security icon in the event.module
+Endpoint Security prevented Credential Dumping. Click the Endpoint Security icon in the event.module
 column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Credential Dumping - Prevented - Elastic Endpoint Security"
+name = "Credential Dumping - Prevented - Endpoint Security"
 risk_score = 47
 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
 severity = "medium"
diff --git a/rules/promotions/endpoint_cred_manipulation_detected.toml b/rules/promotions/endpoint_cred_manipulation_detected.toml
index 84001112f..32f644210 100644
--- a/rules/promotions/endpoint_cred_manipulation_detected.toml
+++ b/rules/promotions/endpoint_cred_manipulation_detected.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security detected Credential Manipulation. Click the Elastic Endpoint Security icon in the event.module
+Endpoint Security detected Credential Manipulation. Click the Endpoint Security icon in the event.module
 column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Credential Manipulation - Detected - Elastic Endpoint Security"
+name = "Credential Manipulation - Detected - Endpoint Security"
 risk_score = 73
 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
 severity = "high"
diff --git a/rules/promotions/endpoint_cred_manipulation_prevented.toml b/rules/promotions/endpoint_cred_manipulation_prevented.toml
index 72e1f109a..4e503130e 100644
--- a/rules/promotions/endpoint_cred_manipulation_prevented.toml
+++ b/rules/promotions/endpoint_cred_manipulation_prevented.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security prevented Credential Manipulation. Click the Elastic Endpoint Security icon in the
+Endpoint Security prevented Credential Manipulation. Click the Endpoint Security icon in the
 event.module column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Credential Manipulation - Prevented - Elastic Endpoint Security"
+name = "Credential Manipulation - Prevented - Endpoint Security"
 risk_score = 47
 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
 severity = "medium"
diff --git a/rules/promotions/endpoint_exploit_detected.toml b/rules/promotions/endpoint_exploit_detected.toml
index cbb2638c1..0e015f4fb 100644
--- a/rules/promotions/endpoint_exploit_detected.toml
+++ b/rules/promotions/endpoint_exploit_detected.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security detected an Exploit. Click the Elastic Endpoint Security icon in the event.module column or
+Endpoint Security detected an Exploit. Click the Endpoint Security icon in the event.module column or
 the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Exploit - Detected - Elastic Endpoint Security"
+name = "Exploit - Detected - Endpoint Security"
 risk_score = 73
 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
 severity = "high"
diff --git a/rules/promotions/endpoint_exploit_prevented.toml b/rules/promotions/endpoint_exploit_prevented.toml
index 050b472b6..e47421eac 100644
--- a/rules/promotions/endpoint_exploit_prevented.toml
+++ b/rules/promotions/endpoint_exploit_prevented.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security prevented an Exploit. Click the Elastic Endpoint Security icon in the event.module column or
+Endpoint Security prevented an Exploit. Click the Endpoint Security icon in the event.module column or
 the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Exploit - Prevented - Elastic Endpoint Security"
+name = "Exploit - Prevented - Endpoint Security"
 risk_score = 47
 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
 severity = "medium"
diff --git a/rules/promotions/endpoint_malware_detected.toml b/rules/promotions/endpoint_malware_detected.toml
index cf3983062..9ba7e095f 100644
--- a/rules/promotions/endpoint_malware_detected.toml
+++ b/rules/promotions/endpoint_malware_detected.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security detected Malware. Click the Elastic Endpoint Security icon in the event.module column or the
+Endpoint Security detected Malware. Click the Endpoint Security icon in the event.module column or the
 link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Malware - Detected - Elastic Endpoint Security"
+name = "Malware - Detected - Endpoint Security"
 risk_score = 99
 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
 severity = "critical"
diff --git a/rules/promotions/endpoint_malware_prevented.toml b/rules/promotions/endpoint_malware_prevented.toml
index 142e93ea4..78f76d5d2 100644
--- a/rules/promotions/endpoint_malware_prevented.toml
+++ b/rules/promotions/endpoint_malware_prevented.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security prevented Malware. Click the Elastic Endpoint Security icon in the event.module column or the
+Endpoint Security prevented Malware. Click the Endpoint Security icon in the event.module column or the
 link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Malware - Prevented - Elastic Endpoint Security"
+name = "Malware - Prevented - Endpoint Security"
 risk_score = 73
 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
 severity = "high"
diff --git a/rules/promotions/endpoint_permission_theft_detected.toml b/rules/promotions/endpoint_permission_theft_detected.toml
index 6265eaf3f..69d8d9d59 100644
--- a/rules/promotions/endpoint_permission_theft_detected.toml
+++ b/rules/promotions/endpoint_permission_theft_detected.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security detected Permission Theft. Click the Elastic Endpoint Security icon in the event.module column
+Endpoint Security detected Permission Theft. Click the Endpoint Security icon in the event.module column
 or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Permission Theft - Detected - Elastic Endpoint Security"
+name = "Permission Theft - Detected - Endpoint Security"
 risk_score = 73
 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
 severity = "high"
diff --git a/rules/promotions/endpoint_permission_theft_prevented.toml b/rules/promotions/endpoint_permission_theft_prevented.toml
index 84bbf52a5..c76c61c6d 100644
--- a/rules/promotions/endpoint_permission_theft_prevented.toml
+++ b/rules/promotions/endpoint_permission_theft_prevented.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security prevented Permission Theft. Click the Elastic Endpoint Security icon in the event.module
+Endpoint Security prevented Permission Theft. Click the Endpoint Security icon in the event.module
 column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Permission Theft - Prevented - Elastic Endpoint Security"
+name = "Permission Theft - Prevented - Endpoint Security"
 risk_score = 47
 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
 severity = "medium"
diff --git a/rules/promotions/endpoint_process_injection_detected.toml b/rules/promotions/endpoint_process_injection_detected.toml
index 3b768a555..937c846d6 100644
--- a/rules/promotions/endpoint_process_injection_detected.toml
+++ b/rules/promotions/endpoint_process_injection_detected.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security detected Process Injection. Click the Elastic Endpoint Security icon in the event.module
+Endpoint Security detected Process Injection. Click the Endpoint Security icon in the event.module
 column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Process Injection - Detected - Elastic Endpoint Security"
+name = "Process Injection - Detected - Endpoint Security"
 risk_score = 73
 rule_id = "80c52164-c82a-402c-9964-852533d58be1"
 severity = "high"
diff --git a/rules/promotions/endpoint_process_injection_prevented.toml b/rules/promotions/endpoint_process_injection_prevented.toml
index c5070082e..7e2b1a10d 100644
--- a/rules/promotions/endpoint_process_injection_prevented.toml
+++ b/rules/promotions/endpoint_process_injection_prevented.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security prevented Process Injection. Click the Elastic Endpoint Security icon in the event.module
+Endpoint Security prevented Process Injection. Click the Endpoint Security icon in the event.module
 column or the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Process Injection - Prevented - Elastic Endpoint Security"
+name = "Process Injection - Prevented - Endpoint Security"
 risk_score = 47
 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
 severity = "medium"
diff --git a/rules/promotions/endpoint_ransomware_detected.toml b/rules/promotions/endpoint_ransomware_detected.toml
index 6aa4900ee..f1d3efff1 100644
--- a/rules/promotions/endpoint_ransomware_detected.toml
+++ b/rules/promotions/endpoint_ransomware_detected.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security detected Ransomware. Click the Elastic Endpoint Security icon in the event.module column or
+Endpoint Security detected Ransomware. Click the Endpoint Security icon in the event.module column or
 the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Ransomware - Detected - Elastic Endpoint Security"
+name = "Ransomware - Detected - Endpoint Security"
 risk_score = 99
 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
 severity = "critical"
diff --git a/rules/promotions/endpoint_ransomware_prevented.toml b/rules/promotions/endpoint_ransomware_prevented.toml
index 417138fde..7ccef9907 100644
--- a/rules/promotions/endpoint_ransomware_prevented.toml
+++ b/rules/promotions/endpoint_ransomware_prevented.toml
@@ -7,7 +7,7 @@ updated_date = "2020/02/18"
 [rule]
 author = ["Elastic"]
 description = """
-Elastic Endpoint Security prevented Ransomware. Click the Elastic Endpoint Security icon in the event.module column or
+Endpoint Security prevented Ransomware. Click the Endpoint Security icon in the event.module column or
 the link in the rule.reference column for additional information.
 """
 from = "now-15m"
@@ -15,7 +15,7 @@ index = ["endgame-*"]
 interval = "10m"
 language = "kuery"
 license = "Elastic License"
-name = "Ransomware - Prevented - Elastic Endpoint Security"
+name = "Ransomware - Prevented - Endpoint Security"
 risk_score = 73
 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
 severity = "high"
diff --git a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
index fb5b0b940..9f312141e 100644
--- a/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
+++ b/rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
@@ -7,14 +7,14 @@ updated_date = "2020/09/30"
 [rule]
 author = ["Elastic"]
 description = """
-A suspicious Elastic endpoint agent parent process was detected. This may indicate a process hollowing or other form of
+A suspicious Endpoint Security parent process was detected. This may indicate a process hollowing or other form of
 code injection.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License"
-name = "Suspicious Elastic Endpoint Parent Process"
+name = "Suspicious Endpoint Security Parent Process"
 risk_score = 47
 rule_id = "b41a13c6-ba45-4bab-a534-df53d0cfed6a"
 severity = "medium"
@@ -40,4 +40,3 @@ reference = "https://attack.mitre.org/techniques/T1036/"
 id = "TA0005"
 name = "Defense Evasion"
 reference = "https://attack.mitre.org/tactics/TA0005/"
-