[Rule Tuning] Tune "Telnet Port Activity" Rule for Accepted Connections Only (#2374)

* adjusted query to include event action and network direction filters * adjusted rule name and file name * toml linted and tags updated Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-11-07 14:00:25 -05:00
parent 25458123dd
commit fd1260c109
1 changed files with 25 additions and 11 deletions
@@ -1,9 +1,9 @@
 [metadata]
 creation_date = "2020/02/18"
 maturity = "production"
-updated_date = "2022/08/24"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
+updated_date = "2022/10/20"

 [rule]
 author = ["Elastic"]
@@ -11,8 +11,8 @@ description = """
 This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system
 administrators to remotely control older or embedded systems using the command line shell. It should almost never be
 directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or
-backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing
-the traffic.
+backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the
+traffic.
 """
 false_positives = [
    """
@@ -26,18 +26,31 @@ from = "now-9m"
 index = ["auditbeat-*", "filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Telnet Port Activity"
+name = "Accepted Default Telnet Port Connection"
 risk_score = 47
 rule_id = "34fde489-94b0-4500-a76f-b8a157cf9269"
 severity = "medium"
-tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control", "Host"]
+tags = [
+    "Elastic",
+    "Host",
+    "Network",
+    "Threat Detection",
+    "Command and Control",
+    "Host",
+    "Lateral Movement",
+    "Initial Access",
+]
 timeline_id = "300afc76-072d-4261-864d-4149714bf3f1"
 timeline_title = "Comprehensive Network Timeline"
 timestamp_override = "event.ingested"
 type = "query"

 query = '''
-event.category:(network or network_traffic) and network.transport:tcp and destination.port:23
+event.category:(network or network_traffic) and destination.port:23
+  and network.direction:(inbound or ingress or outbound or egress)
+  and not event.action:(
+      flow_dropped or denied or deny or
+      flow_terminated or timeout or Reject or network_flow)
 '''


@@ -45,30 +58,31 @@ event.category:(network or network_traffic) and network.transport:tcp and destin
 framework = "MITRE ATT&CK"

 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0011/"
 id = "TA0011"
 name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1021/"
 id = "T1021"
 name = "Remote Services"
+reference = "https://attack.mitre.org/techniques/T1021/"


 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0008/"
 id = "TA0008"
 name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-reference = "https://attack.mitre.org/techniques/T1190/"
 id = "T1190"
 name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"


 [rule.threat.tactic]
-reference = "https://attack.mitre.org/tactics/TA0001/"
 id = "TA0001"
 name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+