Garrett Spong
c28795c25e
* Adds the Elastic Endpoint and External Alerts rules and required schema updates * Optimizing queries to fix tests * Apply PEP257 changes * Apply suggestions from code review * Update rules/cross-platform/external_alerts.toml * Last fixes from review * Fixing test for unrequired default * Adding increased default max_signals to not interfere with testing * Make promotions folder * Refining Elastic Endpoint rule index Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
29 lines
845 B
TOML
29 lines
845 B
TOML
[metadata]
|
|
creation_date = "2020/02/18"
|
|
ecs_version = ["1.4.0"]
|
|
maturity = "production"
|
|
updated_date = "2020/02/18"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Elastic Endpoint prevented an Exploit. Click the Elastic Endpoint icon in the event.module column or the link in the
|
|
rule.reference column in the External Alerts tab of the SIEM Detections page for additional information.
|
|
"""
|
|
from = "now-15m"
|
|
index = ["endgame-*"]
|
|
interval = "10m"
|
|
language = "kuery"
|
|
license = "Elastic License"
|
|
name = "Exploit - Prevented - Elastic Endpoint"
|
|
risk_score = 47
|
|
rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
|
|
severity = "medium"
|
|
tags = ["Elastic", "Endpoint"]
|
|
type = "query"
|
|
|
|
query = '''
|
|
event.kind:alert and event.module:endgame and endgame.metadata.type:prevention and (event.action:exploit_event or endgame.event_subtype_full:exploit_event)
|
|
'''
|
|
|