Mika Ayenson
7514c0a206
* add suuport for esql type * add unit tests * set clients in RemoteConnector from auth methods * thread remote rules; add engine test * Add versions to remote validation results --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
38 lines
1.3 KiB
TOML
38 lines
1.3 KiB
TOML
[metadata]
|
|
creation_date = "2023/11/20"
|
|
integration = ["endpoint"]
|
|
maturity = "production"
|
|
min_stack_comments = "ES|QL Rule"
|
|
min_stack_version = "8.11.0"
|
|
updated_date = "2023/11/20"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Sample ES|QL rule for unit tests.
|
|
"""
|
|
from = "now-9m"
|
|
language = "esql"
|
|
license = "Elastic License v2"
|
|
name = "Sample ES|QL rule for unit tests"
|
|
risk_score = 47
|
|
rule_id = "24220495-cffe-45a1-996c-37b599ba0e43"
|
|
severity = "medium"
|
|
tags = ["Data Source: Elastic Endpoint", "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"]
|
|
timestamp_override = "event.ingested"
|
|
type = "esql"
|
|
query = '''
|
|
from .ds-logs-endpoint.events.process-default-*
|
|
| where event.action == "start" and process.code_signature.subject_name like "Microsoft*" and process.parent.name in ("winword.exe", "WINWORD.EXE", "EXCEL.EXE", "excel.exe")
|
|
| eval process_path = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\")
|
|
| stats cc = count(*) by process_path, process.parent.name | where cc <= 5
|
|
'''
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0011"
|
|
name = "Command and Control"
|
|
reference = "https://attack.mitre.org/tactics/TA0011/"
|