[Rule Tuning] Remove all rule timelines (#466)

Justin Ibarra
2020-11-03 19:51:53 +01:00
committed by GitHub
parent da64bacac1
commit f87f2a46f4
177 changed files with 177 additions and 531 deletions
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -26,8 +26,6 @@ risk_score = 21
rule_id = "7a137d76-ce3d-48e2-947d-2747796a78c0"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Credential Access"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
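Review bot: The second hunk here (`@@ -26,8 +26,6 @@`), and the matching second hunk of every later file section on this page, drops `timeline_id` and `timeline_title` without any recorded rationale — the commit body is empty, so a maintainer reading a rule later cannot tell whether the absent timeline template is deliberate or an oversight. The removal detaches each rule from its investigation template (`Generic Process Timeline`, `Generic Network Timeline`, `Generic Endpoint Timeline`), which changes what an analyst gets when pivoting from an alert into a timeline. Whether the rule schema treats the two keys as optional, so the files still load, is not visible from the hunks and is worth confirming in the loader's validation. A one-line reason in the PR description or the rule-tuning changelog, e.g. `Timeline templates removed from rule files: <reason-placeholder>`, would make the intent traceable across all 177 files.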
@@ -2,7 +2,7 @@
creation_date = "2020/04/24"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -19,8 +19,6 @@ risk_score = 47
rule_id = "125417b8-d3df-479f-8418-12d7e034fee3"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/27"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -19,8 +19,6 @@ risk_score = 47
rule_id = "2f8a1226-5720-437d-9c20-e0029deb6194"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/17"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -22,8 +22,6 @@ risk_score = 21
rule_id = "debff20a-46bc-4a4d-bae5-5cdd14222795"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/17"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -22,8 +22,6 @@ risk_score = 21
rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/05/04"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -19,8 +19,6 @@ risk_score = 47
rule_id = "7bcbb3ac-e533-41ad-a612-d6c3bf666aba"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/22"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 47
rule_id = "eb9eb8ba-a983-41d9-9c93-a1c05112ca5e"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/27"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 21
rule_id = "a1329140-8de3-4445-9f87-908fb6d824f4"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/21"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -25,8 +25,6 @@ risk_score = 21
rule_id = "9f9a2a82-93a8-4b1a-8778-1780895626d4"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/17"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -22,8 +22,6 @@ risk_score = 21
rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/29"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -27,8 +27,6 @@ risk_score = 47
rule_id = "b9666521-4742-49ce-9ddc-b8e84c35acae"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/24"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -27,8 +27,6 @@ risk_score = 73
rule_id = "cd66a5af-e34b-4bb0-8931-57d0a043f2ef"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -26,8 +26,6 @@ risk_score = 47
rule_id = "2d8043ed-5bda-4caf-801c-c1feb7410504"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/27"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -26,8 +26,6 @@ risk_score = 73
rule_id = "5b03c9fb-9945-4d2f-9568-fd690fee3fba"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
+1 -3
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -25,8 +25,6 @@ risk_score = 21
rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
+1 -3
@@ -2,7 +2,7 @@
creation_date = "2020/04/16"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -19,8 +19,6 @@ risk_score = 73
rule_id = "05e5a668-7b51-4a67-93ab-e9af405c9ef3"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
+1 -3
@@ -2,7 +2,7 @@
creation_date = "2020/04/15"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -19,8 +19,6 @@ risk_score = 73
rule_id = "d76b02ef-fc95-4001-9297-01cb7412232f"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -27,8 +27,6 @@ risk_score = 47
rule_id = "e19e64ee-130e-4c07-961f-8a339f0b8362"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "eql"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -27,8 +27,6 @@ risk_score = 47
rule_id = "1b21abcc-4d9f-4b08-a7f5-316f5f94b973"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Lateral Movement"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "eql"
query = '''
+1 -3
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -26,8 +26,6 @@ risk_score = 73
rule_id = "90169566-2260-4824-b8e4-8615c3b4ed52"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
+1 -3
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -26,8 +26,6 @@ risk_score = 73
rule_id = "041d4d41-9589-43e2-ba13-5680af75ebc2"
severity = "high"
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
+1 -3
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -28,8 +28,6 @@ risk_score = 21
rule_id = "61c31c14-507f-4627-8c31-072556b89a9c"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -32,8 +32,6 @@ risk_score = 47
rule_id = "adb961e0-cb74-42a0-af9e-29fc41f88f5f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "eql"
query = '''
+1 -3
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -28,8 +28,6 @@ risk_score = 21
rule_id = "c87fca17-b3a9-4e83-b545-f30746c53920"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
+1 -3
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -26,8 +26,6 @@ risk_score = 47
rule_id = "0d69150b-96f8-467c-a86d-a67a3378ce77"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -22,8 +22,6 @@ risk_score = 47
rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
+1 -3
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -27,8 +27,6 @@ risk_score = 47
rule_id = "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
+1 -3
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -26,8 +26,6 @@ risk_score = 21
rule_id = "d6450d4e-81c6-46a3-bd94-079886318ed5"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -25,8 +25,6 @@ risk_score = 21
rule_id = "81cc58f5-8062-49a2-ba84-5cc4b4d31c40"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -23,8 +23,6 @@ risk_score = 47
rule_id = "231876e7-4d1f-4d63-a47c-47dd1acdc1cb"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Persistence"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -22,8 +22,6 @@ risk_score = 21
rule_id = "3a86e085-094c-412d-97ff-2439731e59cb"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/04/23"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -22,8 +22,6 @@ risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
severity = "low"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/08/14"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -21,8 +21,6 @@ risk_score = 73
rule_id = "96e90768-c3b7-4df6-b5d9-6237f8bc36a8"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/08/14"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "ad88231f-e2ab-491c-8fc6-64746da26cfe"
severity = "high"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Credential Access"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/08/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 47
rule_id = "5ae4e6f8-d1bf-40fa-96ba-e29645e1e4dc"
severity = "medium"
tags = ["Elastic", "Host", "macOS", "Threat Detection", "Lateral Movement"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/07/06"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -30,8 +30,6 @@ risk_score = 73
rule_id = "cf53f532-9cc9-445a-9ae7-fced307ec53c"
severity = "high"
tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -33,8 +33,6 @@ risk_score = 47
rule_id = "6ea71ff0-9e95-475b-9506-2580d1ce6154"
severity = "medium"
tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/07/02"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -31,8 +31,6 @@ risk_score = 47
rule_id = "ff013cb4-274d-434a-96bb-fe15ddd3ae92"
severity = "medium"
tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/07/06"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -28,8 +28,6 @@ risk_score = 73
rule_id = "4a4e23cf-78a2-449c-bac3-701924c269d3"
severity = "high"
tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -30,8 +30,6 @@ risk_score = 21
rule_id = "87ec6396-9ac4-4706-bcf0-2ebb22002f43"
severity = "low"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/07/06"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -29,8 +29,6 @@ risk_score = 73
rule_id = "2e580225-2a58-48ef-938b-572933be06fe"
severity = "high"
tags = ["Elastic", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -29,8 +29,6 @@ risk_score = 47
rule_id = "c6474c34-4953-447a-903e-9fcb7b6661aa"
severity = "medium"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -28,8 +28,6 @@ risk_score = 21
rule_id = "a9cb3641-ff4b-4cdc-a063-b4b8d02a67c7"
severity = "low"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -29,8 +29,6 @@ risk_score = 21
rule_id = "d7e62693-aab9-4f66-a21a-3d79ecdd603d"
severity = "low"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -28,8 +28,6 @@ risk_score = 21
rule_id = "08d5d7e2-740f-44d8-aeda-e41f4263efaf"
severity = "low"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -27,8 +27,6 @@ risk_score = 21
rule_id = "d2053495-8fe7-4168-b3df-dad844046be3"
severity = "low"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -31,8 +31,6 @@ risk_score = 47
rule_id = "ad0e5e75-dd89-4875-8d0a-dfdc1828b5f3"
severity = "medium"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -30,8 +30,6 @@ risk_score = 47
rule_id = "8c1bdde8-4204-45c0-9e0c-c85ca3902488"
severity = "medium"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -26,8 +26,6 @@ risk_score = 21
rule_id = "67a9beba-830d-4035-bfe8-40b7e28f8ac4"
severity = "low"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -27,8 +27,6 @@ risk_score = 47
rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd"
severity = "medium"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -30,8 +30,6 @@ risk_score = 47
rule_id = "ea0784f0-a4d7-4fea-ae86-4baaf27a6f17"
severity = "medium"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -29,8 +29,6 @@ risk_score = 21
rule_id = "6f1500bc-62d7-4eb9-8601-7485e87da2f4"
severity = "low"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -29,8 +29,6 @@ risk_score = 47
rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
severity = "medium"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -27,8 +27,6 @@ risk_score = 47
rule_id = "7d2c38d7-ede7-4bdf-b140-445906e6c540"
severity = "medium"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -28,8 +28,6 @@ risk_score = 73
rule_id = "5700cb81-df44-46aa-a5d7-337798f53eb8"
severity = "high"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -28,8 +28,6 @@ risk_score = 47
rule_id = "3ad49c61-7adc-42c1-b788-732eda2f5abf"
severity = "medium"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/09/04"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -30,8 +30,6 @@ risk_score = 21
rule_id = "1d72d014-e2ab-4707-b056-9b96abe7b511"
severity = "low"
tags = ["Elastic", "Network", "Threat Detection", "Discovery"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -29,8 +29,6 @@ risk_score = 21
rule_id = "e56993d2-759c-4120-984c-9ec9bb940fd5"
severity = "low"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "143cb236-0956-4f42-a706-814bcaa0cf5a"
severity = "high"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "32923416-763a-4531-bb35-f33b9232ecdb"
severity = "high"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "c82b2bd8-d701-420c-ba43-f11a155b681a"
severity = "high"
tags = ["Elastic", "Host", "Network", "Threat Detection", "Initial Access"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/08/11"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -29,8 +29,6 @@ risk_score = 47
rule_id = "31295df3-277b-4c56-a1fb-84e31b4222a9"
severity = "medium"
tags = ["Elastic", "Network", "Threat Detection", "Initial Access"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "query"
query = '''
+1 -3
@@ -2,7 +2,7 @@
creation_date = "2020/07/08"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -22,8 +22,6 @@ rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
rule_name_override = "message"
severity = "medium"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
timestamp_override = "event.ingested"
type = "query"
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 47
rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
severity = "medium"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
severity = "high"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 47
rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
severity = "medium"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
severity = "high"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 47
rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
severity = "medium"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
severity = "high"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 47
rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
severity = "medium"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 99
rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
severity = "critical"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
severity = "high"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
severity = "high"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 47
rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
severity = "medium"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "80c52164-c82a-402c-9964-852533d58be1"
severity = "high"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 47
rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
severity = "medium"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 99
rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
severity = "critical"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
severity = "high"
tags = ["Elastic", "Endpoint Security"]
timeline_id = "db366523-f1c6-4c1f-8731-6ce5ed9e5717"
timeline_title = "Generic Endpoint Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/03/19"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -19,8 +19,6 @@ risk_score = 21
rule_id = "3838e0e3-1850-4850-a411-2e8c5ba40ba8"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
timeline_id = "91832785-286d-4ebe-b884-1a208d111a70"
timeline_title = "Generic Network Timeline"
type = "eql"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/09/03"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 47
rule_id = "15c0b7a7-9c34-4869-b25b-fa6518414899"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/09/03"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -22,8 +22,6 @@ risk_score = 47
rule_id = "c6453e73-90eb-4fe7-a98c-cde7bbfc504a"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/09/02"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -17,8 +17,6 @@ risk_score = 47
rule_id = "b25a7df2-120a-4db2-bd3f-3e4b86b24bee"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Command and Control"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae5"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/08/13"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -24,8 +24,6 @@ risk_score = 73
rule_id = "b83a7e96-2eb3-4edf-8346-427b6858d3bd"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/08/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -21,8 +21,6 @@ risk_score = 73
rule_id = "0564fb9d-90b9-4234-a411-82a546dc1343"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/08/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -25,8 +25,6 @@ risk_score = 73
rule_id = "c25e9c87-95e1-4368-bfab-9fd34cf867ec"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/08/31"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -16,8 +16,6 @@ risk_score = 73
rule_id = "ebb200e8-adf0-43f8-a0bb-4ee5b5d852c6"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -16,8 +16,6 @@ risk_score = 21
rule_id = "4630d948-40d4-4cef-ac69-4002e29bc3db"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -19,8 +19,6 @@ risk_score = 21
rule_id = "d331bbe2-6db4-4941-80a5-8270db72eb61"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/08/31"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 73
rule_id = "28896382-7d4f-4d50-9b72-67091901fd26"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -19,8 +19,6 @@ risk_score = 21
rule_id = "f675872f-6d85-40a3-b502-c0d2ef101e92"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -19,8 +19,6 @@ risk_score = 21
rule_id = "581add16-df76-42bb-af8e-c979bfb39a59"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -19,8 +19,6 @@ risk_score = 47
rule_id = "4b438734-3793-4fda-bd42-ceeada0be8f9"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/08/21"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -16,8 +16,6 @@ risk_score = 47
rule_id = "201200f1-a99b-43fb-88ed-f65a45c4972c"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/02/18"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 47
rule_id = "fd70c98a-c410-42dc-a2e3-761c71848acf"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -26,8 +26,6 @@ risk_score = 73
rule_id = "c5dc3223-13a2-44a2-946c-e9dc0aa0449c"
severity = "high"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 21
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae2"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 47
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae3"
severity = "medium"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -20,8 +20,6 @@ risk_score = 21
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae4"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
@@ -2,7 +2,7 @@
creation_date = "2020/03/25"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/11/02"
updated_date = "2020/11/03"
[rule]
author = ["Elastic"]
@@ -26,8 +26,6 @@ risk_score = 21
rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae6"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"]
timeline_id = "76e52245-7519-4251-91ab-262fb1a1728c"
timeline_title = "Generic Process Timeline"
type = "query"
query = '''
